Privacy and security have become issues that make or break businesses. A steady stream of data breaches over the past few years has shown that organisations must now take a proactive approach to security across their entire business. Yevgeniy Vahlis, Director of Security First at Georgian Partners, introduces ten principles to help you both reduce your exposure and start to make security a competitive differentiator for your organisation.
1. The 10 Principles of Security First: How to Differentiate Your Business by Making Security a Priority
2. Security first is a mindset. It’s thinking about your company’s security holistically from the ground up.
3. That means looking beyond technical considerations to see where security fits into your:
✔ Business model
✔ Software development
✔ People and hiring practices
✔ Pricing
✔ Approach to partnerships
✔ Marketing
✔ Research and innovation
4. That’s important because by putting security first you’ll not only keep your business safe...
5. You’ll also be able to differentiate yourself from your competitors by creating better experiences for your customers.
6. To help you better understand security first, we’ve put together 10 principles to orient your thinking.
7. Principle 1: Start now.
8. Introducing privacy and security too late can come at a high cost...
9. ...being forced to undo every decision you’ve ever made that has had a security implication.
10. Don’t make that mistake. Start introducing a security first mindset into your business today.
11. Principle 2: Make security everyone’s responsibility.
12. Although it must start at the top, no one should be exempt from responsibility for security.
13. Plus, it has to be communicated clearly and regularly.
14. That’s because security needs to be embedded in all aspects of the business, including culture, hiring, business strategy, technology and promotion.
15. Principle 3: Create new value through security and privacy.
16. Make your commitment to security and privacy a competitive differentiator.
17. If you get it right, you can win against your competitors.
18. Plus, your users will be willing to give you more data and more rights to extract value from that data.
19. To achieve this, you need to show your users that there are mechanisms in place to protect them, and that you will meet the security and privacy expectations that you set.
20. Principle 4: Seek out synergies between security and function.
21. Security has historically been viewed as a cost: to get it, you had to trade off functionality.
22. But it doesn’t have to be that way.
23. If you start with security early, you can build unique functionality on top to come up with a stronger offering.
24. Look for opportunities to improve security, reduce user friction and increase product functionality.
25. One example is Touch ID on a mobile phone for password-less authentication and a smoother user experience: the fingerprint unlocks a credential held on the device, so the user types nothing and the biometric data never leaves the device.
26. Another is moving to a major cloud provider such as Amazon Web Services, which combines functionality with much more robust infrastructure security (securing what you build on top of it, such as access policies and service configuration, remains your responsibility).
27. Principle 5: Avoid partners that weaken your security.
28. Your business partners and third-party integrations are part of your attack surface.
29. Ask them about their security and privacy stance, and work with partners who have a good approach.
30. In the process, help your partners take a security first stance as a way to protect yourself.
31. Principle 6: Always be (threat) modeling.
32. Adversarial behavior can take many forms, shapes and sizes:
✔ Malware
✔ Credential attacks
✔ Phishing
✔ AI model and data poisoning attacks
✔ Denial of service
✔ Rogue software
✔ Network attacks
✔ Application attacks
33. Be creative in understanding your assets, stakeholders and the current state of all your systems, including both digital and human processes.
34. Plan ahead for new attack surfaces and advances in attacker capabilities.
35. Threat modeling involves going over every process, role, product and piece of infrastructure in your business, and identifying the threats they’re exposed to.
36. Principle 7: Give customers control and oversight over their data.
37. Software companies have traditionally assumed broad data rights through their privacy policies.
38. But this approach to managing privacy is no longer compatible with legislation such as the European General Data Protection Regulation (GDPR).
39. Practically speaking, you need to consider such regulations in your product and sales strategies.
40. Be transparent. Give users visibility into the personal data you’re capturing and storing, and some level of control over that data.
41. Principle 8: Design systems to reduce the impact of an attack.
42. Breaches will happen, so ensure that your systems are designed to compartmentalize damage from attackers.
43. Three approaches that have been shown to minimize the impact of a compromise are:
✔ The principle of least authority
✔ Decentralization
✔ Redundancy
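As an added illustration of the first two approaches above (example code written for this page, not from Georgian Partners or the deck), the following models the same multi-tenant data store twice: once with a single broad service credential shared by every worker, and once with least authority (each worker holds a signed capability naming exactly one tenant and one action) combined with decentralization (each tenant partition verifies capabilities with its own key). It then simulates the theft of one worker's credential and counts how many records the attacker can reach. Tenants, records and keys are constructed sample data; the token format and the `issue_capability`, `scoped_read` and `compare_designs` names are assumptions made for the example. Redundancy is not shown.

```python
"""Blast-radius comparison: broad shared credential vs. least-authority capabilities.

Everything below is constructed for illustration (tenants, records, keys, token format).
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data: a multi-tenant store with a few records per tenant.
RECORDS = {
    "tenant-a": ["a-1", "a-2", "a-3"],
    "tenant-b": ["b-1", "b-2"],
    "tenant-c": ["c-1", "c-2", "c-3", "c-4"],
}

# --- Design 1: one broad service credential shared by every worker ----------
SHARED_SERVICE_KEY = secrets.token_bytes(32)   # hypothetical "admin" credential


def broad_read(credential: bytes, tenant: str) -> list[str]:
    """Any holder of the shared key can read any tenant's records."""
    if not hmac.compare_digest(credential, SHARED_SERVICE_KEY):
        raise PermissionError("bad credential")
    return list(RECORDS[tenant])


# --- Design 2: least authority with per-tenant (decentralized) keys ----------
# No single key speaks for all tenants: a key leaked from one partition can
# only be used to mint capabilities for that partition.
TENANT_KEYS = {tenant: secrets.token_bytes(32) for tenant in RECORDS}


def issue_capability(tenant: str, actions: tuple[str, ...]) -> str:
    """Control plane mints a token naming exactly what the holder may do."""
    claims = json.dumps({"tenant": tenant, "actions": sorted(actions)},
                        separators=(",", ":"))
    tag = hmac.new(TENANT_KEYS[tenant], claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}.{tag}"


def verify_capability(token: str) -> dict:
    """Data partition checks the token against its own tenant's key."""
    claims_json, _, tag = token.rpartition(".")
    try:
        claims = json.loads(claims_json)
        key = TENANT_KEYS[claims["tenant"]]
        if not isinstance(claims["actions"], list):
            raise ValueError("actions must be a list")
    except (ValueError, KeyError, TypeError):
        raise PermissionError("malformed capability") from None
    expected = hmac.new(key, claims_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("capability signature invalid")
    return claims


def scoped_read(token: str, tenant: str) -> list[str]:
    """Read is allowed only if the capability covers this tenant and action."""
    claims = verify_capability(token)
    if claims["tenant"] != tenant or "read" not in claims["actions"]:
        raise PermissionError("capability does not cover this request")
    return list(RECORDS[tenant])


def records_exposed(read_fn, stolen_credential) -> int:
    """Blast radius: records an attacker with the stolen credential can pull
    by simply trying every tenant."""
    exposed = 0
    for tenant in RECORDS:
        try:
            exposed += len(read_fn(stolen_credential, tenant))
        except PermissionError:
            pass
    return exposed


def forge_attempt(stolen_token: str, target_tenant: str) -> bool:
    """Attacker rewrites a stolen tenant-a capability to name another tenant,
    keeping the old tag. Returns True only if the store accepts the forgery."""
    claims_json, _, tag = stolen_token.rpartition(".")
    claims = json.loads(claims_json)
    claims["tenant"] = target_tenant
    forged = json.dumps(claims, separators=(",", ":")) + "." + tag
    try:
        scoped_read(forged, target_tenant)
        return True
    except PermissionError:
        return False


def compare_designs() -> dict:
    """Simulate the compromise of one worker under each design."""
    worker_a_token = issue_capability("tenant-a", ("read",))
    return {
        "total_records": sum(len(v) for v in RECORDS.values()),
        "broad_design_exposed": records_exposed(broad_read, SHARED_SERVICE_KEY),
        "least_authority_exposed": records_exposed(scoped_read, worker_a_token),
        "forgery_accepted": forge_attempt(worker_a_token, "tenant-b"),
    }


if __name__ == "__main__":
    print(compare_designs())
```

With the constructed data, the broad design exposes all 9 records when one worker is compromised, while the least-authority design exposes only tenant-a's 3, and the attempt to re-point the stolen capability at tenant-b is rejected because tenant-b's partition verifies with a key the attacker never held.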
44. Principle 9: Assume that reality is always worse than it appears.
45. Complacency can be your downfall, so always approach monitoring and system assessment with a healthy dose of paranoia.
46. Don’t consider any security alert or incident resolved until it has been fully investigated.
47. And, to help uncover the root cause of a situation, make it part of your company culture to always ask why.
48. Principle 10: Have a rapid remediation plan and practice using it.
49. When a security or privacy compromise is discovered, use your well-practiced incident response plan and notify any affected customers immediately.
50. Providing timely remediation is essential to protect your brand and retain customer trust.
51. Effective plans will cover both the common scenarios and the outliers.
52. They will include a communication strategy and will evolve and adapt over time as new threats are understood and best practices for response improve.
53. By putting security first, your company will not only protect its own interests, but also those of your clients.
54. That creates a big opportunity. To take advantage of it, remember these 10 principles:
1. Start now.
2. Make security everyone’s responsibility.
3. Create new value through security and privacy.
4. Seek out synergies between security and function.
5. Avoid partners that weaken your security.
6. Always be (threat) modeling.
7. Give customers control and oversight over their data.
8. Design systems to reduce the impact of an attack.
9. Assume that reality is always worse than it appears.
10. Have a rapid remediation plan and practice using it.
55. Want to learn more about security first? Download our white paper on the “10 Principles of Security First.”