Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. With this podcast, our goal is to get your security questions answered by experts in the security space and build a community.
For today’s episode, we have Gary Dylina with us. Gary is the Director of Security Engineering at Narvar. Prior to Narvar, he was the Director of Information Security at Pantheon Platform.
Gary, thank you so much for joining me today.
Gary: It’s my pleasure.
Purusottam: Alright, so let’s get to the first question.
We are launching a new consumer-facing capability. How should we prepare for a large-scale event from a security standpoint?
Gary: So, you have to profile the new feature to determine capacity requirements and provision capacity for expected load with an appropriate margin for safety. Then make a test plan for how you will respond when the demand exceeds expectations by 2X and 10X; it’s important to make a plan and test it in advance. Then scan the application for vulnerabilities and address those prior to release. And engage a skilled team of testers to perform an application security review or penetration test and close out any issues prior to release, would be my recommendation.
Purusottam: Okay, makes sense. The second question is:
Our sales team is pushing us to get SOC 2 certification. Is that enough from a security standpoint?
Gary: Yeah, sales, they will ask, right? They want tools that they can use to accelerate closing deals. Customers need to have confidence that they can trust providers to have security postures that are equal to or better than their own. SOC 2 audit reports and ISO 27001 certificates are great tools to foster that confidence. But we need to meet customers where they are: some customers will review reports and be satisfied, and others will want more information to develop an informed opinion about your security posture. You need to be prepared to engage in that process if you want to land business.
Purusottam: Okay, that makes sense, so the next question:
What are the five key questions I should consider before setting up my IAM?
Gary: IAM! So, “Who needs access, and to what?” will be one question, and “How many roles are enough?” You want to figure out how to bucket your users into groups that are logical collections and have the same access needs, in order to reduce the demand for individual access assignment activities. Consider how you will handle onboarding, offboarding and role changes, those moves, adds and changes. Figure out how you will validate access and review it periodically, and figure out how you will measure the success of that particular IAM deployment.
Purusottam: Okay, fair, so the next question is:
We are a company with 100 engineers. What steps would you recommend to ensure my IAM assignments are valid and are following the least privilege principle?
Gary: I would recommend leveraging single sign-on and multifactor authentication wherever possible. As discussed earlier, implement role-based access controls for granting access and establish a periodic review process that detects whether access has been expanded or is otherwise inappropriate. Automate that review process to the degree that you can, increase the frequency over time if possible, and then I would recommend establishing key performance indicators for the effectiveness of your system.
And you would look at things like new member onboarding time; the number of ad hoc privilege change requests, meaning whether you got it right in the beginning or whether it is frequently out of alignment, especially during reviews; the number of excess or unused rights that are detected during reviews; and the number of exceptions during reviews, whether people have access that they shouldn’t or whether leavers remain in the system after they are gone. So use that information to feed back into the system whether or not it’s effective.
Purusottam: Okay, so KPIs is a very good suggestion, because most of the time we don’t have KPIs, or we do not think about KPIs, right, while setting up the IAM or following least privilege. So that’s a good one.
Gary: Thank you.
Purusottam: So, last question:
For a health-tech startup, what is the right time for the first security hire? And why do you think that?
Gary: The right time is probably six months prior to when you actually make that hire. The goal of every hire should be to augment the existing team with needed capability. The correct time to hire for a security-focused team depends on the strengths of the other team members.
Every start-up, especially a health-tech startup, needs to do the following things: identify appropriate technical controls frameworks, implement those controls and verify their effectiveness, organise a third-party audit readiness assessment, conduct one or more compliance audits, and then prepare to demonstrate security competence during the sales process. If the existing team can do that, if they have the expertise and bandwidth to address this issue, then it might be possible to delay hiring a dedicated security person.
The risk is that delaying the start would be costly if the result is a significant gap in controls. So the right time actually depends on the team and their existing capabilities.
Purusottam: Alright, so now let’s move to the rapid-fire section.
Is there a member of the animal kingdom that you most identify with?
Gary: So I identify with the capybara for its reputation for being kind to others.
Purusottam: What is one of the myths about cyber security?
Gary: That certification or passing an audit actually results in a good security situation. Those certifications and audits should be a result of having good security practices; they should be easy and not a lot of work if you have good security practices and procedures in place.
Purusottam: So, assuming you are hiring, in one sentence, what stands out in a candidate’s resume for you?
Gary: So I like to see a demonstrated passion for continuous learning. That hints that look or appear as a variety of products or projects, or outside of that, things like open source contributions, where you can see that the prospective candidate is passionate about doing development and learning and growing.
Purusottam: What advice would you give to your 25-year-old self starting in security, and why?
Gary: My 25-year-old self didn’t have the notion of a dedicated security anything, because it was before times. But I think just continuing to learn and grow, right, which has been my path to where I am now: finding interesting problems and solving them. Often the problems are related to something that’s gone wrong, and often things that go wrong are security issues, and so feeding that natural curiosity and growing knowledge around a wide variety of tools and technologies has been successful for me, and I think I would highlight that.
Purusottam: Continuous learning. Alright, the last question:
The one line of code that keeps you going?
Gary: One line quote that keeps me going is from a fellow that I have a great deal of respect for, a fellow named Michael Lopp, who said, “As managers we should be unfeelingly kind.”
Purusottam: Makes sense. Thank you so much, Gary, it was lovely to chat with you and get some of our most asked questions answered. Looking forward to connecting and learning more from you in the future.
Gary: Thanks Purusottam.