About the author: Doug Kersten, Appfire’s Chief Information Security Officer, brings 20+ years of experience leading security and IT programs for some of the world’s top financial institutions and law firms. At Appfire, Doug Kersten was instrumental in launching an award-winning Trust Center, which connects customers, partners, and prospects to the latest information on the security, privacy, and compliance of the company's products and services. Under Doug's leadership, in 2023 Appfire received three internationally recognized cybersecurity certifications, including the International Organization for Standardization (ISO) 27001, ISO 27017, and System and Organization controls (SOC) SOC 2, Type 1.
As businesses scale, security teams are expected to do more with less. Without a thoughtful strategy toward scaling securely, companies can become less secure and trustworthy over time. Ultimately, this could lead to a data breach or compromise that can threaten the life of a company.
To address this, companies need to encourage a shared responsibility security model internally as early as possible, or in other words, a strong security culture. A strong security culture emphasizes a collaborative approach and incorporates cybersecurity best practices, and ultimately responsibility, into daily operations across teams, levels, and departments. Centering security culture around responsibility also means that everyone understands where the security line is drawn, whether it is between an engineering and security team, a company and its partner, or a company and the organization it wants to acquire.
Training new hires on security best practices
New hires are especially vulnerable to falling victim to the "bystander effect" when it comes to security. Because they are newer to the company, they often assume that another member of the team will report risky behavior or suspicious digital activity. Sometimes, new hires are not aware of security risks, or are just not comfortable flagging suspicious activity themselves. Regardless of the reason, not reporting suspicious activity can lead to a security incident or data leak that could have been prevented.
Awareness training for employees is vital, and should include five key elements:
- The security team should be positioned as an ally, not the security police. Fear of punishment for being transparent about a security issue will often lead to a breach. Encourage transparent communication.
- Provide an anonymous way to report concerns for those who are uncomfortable doing so openly.
- Promote a security culture where everyone is responsible for security and thinks about it on an ongoing basis.
- Identify common causes of successful attacks, like phishing attempts, unpatched systems, and poorly maintained credentials. Train new hires on what to do to prevent a security compromise.
- Develop targeted training specifically focused on areas where a security compromise is more likely to occur, like with engineering, IT Ops, and accounting teams.
By following these steps, organizations can increase the odds of a new hire or existing employee preventing a data breach. People, more often than systems and processes, are best positioned to identify potential compromises.
Consolidating trust across app portfolios
When you have multiple apps, there are a few additional considerations when it comes to trust. Most importantly, you need a way to create a standardized "baseline" of trust that all of your products meet, and then you must have a system for prioritizing which apps to "up-level" first with more costly investments.
When a team creates a new app, or when apps are acquired, it is important that they are quickly integrated into a trust program. At Appfire we've worked with our vendors to design our security programs for our needs. In some cases, we've created new vendor paradigms that make us more effective and efficient. By doing this we have been able to centralize key security functions like secure source code testing, penetration testing, and bug bounty programs, so that we can quickly onboard apps. We've also standardized our security, compliance, and privacy policies, as well as our End User License Agreement (EULA), so that they can be consistently applied against all of our apps. This has greatly improved our ability to quickly onboard apps into our trust programs.
When prioritizing which apps to up-level first with regard to trust, consider the following:
- Which are the most popular, and generate the most revenue? Popular apps have the most exposure and as a result there is an increased likelihood of potential compromise.
- Which are the most powerful? Apps that can do a multitude of things have a higher attack surface than apps that can do one thing well.
- Is it a cloud or data center app? Cloud apps are the future, but they also have a defined shared security responsibility model, which makes it easier to up-level due to related efficiencies. However, don't ignore data center apps. Ultimately, you want data center apps to be on par with cloud apps.
- Is the app being considered for depreciation? The potential security risk may not be there to justify full integration. It doesn't mean those apps are ignored, but instead an evaluation of risk should drive the decision making. How long will it take to deprecate? How powerful or popular is the app? What are the risks to existing customers in the time before deprecation?
- Finally, is there a business driver? Will you be formally announcing a new app or partnership? Will it be public? These are all important questions.
While the above are inputs into the decision making process, they are not hard and fast rules. Trust is also based on flexibility. Remember, sometimes a simple, specific customer request is enough to increase priority.
Trust and acquisitions or product partnerships
As you gain success and maturity in the Marketplace, you may start thinking about building partnerships with other Marketplace Partners, or even acquiring apps to integrate into your offering. This can be an exponential growth lever if you're able to achieve it, but it has real implications for the security of your product portfolio that should be considered. It's important to make sure that you partner with other companies who are just as serious as you are, and that you clearly communicate responsibilities when it comes to security, privacy, and compliance.
When considering acquisitions or pursuing a product partnership— or really any other market collaboration—, building trust begins during the due diligence process, prior to the completion of the acquisition or deal. It is important to understand the security profile of the company you are acquiring or partnering with. Especially when acquiring smaller companies, how they think about security is often more important than the tools and processes they have in place to address it. If a company is unwilling to discuss security or disagrees with the primary role of information security, it should be a cause for concern (note: this is also how many customers feel — when a vendor is unwilling to discuss security, it's a big red flag). Those that are the most open about their weaknesses are often the most trustworthy.
Part of building trust after an acquisition is integrating the new acquisition as quickly as possible into your security culture. Addressing pain points like vendor security risk and customer security assessments will build strong trust with the acquired company. Also, folding them in under your security policies from day one provides clarity in areas where there may be a potential for conflict.
To foster trust during acquisitions, you should:
- Have a separate due diligence session with the company being acquired to discuss security and controls that are in place, and also discuss those that are not.
- Identify where security responsibilities lie and how you can leverage your resources to improve the acquisition's security profile. Communicate this and document a plan.
- Meet with their appropriate leadership as soon as possible, and point to your security policies as the source of truth for information security.
- Integrate the acquisition quickly, with an eye on standardizing security controls so the acquired company can be laser focused on its products and services, instead of worrying about its security posture. This also helps create consistency across your product portfolio.
- Leverage your support teams and trust center (if you don't have one, create one — this also helps let customers and potential product partners or buyers know you're serious) to communicate that the acquisition is a part of your security program, so that customers that already trust you will also trust the products and services of your acquisition. Appfire’s Trust Center connects customers, partners, and prospects with the latest information on the security, privacy, and compliance of our products and services.
- Roll the acquisition into your certifications and audits as soon as possible. ISO and SOC 2 audits particularly go a long way to build trust with customers and partners.
If your company has plans to scale, prioritize implementing these trust and security practices across your organization. Learn more about Atlassian's work with Appfire.