If you sped through your digital road map during the pandemic and are looking to fill security and privacy gaps right now, go back and check out my earlier posts:
- Accelerated Your Road Map? Go Fix Workforce and App Security
- Workforce and App Privacy Have Changed, So Should You
This post is about making the shift from reaction to preparation so that you are ready for the next moment that requires speed – and set up to scale.
Find Your Balance
In all of these posts, we mention speed and imply pressure. There is always going to be a business reason to get an app to market as quickly as possible. You will discover vulnerabilities that require your immediate attention. And regulations will set deadlines for you.
So there is always going to be more you could do to improve security for your customers, your business, and the rest of the internet. Even for veteran security professionals, the pandemic was a reminder that we still need to pick and choose priorities. If you have an internal security team, lean into their expertise. Give them the time and space to guide you on priorities. Listen to their assessments of risk and let them set a pace that works for your business.
Longer-term security and privacy improvements can have big payoffs. As in the previous posts, these improvements require action. You’re also going to need to support your existing security team or create one. By support, I mean backing conversations about risks with budget for tools, external vendors, and hiring internal talent.
If you don’t currently have security or privacy teams, we’ll cover a bit of advice on what to look for as well.
Consumers Expect and Deserve Strong Security and Privacy
Let’s also set some context.
There was a time when businesses leaned heavily into just shipping the product. Speed often won over security or privacy.
Consumers are telling us that time is over.
In a recent global survey, McKinsey found that 87% of consumer respondents said security practice concerns would mean they wouldn’t do business with a company, and 71% would stop doing business if it gave away sensitive data without their permission.
The more secure and private app is now the one that keeps and attracts customers.
Security: Longer-Term Planning
If you’re looking to make a dramatic improvement in your cybersecurity, these best practices will help get you there.
- Increase pen test frequency. Penetration testing (pen testing) includes hiring an external vendor to test your application and site for vulnerabilities and provide you with a report cataloged by severity. Many companies do this once a year and call it good. In today’s evolving threat environment, that’s not enough. If you can up your pen testing to every quarter — and take action on what you learn — you’ll see a big increase in security. Adding a pen test after every major operating system upgrade, library update, or major code push will do even more.
- Improve your software development life cycle (SDLC). Many shops are still doing security after the product is completely coded, but this creates an automatic security backlog that can not only slow getting your product to market, it can put pressure on your execs to allow unnecessary risks into the wild. Involving security and privacy teams as software is being developed allows them to raise questions that influence architecture before burning hours of engineering time. Few people like to put hours and hours into something only to have to take it apart, so your devs are rarely pleased to see this analysis tacked on at the end of the SDLC, which leads me to my next point.
- Encourage ownership and collaboration between devs and security. How you introduce the idea of static and dynamic code analysis, as well as overall participation of security in the SDLC, matters. Explaining that humans are fallible, so all code is going to have vulnerabilities, and there are going to be remote code executions (RCEs), is a good place to start. Devs don’t want RCEs creating headaches, and they don’t want to get paged and work nights because problems have been discovered and exploited. You can encourage ownership by asking your dev team to review how the security team handles its analyses. Ultimately, this can go a long way towards establishing security-dev collaboration, leading to apps that get to market more securely as well as more quickly.
- Create a golden image. A golden image is a single machine image that has been tested and hardened. When there is an operating system or library update, the image (the AMI, if you run on AWS) gets updated and tested. This allows you to see how your customers might be impacted before you push that patch update out to thousands of users. It also provides an approved starting point for new business units or apps. The time it takes to create and maintain this image pays off in protected services and reduced downtime. Using hardened images also increases reliability and consistency.
Hiring Security Talent
Security can seem like an area that is purely technical — and your team does need to have a deep understanding of your product and how it works, but sooner or later, a human is going to touch or use your product. Strong security talent needs to understand human behavior from bad actors to customers. Your chief information security officer (CISO) also needs to be able to explain technical risks and benefits to non-technical executive teams.
There’s a cybersecurity talent shortage globally. According to an International Information System Security Certification Consortium (ISC)² report, that shortage shrank slightly during the pandemic, from 4 million open jobs in 2019 to 3.1 million. You’re going to need to compete for talent.
Your new CISO also needs to understand your industry because threats are often industry-specific. Here are some questions to ask your hiring team when considering a potential candidate:
- Are they passionate about not only security but also your company?
- Do they have experience in your industry? If not, how adept are they at cross-applying knowledge?
- What are their areas of expertise? If you need them to be a generalist, do they understand how to source third-party support (and are you willing to fund that support)?
- Do they welcome diversity?
- Do they contribute to open source security?
- Do they regularly attend and speak at conferences?
- Can they explain the business case for your product?
Privacy: Longer-Term Planning
Consumers are demanding a secure and contextual private experience — and we’re seeing regulators back them up with a variety of data privacy regulations.
“By industry, consumers are most comfortable sharing data with providers in healthcare and financial services, though no industry reached a trust rating of 50 percent for data protection,” notes McKinsey.
This isn’t one of those things that is going away, says Auth0’s Vice President of Privacy Lucy McGrath. Globally, we’re seeing consumer groups becoming more vocal about data privacy concerns and violations with filings against companies like WhatsApp.
“Data privacy is going to continue to evolve with consumers’ awareness and expectations,” says Lucy. “To adapt, companies are going to have to think beyond just meeting the bare minimum of legal requirements. They need to ask themselves hard questions about what protections are appropriate given the context and the humans you’re interacting with and work through the answers. We need to be building proactive privacy programs that reflect these data privacy conversations. Creating consumer trust requires listening and deliberate action.”
Start with these questions:
- Have I taken the time to understand the relationship my digital properties (app, site) create with my customers? How do I want them to feel at login? What about as they continue through my app or site?
- Am I encouraging or discouraging trust by how I gather consent and data?
- Have I created a transparent customer experience (CX) with clear consent and options?
- If I am really honest with myself, do I need to change something? Do I really need this data?
- Who are my customers? What does privacy mean to them in the context of my services?
- Do I have appropriate basic security and data governance processes in place?
- Have I invested extra resources and time to protect the most sensitive/high-risk data such as health, financial, religious, or sexual orientation information?
- Do I have any customers in regulated jurisdictions such as the European Union (EU) or California? If so, when was the last time I checked in with my legal counsel to make sure I’m in line with current requirements?
Provide Cues for Safety and Trust
Apple’s nutrition labels for data privacy make good on efforts that have been around since the 2010s. If your new app is going to be in the App Store, Apple requires that you report publicly on data you’re using to track your customers, data linked to them, and data gathered but not linked to them. Even though Apple is relying on app developers to self-report, the labels increase consumer awareness and expectation, says Lucy. Given Apple’s size ($274.5 billion reported revenue in 2020 makes it the world’s largest company), these nutrition labels signal that data privacy is now an everyday consumer concern.
“Businesses who don’t respond could miss out,” says Lucy. “The threats of data privacy fines and unhappy customers are real, but so is the opportunity to create customer experiences (CX) that drive brand loyalty. The entire tech industry is coming together to work on these data privacy challenges. Companies that act on the side of the consumer stand out.”
Hiring Data Privacy Talent
Like security professionals, data privacy professionals need to understand and express the intersection of humans and technology. They need to be able to communicate risks and benefits across an entire organization, with an emphasis on engineering, marketing, and senior leadership. Critical and analytical thinking, empathy, and consideration of different motivations and perspectives are key. Technical knowledge around privacy laws can be taught, but an ability to engage, listen, and understand the context of the business and its customers is essential. Privacy isn’t “done” by privacy professionals; they support all parts of the business to build privacy protections into their individual business processes.
Lucy recommends that you ask candidates questions to show how they think about privacy issues in the context of the businesses in which they work. Examples of such questions include:
- How would you demonstrate the value of good privacy practices to the chief financial officer (CFO)?
- How do you respond to the statement: privacy slows the business down?
- What can you do to support developers to integrate privacy controls into their development lifecycle?
- Can you provide examples of when you have translated legal obligations into plain English requirements that the business can implement?
- Which company does privacy well? Why? How would you implement similar standards here?
- What are the key privacy risks that need to be prioritized? What actions are required to mitigate these risks?
You’re Helping Make the Internet Safer
Thank you for checking out this series. One of the things that came up while working on this content is how the pandemic has made everything even more connected. The threat landscape and regulatory requirements can seem overwhelming, but taking the time to secure your personal data, your customers’ data, and your business makes it harder for bad actors.
Identity can be a weak spot for both security and privacy if it’s not handled by experts. A strong Customer Identity and Access Management (CIAM) solution like Auth0 can increase your security and support your data privacy strategy, and it comes with certifications for compliance requirements such as ISO 27001:2013, ISO 27018:2019, and CSA STAR. If you’d like to learn more about how Auth0 can help make your business more secure and stay ahead of your customers’ evolving expectations, please reach out to the team at Auth0.
The Auth0 Identity Platform, a product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.