Q&A with Kymberlee Price, Founder and CEO of Zatik Security on Cybersecurity Challenges faced by SMBs
The Reality of Cybersecurity for SMBs 🚨
Cloud Control is back, and this week, with a focus on SMBs 🏪 No one knows how cyber threats impact small and medium-sized businesses better than Kymberlee Price - founder of Zatik Security. Many companies outside of the Fortune 100 struggle to compete for security talent, and these companies and their customers are at more risk every day. That’s where Zatik steps in - providing top-tier security guidance for small to medium businesses.
We dive into Kymberlee's journey, from her role at the Microsoft Security Response Center to founding Zatik. She gives her advice on breaking down stereotypes, fostering collaboration, and guiding small to medium-sized organizations towards robust security practices. Kymberlee shares her expertise on building trust, preventing security mishaps, and the future landscape of cybersecurity👇
Question 1
Can you share a bit about your journey in the cybersecurity industry, from starting a security researcher outreach program to founding Zatik? What are you most focused on currently?
Answer 1 🎯
In my career, I’ve cleaned up a lot of messes. Now I want to focus on preventing them.
I started in 2003 at the Microsoft Security Response Center. I had a background in behavioral psychology, which gave me a unique skillset to ease tension between Microsoft and security researchers. In the past 20 years, I have worked in different security roles including vulnerability response and open source and supply chain security strategy, but I found that all security solutions require collaboration built on trust and respect. Just as I was building trust with security researchers and product engineers then, I am now building trust with small and medium-sized organizations looking to invest in security, by breaking down the toxic stereotypes of security teams as the House of No, always making unreasonable demands of engineering teams.
I believe we can do better and create an effective secure by design culture if we get involved earlier in a company’s maturity curve and create a great developer user experience. I also believe we can do more to help small and medium-sized companies access experienced security expertise to help guide them early in their development journey, to make sure they minimize technical debt and protect their customers and brand from the outset.
Question 2
Zatik Security provides top-tier guidance for small to medium businesses. Can you share insights into the approach Zatik takes to address the unique cybersecurity challenges faced by companies outside the Fortune 100? What are organizations often missing, not prioritizing correctly, or forgetting?
Answer 2 🎯
I have heard jokes made about how shipping secure products can be perceived as a zero-sum game where “You can ship. Or you can be secure. You pick.” But it’s not all or nothing.
As many small companies are growing, they’re mainly focused on getting things up and running and delivering their product so they can acquire customers. This totally makes sense. As these companies mature they know they need to start investing in a security program but often don’t know where to start. Sometimes their best resources are search results, or they’re relying on friends at other companies to share their security recommendations. That’s not a great way to build an effective security program, but with the experienced talent shortage in security, they may not feel like they have any other options. Maybe their primary security goal is reducing risk to protect existing customers, maybe it’s getting a compliance certification like SOC 2, maybe it’s customer acquisition and reducing friction in the sales pipeline… Most companies need guidance tailored to their business goals, and that’s where Zatik can help.
Question 3
Competing for security talent is a common struggle. How does Zatik Security tackle this challenge, and what does delivering world-class security guidance look like?
Answer 3 🎯
First, I have to say that I keep hearing there’s a talent shortage, and that’s just not true. I have seen entry level job postings get up to a thousand job applicants in a week. So it’s not about the lack of talent. There is a lack of experienced talent due to rapidly accelerating demand, and simultaneously a lack of opportunities for early in career professionals to get experience and relieve that pressure. To address these security staffing challenges, the industry needs to do a better job of onboarding new people. Zatik is committed to training people who want experience.
Zatik’s approach to delivering guidance is to offer a fractional expert approach - we have experts in nearly every field of product security - cloud, infrastructure, mobile, hardware, software design and architecture, Security Development Lifecycle (SDL)… and for the specialties we don’t do in house, we have a network of trusted partners we can refer clients to. Our goal is to help companies get up and running with an effective security engineering program so they don’t need us anymore. We start by evaluating existing technology, controls, processes and people to do a security posture gap analysis, providing clients with a pragmatic 18-24 month roadmap to achieve their goals. We can help with fractional staffing for execution if the client wants, but some just want to know they’re headed in the right direction and have a clear map of where they’re going and what they need to get there. In either case, they don’t need multiple specialty experts full time, so Zatik’s model offers a cost effective way to tap into just the capabilities a company needs, when they need them.
Question 4
Zatik Security is actively involved in training the next generation of security leaders. What specific skillsets and qualities do you believe future cybersecurity professionals should hone to become leaders in the industry?
Answer 4 🎯
We believe it’s critical that the people with experience train the next generation. There are people who are eager to learn and they’re just looking for the opportunity. The security ecosystem is incredibly diverse and there are roles for people who write code and those who don’t. So the first step is to seek out diverse skillsets and perspectives and nurture them in security teams.
Once you’re in the field and looking to grow as a leader, being deeply technical and competent at execution is not enough. The problems leaders are tasked with solving are big and complicated, and cannot be solved by a single person at a keyboard. Leadership requires the ability to think about the big picture and understand the business impact as well as the technical impact. It also requires excellent collaboration and communication skills, to influence and lead others without direct authority as their manager.
To become a CISO (chief information security officer), VP of Security, Senior Director, Architect, or Staff Engineer, you will be expected to speak the language of the business and understand business objectives outside of security. For example, you will want to understand go-to-market strategies, which customer segments generate the most revenue, what features are most popular (or generate the most support tickets) and why, what regions or customer verticals are growing or declining... It’s not just about the technical risks, but also the business risks. These are all important things to learn as security professionals grow in their careers.
Question 5
For smaller companies, building a security program can be challenging. What’s your approach when working with smaller security teams? How do you manage where resources should be allocated?
Answer 5 🎯
Zatik specializes in advising small and medium-sized businesses, and we focus on what’s going to have the most impact. First, I want to make sure they start with basic hygiene. I want to make sure they have the fundamentals like strong passwords and multi-factor authentication (MFA), as well as identity access controls. Those are going to have the most immediate impact. We also look at what security options they may already have in existing tools and services, but might not be using, that they could enable for a no-cost quick win. These are some pragmatic practices that can really help improve the security for small and medium-sized companies. Building up from the basics, we have a series of building block components we outline for companies so they don’t try to build a roof before they have walls, and that also take account of their needs. We make sure to prioritize for incremental growth since we know not everything can be done simultaneously.
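The "basic hygiene" checks named in Answer 5 (MFA on every console login, identity access controls) are things a small team can audit from data AWS already gives them for free. The script below is an added example from the editor, not code from the interview, Zatik or Gomboc: it parses the CSV that `aws iam get-credential-report` returns (after base64 decoding) and flags console users without MFA, a root account without MFA or holding access keys, and access keys older than an assumed 90-day rotation policy. The embedded report is a constructed sample with the real column names, trimmed to the columns the checks use, so the script runs offline; the 90-day threshold and the `now` value are assumptions for the demonstration. It goes slightly beyond the answer by also covering access-key age, which is the same class of no-cost quick win.

```python
"""Audit an AWS IAM credential report for basic identity hygiene gaps.

Added example (not from the original interview or from Zatik/Gomboc).
Input: the CSV returned by `aws iam get-credential-report` (base64-decoded).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90  # assumption: rotation policy used by this example

# Constructed sample, not real account data. Column names match the real
# report; columns this script does not read have been left out.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-04T10:00:00+00:00,not_supported,2024-01-10T08:12:00+00:00,not_supported,not_supported,false,true,2021-03-04T10:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-05-01T09:00:00+00:00,true,2024-01-09T16:40:00+00:00,2023-11-01T09:00:00+00:00,N/A,true,true,2023-12-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-12T09:00:00+00:00,true,2024-01-08T11:02:00+00:00,2022-06-12T09:00:00+00:00,N/A,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-01-20T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-01-20T09:00:00+00:00,true,2023-12-20T09:00:00+00:00
"""


def _parse_ts(value):
    """Return an aware datetime for a report timestamp, or None for the
    placeholder values the report uses (N/A, no_information, not_supported)."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None, key_max_age_days=KEY_MAX_AGE_DAYS):
    """Return a list of (user, finding) tuples.

    `now` may be an ISO-8601 string (useful for repeatable runs) or None for
    the current UTC time.
    """
    now_dt = _parse_ts(now) if isinstance(now, str) else datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        # Check 1: console password enabled but no MFA device registered.
        # (root reports password_enabled as "not_supported", so it is handled below.)
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))

        # Check 2: the root account must have MFA and should hold no access keys.
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))

        # Check 3: every active access key is checked for age and for root ownership.
        for slot in ("access_key_1", "access_key_2"):
            if row.get(f"{slot}_active") != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active {slot}"))
            rotated = _parse_ts(row.get(f"{slot}_last_rotated"))
            if rotated is not None and now_dt - rotated > timedelta(days=key_max_age_days):
                findings.append((user, f"{slot} not rotated for {(now_dt - rotated).days} days"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample output is repeatable (assumption for the demo).
    for user, finding in audit_credential_report(SAMPLE_REPORT, now="2024-01-15T00:00:00+00:00"):
        print(f"{user:15} {finding}")
```

On a real account, replace `SAMPLE_REPORT` with the decoded `Content` field from `aws iam get-credential-report --output text --query Content | base64 -d` (run `aws iam generate-credential-report` first if the report is stale). Each finding maps to a control that costs nothing to turn on: enforce MFA for the flagged users, remove root access keys, and rotate or delete stale keys.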
Read the Full Q&A on Gomboc.ai
What’s New at Gomboc
In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻
Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪
Top Articles and Resources of the Week
Resources
Major Cloud Security Events and Conferences
Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
Top 50 InfoSec Networking Groups to Join
Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
CIS Benchmarks
The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
SANS Practical Guide to Security in the AWS Cloud
In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
Security Best Practices for Azure Solutions
Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.