Hadas Cassorla, JD, MBA, CISSP, CIPT has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. She helps organizations build strong, actionable and implementable security programs by getting buy-in from the boardroom to the basement. She is currently Head of IT Security at Simple Finance and a virtual-CISO for scale-up companies through Scale Security Group.
Working as a security leader at startups, I have found that security is often an afterthought. This mindset is pervasive in the startup community given security can be expensive. Every company has to balance the level of security they have with an understanding of their responsibilities to the data, the types of data they have, what level of data they have, etc. but, above all, they must ensure that the company is sustainable. In other words, you can't spend more than you make.
It is important to understand what an organization’s risk appetite is and how much they are willing to spend on security. With startup security or any organization with a less mature security program, significant impact can be made by changing people’s mindset on security. For example, if your engineers think “we can push security to the end,” what they actually need is better education on how they can start bringing security in sooner so that in the end it does not become a huge overhaul, or worse, a massive breach.
So, how does one get started? There are two core tactics that will help foster a security culture: threat modeling and “pre-social engineering.” NetSPI Managing Director Nabil Hannan and host of the Agent of Influence podcast recently sat down with me to discuss this very topic. From the conversation, here are my recommendations on how to leverage threat modeling and pre-social engineering to effectively prioritize security in your organization and create a security culture.
Start with a two-pronged approach of threat modeling and frameworks
When building a security program, I generally like to work from the outside in when it comes to tooling and from the inside out when it comes to people. To build trust with the people in your organization, an inside-out mindset is critical. To achieve this, I suggest starting with threat modeling and frameworks.
Frameworks, or a system of standards, guidelines, and best practices to manage cybersecurity risk, are a great way to know what the bones of your skeleton (security program) look like so that you know where to add the muscles (controls, technology). In tandem with frameworks, threat modeling is a great starting point. It allows you to understand what data you have, where it is, how it can be attacked, where your vulnerabilities are, and much more. Threat modeling helps you figure out where to start based on what presents the most risk. At a bare minimum, it helps you define who you’re trying to protect against – and that information is invaluable.
Additionally, some companies don't yet understand which data they should be worried about. Which data is valuable, and in what ways? Threat modeling helps identify how specific data can be used by threat actors and helps organizations understand the realistic, big-picture ramifications if that data is compromised.
What is pre-social engineering?
The idea behind pre-social engineering is to work with the people in your organization to make sure they remain kind and helpful to customers but are very skeptical of people asking for assistance from outside, and even inside, the company.
A lot of organizations find value in phishing their employees. To a point, I agree with using phishing as a security awareness tactic. However, today’s phishing emails are so sophisticated and difficult to tell apart from real emails that even very skeptical security teams fall for them. For a great example of how sophisticated social engineering has become, watch this live vishing attempt from DEF CON.
Over time, I believe phishing your own employees has become a demotivating way to earn trust. If an employee fails a social engineering engagement, they are effectively disciplined by having to spend valuable time on retraining. Pre-social engineering is a more effective way to establish trust between security and the rest of the organization.
Along with your annual or quarterly security training, of course, send out digestible information about the latest threats to encourage people to familiarize themselves with security. In my opinion, approachability is one of the most effective characteristics of a successful security leader. You don’t want your employees to be afraid to approach you with a security suspicion out of fear that they will get in trouble. As part of pre-social engineering, reward your employees when they communicate with the security team.
Social engineering has the highest likelihood for compromise within any organization because the attack takes advantage of empathy. It is essential to understand that no matter how good your security is, adversaries will always find a gap. If they can get the right person, at the right time, with the right story they’re going to get in.
In the security industry we often hear, “people are your weakest link.” On the contrary, I believe they're your strongest line of defense. For more on how to leverage threat modeling and pre-social engineering to prioritize a security culture, listen to my full interview with Nabil. Or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.