
TIMO ZIMMERMANN

balancing software engineering & infosec

Security 101: Path of least resistance

posted on Thursday 28th of May 2020

No matter if you are starting your career in information security, want to build your newly started company on a solid foundation or for whatever reason decided that it is time to step up your security and compliance game: you are in for a long journey with dozens of fights and surprises you will never anticipate. In the spirit of covering as many security-related angles as possible, let us talk a bit about you and your colleagues.

Let us start with a straightforward example. You decided to start a company working in a highly regulated field, like healthcare. If you are based in the US this most likely means you have to be HIPAA compliant. Most founders are aware of this requirement and have a rough understanding of the implications, but it is likely not deep and not technical enough to ensure that a growing and complex web or mobile app satisfies all requirements. This is why people specialized in security and compliance – like yourself – are brought in.

Most companies will have someone running marketing. No matter how good your product is, you have to sell it. And all over the world one thing holds true for marketing: they need data. The more data the better. This is their job. And let me tell you, it is not very compatible with highly regulated fields. So their first request to engineering is putting Google Analytics on the website so they have an idea what visitors look at and when they lose interest.

As shocking as this might sound, this is actually a problem. Google itself is very specific that you should not simply use GA for a HIPAA compliant product – believe me, no one will ever read this FAQ when tasked to add GA. There is a good chance that you will hear some form of justification along the lines of "but look at healthCareCompanyX! They also use GA" when you raise this issue. The sad truth is that there are tons of compliance violations in every single field by companies of any size. As long as no one catches it during an audit or sues, it simply will not change. This does not mean it is okay to join the ranks of companies violating regulations and therefore customer trust.

There are a few different actions I have seen security teams take in response to a compliance violation like the one described.

You can simply remove GA from the app or website. Now your marketing team no longer has the data they actually need to be efficient at their job. You did not just take out a whole team's productivity, but most likely also have your leadership team question why they pay a few people a lot of money to sit around. This might sound a little bit dramatic, but it is one of the outcomes I witnessed.

It does not even matter if there is any truth to it, you are in a bad position at this point. Compliance will win lots of arguments and drive decisions. But the team will remember that you turned off one of the tools they need. And moving forward they will try to make sure you do not know about the tools they use. You are the villain that tries to prevent them from doing their job!

Sooner or later you will find mysterious services and tools you never knew your company was using – and chances are pretty good they will not be compliant with your regulations. People will try to take the path of least resistance – which is not talking to you and simply starting to use tools. When it is uncovered there are usually no ramifications for them; in the end they "did what they had to do to get their job done".

Another option is to replace GA. You do some research and notice that you can self-host Matomo in a HIPAA compliant way. And it shows some fancy graphs that look like GA's, so it has to be a good replacement, right? Set up a server, drop the pixel and you are done. Except you forgot to port data over from GA. Existing data is core to an analytics solution; you cannot simply discard months of data. Except the marketing team does not know how to use the new tool. Except that core features work differently. Except… you see where this is going.

Professionals usually know one or two tools. They invest a lot to get really good at using those tools to get their job done. Sometimes there is only one tool the whole industry seems to use. You cannot "simply start using another one". You might have to get a consultant on board for custom development and training. You need to plan transition periods. And all of this assumes the team understands why you want to force them to abandon the tool that served them so well for all of their career.

The least fruitful "solutions" – let us be charitable and call them that – I have ever seen were creating a ticket for the marketing team telling them "GA is not HIPAA compliant – please find another tool", or asking large enterprises that are not set up for it to sign a BAA. Good luck, you need it.

On a personal note: I have chosen this example because it is easy to follow, this is not a general statement about marketing teams. The same scenario will happen in every team across your company – no matter if it is marketing, finance or engineering. I have also seen amazing teams being sensitive to compliance requirements and doing all the work upfront to make sure tooling will be compliant.

I have never witnessed a good security team that worked in isolation behind closed doors. You can do all the research you want and decide to move forward with what the industry considers best practices and top of the line security measures, but if your team and company are not on board you basically burn money and set yourself up for failure.

The two most important things you have to work on as early as possible are making sure everyone in your company is aligned on the importance of security and compliance, and being their partner in figuring out solutions that work from a security and compliance point of view – as well as setting your colleagues up for success.

Understanding the importance of compliance and the basic nuances of how decisions are made and tools are evaluated will help teams a lot when making the initial request. In a perfect world you provide them with something like a small checklist, so that as they engage a new vendor they can simply check off boxes and have higher confidence that the time they put into talking to the vendor will be worth it.

Or, if some of the boxes are not checked, they know they will have to pull you and your team in immediately, before spending more time on the partnership. Self service is one of the most important aspects, as it allows teams to move as fast as they want, not as fast as you are able to do your research. Security teams usually do not scale as required all the time. And the moment it becomes bothersome, slow or tedious to work with you, people will again follow the principle of least effort, which is cutting you out of the loop and delaying bringing you in for as long as possible.

At some point any team that wants a new, shiny tool should talk to you and your team for a final sign off. The sooner in the process the better. In the best case you are involved in the vendor selection early on and act as a thought partner. This will not always be feasible. But having teams follow some form of sign off process, and making sure they know you work with them and try to make things work, is far better than reacting to deals that are already signed. Once money is committed you will often be told to make it work. Even if it is not possible, you will be asked to get creative. This is even less fun than it sounds.

Security and compliance is a process involving the whole company. Work with people and set them up for success. Be mindful of their time and requirements. Help them to get to a solution that works for them, not only for you. This will make your job so much easier and more pleasant.

If you want to follow this article series you can either subscribe to the main RSS feed or to the tag specific one if you only care about startup security posts.