Know your crown jewels
It is challenging to meaningfully protect everything because when you try to protect everything, you're going to wind up protecting nothing. So instead, you just need to figure out what it is that you need to protect, isolate that, and make sure that you have the strongest security just on that. You should also know what are your crown jewels. What do you think your crown jewels are and what does the attacker think are your crown jewels (because those two things are not always the same.)
Find a Partner in Pentesting
You don't know how to defend your company until you understand how to attack your company.
This is where PenTesting comes in.
Of course, you probably won't know how to attack your company because pen testing is really a skill that takes decades to learn and perfect. Within Radically Open Security, we have this peek-over-our-shoulder method, which is basically our pen testing workflow that we work in chat rooms online. We use something called RocketChat, which is an open-source, self-hosted clone of Slack. And we invite the customers into our chat rooms to actually observe and interact with our hackers while we are busy breaking your stuff.
The whole point of it really is just to transmit the hacker mindset to everyone involved ( particularly to developers, but also security officers sysadmins, DevOps people). By being part of the process of breaking the stuff, then they understand why those problems got there in the first place.
After all, security is a long-term process and mindset, not just a set of patches that you get from a pen test report.
So as CTO, make sure that whichever vendors that you're working with include you in the process and educate you while it's happening. Because ultimately we're going to leave, right? You're paying us by the hour after. and the real question becomes, are you still able to handle things correctly after we're gone?
This openness and transparency make things efficient for both parties. With peak-over-the-shoulder pen tests, the customers are oracles for us. If we get blocked, if we have a question if a server needs to be restarted. Just having the customer there with such short communication lines is super handy and super efficient.
Internal Teams are great, but only if you can afford talent.
It's always a good thing to invest in your internal capacity for cybersecurity. However, that assumes you have the financial resources to do so.
For larger organizations, it's realistic to build your own internal red team, CSIRT, security architecture, and other security departments.
However, not every organization has that budget or capacity or is even an attractive enough place to attract quality cybersecurity professionals. If you are a tiny company and security is not your focus, probably the best idea is to hire an external company. It isn’t just cheaper but also gives you access to better talent as smart security folks want to hang out with other smart security folks most of the time. So often it's feasible to be able to get that quality cybersecurity service by hiring an external company if you are a small company.
You must look for a trusted external partner to work with. Underline PARTNER as security should be a learning experience, not a transaction.
Core and Extended Teams
Where you are big enough to have an internal team, you should always have a kind of a core team and an extended team. Even if you're a larger entity like a bank, it's still necessary to have external experts on speed dial (or rolodex or yellow pages). Ideally, these are people who you have negotiated rates with in advance as that means you get much better pricing.
Security is a mindset, not a list of tests. Ideally, one should one have an in-house cyber team - but only if they are big enough to attract top talent. If they can't get top talent, it is best to partner with an external provider. Make sure you have a partner in your external pentester - perhaps one that provides over-the-shoulder pentesting like they do at Radically Open Security. This way, your team can improve their skills as well.