Listener's Guide: 15 Key Application Security Take-Aways from a Global CISO

I recently moderated an application security webinar with HCLSoftware’s CISO, Joe Rubino. In the session, Joe explained how his team keeps up with the pace of change in a global organization, instills credibility with Development colleagues and maintains security controls in today’s “Work from Home” environment.

Our webinar is generating a growing number of replays, so we’ve created this convenient listener’s guide for our new listeners. It presents the themes that Joe spotlighted in the session, along with key quotes and time-stamps for your review. Before reading further, you should access the webinar replay here.

Theme #1: Think like an attacker

The first prominent theme of our webinar involved Joe’s advice that security professionals should reposition themselves to “think more like attackers.” In particular, Joe reminded us that appsec risk can be managed and minimized by global organizations such as HCL, but security risk can never be completely avoided. He also encouraged organizational contacts of all types to report security issues when they arise- no matter what the reporter’s role in the organization might be.

Key quotes and time-stamps regarding Theme #1 appear below:

4:27:    “We need to think like an attacker more, especially in the appsec space”

10:19:  “If you see something, say something.”

10:53:  “Risk isn’t a bad word.”

Theme #2: Redefine what a “Security Professional” means to your organization

Joe’s advice in this section of the webinar was for an organization to re-think its definition of the term “security professional.” Long-gone are the days when emotionally-unintelligent security contacts could dictate orders from afar, without focusing on internal customer service issues or on core business drivers that triggered the security problems in the first place.

In particular, Joe redefined the term security professional to include “anyone in the organization who touches organizational data.” For that reason, Joe encouraged all of us to become data privacy and business continuity professionals right now.

Here are key quotes and time-stamps regarding Theme #2:

7:52:    “What is a security professional?”

8:50:    “Everyone needs to be a security professional.”

9:42:    “We’re all data privacy professionals now…we’re going to all be business continuity professionals.”

13:55:  “We need security professionals…that demonstrate emotional intelligence.”

14:52:  “Are you effectively aligned with the business…as an enabler?”

17:06:  “Individuals that are driven by data are really what we’re looking for.”

Theme #3: Manage your “Work from Home” program more effectively

As my colleague Neil Jones shared in his recent blog, a working team led by an MIT professor found that nearly half of survey respondents were working from home as a result of the COVID-19 pandemic, as of April 2020. Although business professionals are beginning to return to their offices in certain geographic regions, a large proportion of global workers continue to tele-commute. In this section of the webinar, Joe provided practical steps that empower your organization to manage its Work from Home landscape more effectively.

A key quote and time-stamp related to Theme #3 appears below:

29:11:  “This new landscape (Work from Home) certainly presents new attack vectors.”

Theme #4: Maintain credibility with your Development colleagues

Taking his IT Security emotional intelligence recommendation even further, Joe offered several key ways for IT Security professionals to partner more effectively with their Development colleagues, including deploying security tools that represent win-win situations for IT Security and Development.

Key quotes and time-stamps regarding Theme #4 appear below:

25:12: “Long-gone are the days when you could have this siloed approach to security.”

31:15:  “That credibility (with the Development team), it’s one of most important pieces of my job, and the team that I’m fortunate enough to lead..”

34:11:  “We can kill credibility when we’re deploying tools that make life miserable for them (the development team).”

34:59:  “We (Security & Development) are best effective when we partner together to make these large steps to better support the business.”

Theme #5: Harness the power of Artificial Intelligence (AI) tools

Finally, Joe discussed the importance of Artificial Intelligence to potential Application Security Testing success. When implemented correctly, artificial intelligence can be a powerful tool to improve your appsec team’s productivity and to reduce your false positive findings.

A key quote and time-stamp associated with Theme #5 appears below:

36:39:  “We utilize it (AI) in real-world, practical aspects.”

Test-Drive Application Security Testing for Yourself

Are you ready to try Application Security Testing technology on your own? Then, register now for our 30-day free trial of HCL AppScan on Cloud so you test-drive appsec technology while incorporating Joe’s wise advice above into your Application Security Testing program.