How Perion’s Approach to Collaborative SecOps Improves Product Security Posture
Updated September 17, 2024.
Imagine it's Monday morning. You’ve just made a fresh cup of coffee, but your phone is already buzzing with urgent notifications from work.
Messages flood in: 'Critical vulnerability detected, zero-day attack, backdoor found—patch everything now!' You hurriedly open your laptop, abandoning your coffee.
Does this sound familiar? If you work in tech, you’ve likely experienced similar mornings. If not, you are a very lucky person.
I’ve encountered these situations more than once. I’m Adi, a tech-savvy gadget enthusiast, aviation geek, and an experienced IT and Security specialist at Perion.
Our team at Perion, led by CISO Ben Hacmon, is making significant efforts to engage other departments in our shared goal: protecting our organization. As a result of this collaborative approach, my role in safeguarding our assets involves implementing and managing security measures and actively participating in cross-departmental initiatives to enhance overall security and awareness.
As Michael Jordan said, "Talent wins games, but teamwork and intelligence win championships." This is especially true in cybersecurity, where collaboration with the business can mean the difference between a minor incident and a full-blown crisis. In our rapidly evolving technological landscape, winning individual battles is nice, but aiming for overall success is a must.
In my opinion, this concept is best described in the book “The Phoenix Project” by Gene Kim, Kevin Behr, and George Spafford, which describes four types of work: the first three are planned, and the fourth is unplanned work. Ideally, security operations should fall under planned work. However, achieving this requires collaboration, not just creating a “critical” task in your favorite project management tool without proper context for the team. Such tasks often remain in the backlog indefinitely. But what happens when we identify our top risks, present them to the business owner, explain the risks, and together establish a timeline for the task?
This is where collaboration truly shines—no more security tasks falling from the ivory tower.
At Perion, a technology leader connecting advertisers and brands with consumers through AI-powered solutions, we recognized this necessity for a united front in cybersecurity.
We rely on several key factors that are vital for achieving risk reduction, regardless of whether it’s a critical issue, zero-day vulnerability, or any other security task. A collaborative mindset is necessary for effective security operations and risk mitigation.
Below are a few best practices for enabling a culture of collaborative cybersecurity:
Know Your Business
Understanding the business workflow is vital. It’s not just about knowing what assets need protection; it’s about identifying your crown jewels—those critical components of your infrastructure that, if compromised, could have serious consequences. Collaborating with business owners to map these essential assets ensures that everyone is on the same page when it comes to their protection.
This alignment is crucial for creating a security strategy that not only safeguards your technology but also supports the overall business objectives, ensuring that security measures are both relevant and effective.
Explain the Risk, Not Just the Action Item
Don’t simply pass action items to your DevOps team—engage them in understanding the real potential risk. When teams grasp the true implications of vulnerabilities, they can take more thoughtful and proactive steps to mitigate them.
By explaining the "why" behind each task, you foster a shared understanding that goes beyond mere compliance. This approach helps build a culture where security is seen as a shared responsibility, and where teams are motivated to address issues because they understand the broader impact on the organization’s safety and reputation.
Be a Trusted Advisor
Building transparency and trust is essential across all teams, whether you’re working with Alex from Finance or Jane from Legal. As a security professional, your role isn’t just to enforce rules but to serve as a partner who shares valuable expertise.
While cybersecurity is often thought of as a technical and strict role, this is very much about soft skills. Do your coworkers trust you? Do they feel comfortable approaching you about security challenges and best practices?
By positioning yourself as a trusted advisor, you encourage collaboration rather than resistance. When other departments see you as a partner rather than an obstacle, they’re more likely to support and adhere to security initiatives, leading to more effective risk mitigation.
Train and Educate
Empower your organization by providing the necessary tools and training to effectively "speak" cybersecurity.
No security team can do their job alone. For example, in the world of product security, there is no way AppSec professionals can chase and resolve every security vulnerability. Instead, they should focus their efforts on training developers to resolve issues on their own – it's the only scalable solution.
When employees are educated about cybersecurity, they become more than just passive participants—they become active contributors to the organization’s security posture. This not only enhances their ability to recognize and report potential threats but also transforms them into valuable sources of cyber threat intelligence, helping you stay ahead of potential risks.
Prioritize What’s Crucial
The noise of constant alerts and notifications is a critical cybersecurity challenge: when security teams are bombarded with potential issues, it becomes very hard to determine what really matters. Similarly, if developers are constantly asked to resolve issues that don’t actually pose serious risks, they can lose trust in the security process altogether.
For this reason, prioritizing the real risks is crucial to maintaining trust.
For example, when securing applications in the cloud, app and cloud scanners will find thousands of potential “issues”. However, are those issues in production, or only in a staging environment? Are the affected assets reachable from the internet? Do they handle sensitive data? Is the vulnerable code path even reachable at runtime?
This context is critical for understanding the true risk of a code vulnerability or cloud misconfiguration.
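The following is an added example (not code from the article, and not Jit's own prioritization logic) showing how the context questions above can be turned into a repeatable triage step: each scanner finding is scored from its scanner severity plus three context flags (environment, internet exposure, sensitive data), and the result carries a list of reasons so the ticket handed to developers explains why it was raised or deferred. The `Finding` fields, the weights, the threshold and the sample findings are all assumptions constructed for illustration.

```python
"""Contextual prioritization of scanner findings.

Added example, not code from the article or from Jit. It assumes a
finding carries a scanner severity plus the three context questions the
article asks about: environment, internet exposure, and sensitive data.
The weights and the threshold are illustrative assumptions, not a standard.
"""
from __future__ import annotations

from dataclasses import dataclass

# Base score per scanner-assigned severity (assumed, roughly CVSS-like scale).
SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}

# Findings at or above this contextual score go to the dev team now; the
# rest stay in the backlog with their reasoning attached. Assumed value.
FIX_NOW_THRESHOLD = 6.0


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: str                 # as reported by the scanner
    environment: str              # "production", "staging", "dev"
    internet_exposed: bool        # reachable from the internet?
    handles_sensitive_data: bool  # does the affected asset process sensitive data?


def contextual_score(f: Finding) -> tuple[float, list[str]]:
    """Combine scanner severity with runtime/business context.

    Returns the score and a human-readable list of reasons, so the ticket
    can explain *why* the issue matters (or why it was deferred).
    """
    base = SEVERITY_SCORE.get(f.severity.lower(), 0.0)
    reasons = [f"scanner severity: {f.severity}"]
    multiplier = 1.0

    if f.environment == "production":
        reasons.append("runs in production")
    else:
        # Staging/dev findings still matter, but rarely before production ones.
        multiplier *= 0.25
        reasons.append(f"non-production ({f.environment}), downweighted")

    if f.internet_exposed:
        multiplier *= 1.5
        reasons.append("internet-exposed")

    if f.handles_sensitive_data:
        multiplier *= 1.5
        reasons.append("asset handles sensitive data")

    return round(base * multiplier, 2), reasons


def prioritize(findings: list[Finding], threshold: float = FIX_NOW_THRESHOLD):
    """Split findings into (fix_now, backlog), each sorted by score, descending.

    Every entry is a (score, finding, reasons) tuple.
    """
    scored = []
    for f in findings:
        score, reasons = contextual_score(f)
        scored.append((score, f, reasons))
    scored.sort(key=lambda item: item[0], reverse=True)
    fix_now = [item for item in scored if item[0] >= threshold]
    backlog = [item for item in scored if item[0] < threshold]
    return fix_now, backlog


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in /api/search", "high", "production", True, True),
    Finding("F-2", "Outdated base image with critical CVE", "critical", "staging", False, False),
    Finding("F-3", "S3 bucket without server-side encryption", "medium", "production", True, False),
    Finding("F-4", "Verbose error pages", "low", "production", False, True),
    Finding("F-5", "Hardcoded secret in internal batch job", "critical", "production", False, False),
]


if __name__ == "__main__":
    fix_now, backlog = prioritize(SAMPLE_FINDINGS)
    print("FIX NOW")
    for score, f, reasons in fix_now:
        print(f"  {f.finding_id} {score:>6}  {f.title}  [{'; '.join(reasons)}]")
    print("BACKLOG")
    for score, f, reasons in backlog:
        print(f"  {f.finding_id} {score:>6}  {f.title}  [{'; '.join(reasons)}]")
```

With the sample data, the "critical" CVE in staging (F-2) scores 2.25 and lands in the backlog below a "medium" misconfiguration on an internet-exposed production bucket (F-3, 6.0), while the exposed, data-handling production injection (F-1) tops the list at 15.75. The reasons list is what goes into the ticket: the developer sees the context, not just a severity label.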
How Perion uses Jit to enable collaborative SecOps
To address some of these best practices, we partner with Jit, a solution that helps us stay focused on what’s important, eliminating wasted time and unnecessary alerts.
Jit’s Open ASPM Platform makes eleven code and cloud scanners feel like one – covering the full code-to-cloud landscape. They help us implement a collaborative security approach in a few ways:
Non-intrusive security feedback for developers: Jit provides immediate feedback on the security of every code change within the developer environment, so developers don’t need to learn a new tool or bounce between UIs to secure their code. Because resolving security issues as they code is easier and faster, developers are more likely to act on the feedback and improve their code security.
Contextual prioritization: Jit helps us cut through the noise and focus on the risks that matter most by prioritizing code security issues based on their runtime and business context – like whether it is in production or exposes sensitive data. When the development team can understand WHY an issue poses a risk, they’re much more likely to fix it.
Alignment toward a business objective: Jit’s Security Plans align the entire security and engineering team around a common goal – like meeting our SLAs for resolving issues. By rallying around a tangible outcome, product security becomes a business initiative rather than something tacked onto the side.
In conclusion, collaborative SecOps is crucial to the success of any security strategy. By collaborating effectively, we can enhance our defenses and work towards a shared objective: ensuring a secure digital environment for our organizations and customers.