Most companies rely on AI solutions to analyze data and detect discrepancies, vulnerabilities, and potential areas for improvement. However, some things still require the touch of a human hand.
One of these areas is code, and it’s crucial for humans to oversee the process of developing, acquiring, or patching software. Malicious code may be concealed in the most clever ways, hidden even from the most advanced algorithms.
To further discuss the dangers of relying exclusively on automated malware detection solutions, Cybernews reached out to Justin Beals, the CEO and founder of Strike Graph, a SaaS for cybersecurity compliance.
Let's go back to the very beginning. How did Strike Graph go from an idea to what it is today?
Our company is a compliance automation startup that was founded by my cofounder, Brian Bero, and me to eliminate the confusion related to cybersecurity audit and certification processes.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
At Strike Graph, we help our customers design an organizational security practice that can be audited or certified to help facilitate trust with their customers. We help them identify the security controls that matter, which in turn eliminates security theater.
Strike Graph customers distribute security responsibility throughout their organization via the platform to create a stronger culture of security and reduce the burden on Chief Technology Officers or Chief Information Security Officers. Strike Graph integrates with common cloud environments to automate the acquisition of evidence for independent certifications or audits.
And finally, Strike Graph provides a number of trust assets that can facilitate revenue acquisition. This includes SOC 2 audits, ISO 27001 audits, PCI-DSS assessments, Penetration Testing, HIPAA audits, CCCP audits, and GDPR audits, depending on a customer's requirements.
You describe your approach as risk-based. Would you like to share more about what this entails?
At Strike Graph, we have developed a very easy, but very robust risk assessment that our customers use to identify the risks that deserve active mitigation for their business. By using our assessment, customers develop only those security requirements which matter to their specific business instead of adopting checklist security. The outcome of this is a more efficient, effective, and organizationally supported security practice for their business.
Have you noticed any new cyber threats arise as a result of the pandemic?
We’ve noticed that change management has been critical for organizations that maintain sensitive intellectual property such as software code or massive data sets. With more remote developers around the world working for our customers, it is imperative and critical to ensure that malicious code is not injected into CI/CD processes. There is no automated way to correctly detect malicious code. We saw these types of issues recently happen with Colonial Pipeline and SolarWinds.
Which security measures will become crucial to combat these emerging threats?
Enterprises must continue to tighten up how code is written, reviewed, and deployed. This is critical to maintaining security in remote-first or remote-hybrid organizations across the globe and in light of the pandemic. Also, ensuring peer review that includes a security assessment of new code, and that proper time is given to testing in QA and staging environments, will be critical. For organizations that feel or are heavily targeted, our team recommends quarterly or even monthly penetration testing for protection.
What issues can an organization run into if it doesn’t have appropriate compliance certifications in place?
Many issues can arise. For example, we have found that 90% of companies report achieving compliance for the acquisition of revenue or to fend off their competition. The cost of not having a general security certification or audit will result in lost and/or delayed deals and have a direct and measurable impact on the company's financial health. Never in my 25 years of engineering have I seen security and trust be so critical to overall company revenue as it is now.
Even though cybercrime rates are constantly on the rise, certain companies still fail to recognize the importance of compliance and other security standards. Why do you think that is the case?
CEOs and CTOs often feel like compliance is a burden to the innovation which they’d like to quickly bring to the market. In turn, auditors who don’t have any experience in developing software have made compliance feel like security theater, therefore reinforcing an unfortunate perception of compliance as a hindrance.
What is true, but not repeated enough, is that in each standard there are likely portions of the standard that don’t apply to your business. Strike Graph helps companies identify which portions of standards do and do not apply to their business through our risk assessment.
According to SOC 2 or ISO 27001, a company should not be audited on the portions of the standard that don’t apply to their business. I believe that if more executives understood how malleable the standards are, they would be more open to utilizing them to implement the security that is effective and efficient for their business.
Additionally, what would you consider to be the worst cybersecurity habits that are widely prominent nowadays?
My answer would be antivirus requirements. Antivirus software is, at best, a huge drain on system resources, and often it’s a vulnerability in itself. The focus on having antivirus software is the best definition of poor security practices. Most of these solutions have been developed as malware and adware and sometimes exploited themselves. After a discussion about these concerns with our auditor, we decided not to include antivirus software as a requirement for our security compliance.
Share with us, what’s next for Strike Graph?
We have a lot of exciting technology and developments on the horizon. Strike Graph is planning to launch support for additional frameworks which will allow us to support customers that process financial transactions, Department of Defense contractors, and publicly traded organizations. In addition, Strike Graph will continue to expand the integrations we support for automated evidence collections. We continuously improve the flexibility of these integrations so that our customers can select the specific data that matters for their compliance roadmap.
In 2022, Strike Graph is also working with select Managed Security Services Providers to allow them to develop security ontologies on the Strike Graph platform that represent their security expertise. These are significant partnerships where organizations can utilize the power of the Strike Graph platform with the expertise of security leaders.