Security Considerations for Technical Due Diligence
It seems as though a week cannot go by without news reports of yet another data breach at a large, recognizable company. One wonders what has been compromised but not yet detected or announced.
Security issues are perceived far differently than other technology issues. Consider an example of “Dilly Dilly Fidget Spinners has hard coded IP addresses in their code base” – most people would infer little if anything from that fact, while a minority would shake their heads and feel nauseous. On the other hand, “Dilly Dilly Fidget Spinners suffered a data breach affecting thousands of customers” is likely to have a negative perception from everyone who hears about it. The public sensitivity to all things security warrants a thorough investigation of security practices and incidents prior to any investment.
What should a potential investor look for in regard to information security during a due diligence effort? The answer to that question will vary widely based on the market segment of the potential investment, but there are some common considerations for information security.
Common Security Considerations
1. Fit the Risk
Security posture should fit the risk a company faces. A company providing financial services or healthcare has a far higher risk to manage than a company involved in consumer product pricing and availability. The security policies, regulatory compliance and certifications, and operational practices should fit the risk. Going beyond the appropriate degree of security adds cost and may not make business sense but is far superior to inadequate security.
A security program that fits the risk profile for the company can be a business enabler. Security programs consume time and cost money, so establishing the right fit and balance conserves resources. Conversely, a poor fit can add drag to a company and damage the business. Consider industries that have a strong reputation for security and face significant regulatory requirements, such as financial services and insurance. An experienced security professional with a banking background moves to a telematics company and is determined to bring bank-level security to his new role. The telematics company deals with route optimization and fleet maintenance management; it does not process credit card payments or store PII. Bank-level security would be a horrible fit that adds cost without benefit and ultimately damages the culture.
2. Security Minded Culture
Security awareness and accountability should be part of the culture. Well-written policies do not accomplish much if they are not internalized and emphasized by leaders. Technology leaders must treat security in the same manner as they treat availability, quality of service, and engineering productivity: by establishing transparent goals and objective metrics by which those goals are measured.
An excellent resource for security awareness training is the OWASP Top 10 Application Security Risks list. The top 10 list is revised periodically as security threat vectors morph. The top three risks from the 2017 list are injection, broken authentication, and sensitive data exposure. More information can be found on the OWASP website.
3. Validation via Recurring Testing
Recurring testing is a hallmark of successful security programs. Areas to test include employee security policy training, third-party network penetration tests, static code vulnerability testing, and drills to rehearse information security policies such as a security incident response plan. Testing validates that the policies and practices are effective and part of the company's culture.
QA automation is needed for agile product development that seeks rapid iteration and market discovery. 75% code coverage or greater is recommended. Incorporating automated security testing into the overall testing program is a smart move.
4. Cover the Basics
Basic security hygiene items that should be considered table stakes today include role-based access with audit trails, closing server ports by default and opening them by exception, segregating networks, logging production access, and encrypting data at rest. None of these actions are particularly difficult or expensive. Implementing them demonstrates security awareness and commitment. Controlling who can access data in a locked-down server farm, logging that access, and encrypting the data is a pretty good start to effective security.
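One way to check the "ports closed by default, opened by exception" item during a diligence review is to compare what a host is actually listening on against its documented exception list. This is an added example, not code from the article or from AKF Partners; the `ss -tlnp` output and the per-role allowlist are constructed and assumed.

```python
import re

# Constructed sample of Linux `ss -tlnp` output for a hypothetical web host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=955,fd=5))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1010,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed exception list per server role: port -> may it be reachable beyond localhost?
ALLOWED_BY_ROLE = {
    "web": {22: True, 443: True, 5432: False},
}

# Matches a LISTEN row and captures bind address, port and owning process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return (port, bind_address, process) for each LISTEN line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc = m.groups()
            listeners.append((int(port), addr, proc))
    return listeners

def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def audit_ports(ss_output, role):
    """Return findings: ports open without an exception, or exposed more widely
    than their exception allows. An empty list means this basic is covered."""
    allowed = ALLOWED_BY_ROLE[role]
    findings = []
    for port, addr, proc in parse_listeners(ss_output):
        if port not in allowed:
            findings.append(f"port {port} ({proc}) listening on {addr} with no documented exception")
        elif not allowed[port] and not is_loopback(addr):
            findings.append(f"port {port} ({proc}) should be localhost-only but binds {addr}")
    return findings

if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_SS_OUTPUT, "web"):
        print("FINDING:", finding)
```

On the constructed sample the only finding is the Redis listener on 6379, which has no exception for the web role.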
How AKF Can Help
AKF Partners has performed hundreds of due diligence efforts over the last 10 years and is made up of technology professionals who have walked the walk at widely recognized companies such as eBay, PayPal, and General Electric. Our security expertise comes from living the reality of technology, not an auditing course.