We recently sat down with Head of Operations Vlad Rusu to discuss his cyber security efforts at Lola Tech and proper risk management. Vlad has been instrumental in implementing the company’s new information security management system, as well as achieving cyber security certifications.
Strong endpoint security and other security measures that guard our own assets can only get us so far when it comes to protecting our clients. First, there has to be staff security awareness - I honestly don’t believe you can get anywhere without thoroughly investing in education. Our teams are always working deep in the stacks of our clients and often have access to sensitive information, so they need to know how to manage the risk they individually pose. Ultimately, it’s the knowledge and vigilance of our staff that makes us a safe and reliable member of the supply chain. Then there’s defining a Security Development Lifecycle (SDL) and applying it from Day One, no matter how small or large the project is. This is more of a joint effort between clients and Lola Tech, and really key. Essentially, everything else is layered on top of these two pillars.
We have upgraded our entire Identity and Access Management (IAM) stack - from tools to processes. We changed mainly because our solution at the time was missing user provisioning (SCIM) capabilities and context-aware adaptive authentication - but I’m really glad we made that change because it has vastly improved our overall operational security.
As you say, it’s a work in progress - the process of building an ISO 27001 compliant Information Security Management System (ISMS) is a long one, and we’re still working through it. Rather than the technical aspects, I’ve found one of the greatest challenges to be navigating through the complex requirements for this standard. For instance, one of the more demanding tasks is to rigorously document how we respond and react to events - there are so many eventualities to consider. As part of the process, we also have to formalise ways of working into clear policies, and that’s been surprisingly tricky. There’s a lot of discussion and consensus-building involved in achieving this certification.
Thorough and formalised risk management, I’d say. That includes everything, from endpoint security to shadow IT and Google Drive usage. But, ultimately, I think the really hard work has already been done by all those who created and contributed to the ISO 27001 standard. We’re lucky to be able to use their work as a blueprint and have access to standardised guidelines on how to build a solid ISMS.
I know I’ll repeat myself now, but each project - however big or small - needs to define a minimal SDL. The practices defined as part of the SDL must become part of your definition of ‘Done’. Start small. There are a lot of great free educational and practical tools out there - so build your security on those foundations. Get your team familiarised with the key Open Web Application Security Project (OWASP) resources, especially the ones giving you lists of controls to implement. For example, you can use OWASP’s mobile app security standard MASVS to define the requirements (controls), and their testing guide to trial how those controls have been implemented. It’s great stuff, and it’s free to use.
I’ve seen plenty of applications and entire networks where even the most basic of best practices were not followed. You don’t need a team of highly trained security professionals to implement the basics. The biggest failure I’d call out is lack of vulnerability testing and management - not patching applications and the OS for months or even years. Some of the world’s most brilliant security analysts work relentlessly to find flaws in the software we all use before malicious actors exploit those vulnerabilities, and all the user has to do is download a patch. That’s minimal effort and yet many users - including large organisations - fail to do so. Thinking back on some of the biggest cyber attacks of recent years, most resulted from vulnerabilities for which patches already existed. That always boggles my mind.