The summary was written by Kaisa Kumpas, Head of Public Relations at Digit.
Last week, the Algorütm podcast hosted Kristian Kivimägi, the Head of Cyber Security at Pipedrive. In a candid conversation, Kristian unravelled the intricate tapestry of cybersecurity principles that shape our digital world. Check out the full podcast: Küberturvalisuse disainimisest.
Kristian Kivimägi has quite a long history in the cybersecurity field. In addition to his contribution to the private sector, he dons the hat of a guest lecturer at TalTech, where he imparts wisdom on vulnerability assessment, security, and the art of cybersecurity. His journey at Pipedrive actually started when a friend called and invited Kristian to work with them - the main argument in the conversation, besides the fact that the work would suit him well, was that he would get a spectacular hoodie. Looking back, he said: “The hoodie really was great! Oh, and the work as well…”
Now, as the Head of Cyber Security, Kristian's chief mission is to foster seamless information exchange among teams, streamlining workflows for all. The two primary sides here are developers and security engineers. It can be challenging from a security perspective to filter an avalanche of information in order to provide really valuable input for the developers. Bridging this gap and eliminating redundancy can be daunting, yet entirely achievable. Remarkably, Kristian's security team largely comprises former developers who harbor a passion for cybersecurity. This unique blend ensures not only cybersecurity expertise but also an innate understanding of developers' needs, a recipe for efficient security integration.
But do the transferred team members still get to continue their development work? The answer is yes. For example, a part of the work of the security team is developing inner tools to unearth and dissect potential code, platform, and workspace risks. Kristian's sage advice echoes through the corridors of Pipedrive: “Let’s not search for a tool that would solve our problems, but let’s start with understanding the problem itself”. While developing custom tools may demand resources and effort, they yield a deeper understanding of potential security risks, making them a worthwhile investment.
One of these risks may come from misplaced trust in third parties. Whether it's a snippet of code, an external package, or any other component, verifying the source's trustworthiness is paramount. There are many alarming stories of how an installed package turned out to contain malware that, for example, steals crypto wallets when it runs. To mitigate such risks, pinning dependencies to specific, known versions is a pivotal step - at least a step in the right direction. As Kristian aptly puts it, "You can't fix everything at once; doing so would be half-hearted."
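As an added illustration of the version-locking point above (example code written for this summary, not a Pipedrive tool), the small checker below audits a pip requirements file and flags any dependency that is not locked to an exact version and a content hash; the requirements text is constructed for the demo and the hash value is a placeholder.

```python
"""Audit a pip requirements file for dependencies that are not locked down.

A dependency that is only loosely constrained (">=6.0") or pinned without a
content hash can silently resolve to a different, possibly tampered, upstream
artifact on the next install. Locking both the version and the hash limits
that exposure.
"""
import re

# Constructed sample input; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """
requests==2.31.0 --hash=sha256:%s
pyyaml>=6.0
cryptography==41.0.3
# comments and pip options are ignored by the checker
--extra-index-url https://mirror.example.invalid/simple
""" % ("0" * 64)

# Matches "name==version" (an exact pin); extras like "name[socks]" are allowed.
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)\s*==\s*(?P<version>[^\s;]+)")


def audit_requirements(text):
    """Return a list of (package, problem) pairs; an empty list means all locked."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and pip option lines such as --extra-index-url.
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        # Package name is everything before the first version operator or space.
        name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
        if not PIN_RE.match(line):
            findings.append((name, "not pinned to an exact version"))
            continue
        if "--hash=" not in line:
            findings.append((name, "pinned but no content hash"))
    return findings


if __name__ == "__main__":
    for package, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}: {problem}")
```

Running it on the sample reports pyyaml as unpinned and cryptography as pinned without a hash, while the fully locked requests line passes.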
But why maintain a dedicated security team separate from developers, and when is this bifurcation essential? The answer is as diverse as the organizations themselves - it depends largely on the function and size of a business. Nonetheless, the paramount benefit of a dedicated security team is to simplify the lives of developers. Penetration testing, problem filtration, and dispensing precise and truly valuable information to developers all contribute to a streamlined workflow. For fledgling security teams, Kristian's counsel is simple: commence with identifying your attack surface and work your way up, bridging the chasm between security and development one step at a time.
At the upcoming Digit conference, Kristian's presentation, aptly titled "Security by Design", promises to unveil the secrets of bringing security closer to developers. No longer a solitary responsibility, cybersecurity will become a collaborative effort. Understanding the nuances of interdepartmental communication and comprehending the significance of cybersecurity at this level is paramount. We look forward to hearing Pipedrive's story of overcoming mistakes and reaching the level of cyber security they have today.