Does it spark joy? Cybersecurity jargon sure doesn’t: risks, threats, breaches. It all sounds so negative. But Security Architect Kaan Dolgun is keen to make the language more positive and carefully architected. That’s quite a challenge already, but let’s see what else sparks joy for Kaan.
Dolgun. Kaan Dolgun.
Our Architects all have their areas of expertise: finance, data, B2B, security; you name it. They are spread across our IT organization, operating independently in their own area but collaborating with their peers to optimize the enterprise architecture. In that capacity, they act as team Spectre - yes, the name is inspired by the Bond movie.
Dolgun, Kaan Dolgun is one of the members of the illustrious team. As security became increasingly crucial within DPG Media, Kaan jumped on the chance to switch from Product Owner to Security Architect. “It’s a more independent and abstract role with the freedom to go very in-depth on specific topics. As a Product Owner, I dove deep into application security topics. Now, I’m still concerned about them, but with a wider perspective for security in general.”
Hard-wired to security
The Spectre members function as each other’s consiglieres and stakeholders. After all, many architectural decisions in one area impact other areas. It’s humanly impossible to have a deep understanding of the entire technical landscape. “We’re not interchangeable as Architects. As process facilitators, we probably are. But as technical facilitators, not so much. If you’d put me in a data team, I’d probably look at data security governance, data leakage prevention, access control, audit and logging. It’s the unavoidable nature of the beast,” he grins. So Kaan’s the one pushing security topics on the architects' agenda - from application security to threat modeling in order to consider the unthinkable or impossible.
We must change the classic cybersecurity language to something positive: talk about business value, and risk optimization, for example.
Document, document, document
One of Kaan’s pet subjects is the architectural decision record (ADR). An ADR describes an architectural decision, the context, and the consequences. Kaan: “It’s easy to think you’ll document something later, but it either doesn’t happen or happens poorly. And that’s a shame because it’s already super important in the decision-making process. Documenting evidence or knowledge can change opinions and support the process to get everyone on the same page.”
Take a new security information and event management (SIEM) solution - software that analyzes security alerts in real time. “We needed a tool and an implementation partner. An ADR supports our selection process. Everything is documented: costs, technicalities, capabilities, requirements, et cetera.”
The SIEM implementation is pretty cool. Typically, a security operations center with a managed detection and response capacity manages the SIEM, but at DPG Media, we like to do things differently. “All the teams get access to SIEM to monitor events and findings for a clear view of their total security posture.”
This capability is automatic, systematic…
Implementing a new tool doesn’t happen overnight. “Because we believe in Werner Vogels’ ‘You built it, you run it’ principle, we don’t ask individuals to install specific tools or require them to use a certain editor. Instead, we provide capabilities to improve DPG Media’s security posture. This principle also includes taking responsibility for IT risk management. So ‘You built it securely, you run it together’ would be even more fitting.” An example? Well, think of a security testing ecosystem that an engineer can use throughout the software development lifecycle: it covers dependencies and containers, and also code security, to detect hard-coded secrets or data flow vulnerabilities.
Adaptation takes time and a lot of stakeholder management. That’s quite different from the banking sector, where Kaan worked before DPG Media. “Banks have to deal with certain rules and regulations. No questions asked; just be compliant and ensure you have all the right policies for Bring Your Own Device, pentesting, automated reporting, et cetera. But we are a media company with many brands and acquisitions, which results in even more applications, front-ends, and ways of working.”
To give you an idea: 75 teams and 15,000 domains across Denmark, Belgium, and the Netherlands. So you can imagine it’s not a copy-paste exercise at all. “That’s why we focus on company-wide capabilities and automation,” says Kaan.
Take pentesting, for example. Kaan believes that pentests will always be necessary; there’s enough work for years. “But, as the teams are gaining security capabilities to use in the development phase, we don’t have to plan for five-day pentests just before going live anymore. Automating specific activities saves us about half the time. However, the tools will never truly understand the business logic. You can only automate so much; you’ll always need human intelligence.” Shifting security to the left means pentesters at DPG Media will quickly grow into full-stack security engineers. Security Engineer Stijn Crevits is the living proof.
Mind your language!
No copy-pasting. No one-size-fits-all. So, how do you guide solutions through such a large organization? It involves a lot of stakeholder management and conscious communication. Kaan is a big advocate of positive security language. “The classic cybersecurity language is negative. Risks, vulnerabilities, threats - all have a negative connotation. I don’t want to be that annoying risk guy with a questionnaire who reports issues only. So we must change our language to something positive: talk about business value, and risk optimization, for example. I believe strongly in a positive and collaborative approach; it leads to better adoption and more involvement.”
But, let’s face it, it’s hard to mind your language when there’s a security incident. Not to say that our security engineers roam our offices swearing and yelling! Old habits just die hard.
Take the Log4j vulnerability from late 2021, for example. “We set out to do security assessments throughout our entire organization. We felt the pressure and acted quickly to improve our company-wide security posture. Looking back, we realize that we focused on the negative too much. We said: ‘Ok, so your squad doesn’t have a business continuity plan (BCP). Bam, that’s a risk. Make one, now.’ Instead, we should have focused on the benefits and explained how a BCP positively impacts the entire ecosystem. So yes, we got the result we wanted, but we could have gone about it differently.”
Security is a team effort
With incidents like these, it’s important to keep a cool head and to be able to count on your colleagues. “We all worked from home during the pandemic, and I actually intended to keep it that way. But I feel positively obligated to go to our Antwerp office: we have such a good time and vibe. And that’s essential because, especially with a security incident, the pressure is high.”
Kaan compares his security team to Galatasaray: they won’t win matches if they never train or talk together. “My team is very attuned to each other. We almost read one another's minds and know when and how to pass the ball. So yes, I’d say we make a good match - we have that spark.”