Faberlic CISO Vadim Smirnov on priorities and plans for the development of cybersecurity
As information security requirements in companies increase, the question of how information security and IT services interact becomes more and more relevant. Finding a balance between security and efficient business performance is not a trivial task, and it requires particular effort and skill from the CISO. Vadim Smirnov, information security director of Faberlic, one of the largest cosmetics companies in the direct sales market, shared his experience in solving it, and his priorities in the field of information security, in an interview with TAdviser.
What place does information security have in your business?
Vadim Smirnov: We are a partner for the business and for IT. The IT component in our company is quite large. We have an online store and a mobile application, so most of the information security risks are associated with the IT unit and, accordingly, the main front of our work is concentrated in this direction. In terms of working with staff, we are engaged in improving digital literacy. Since Faberlic consultants are an important part of our business, we also face the task of raising their cyber literacy skills. Taken together, this allows us to strengthen the image of our brand.
Within the information security directorate, we single out several areas that deal with different topics. One of them is secure development. It appeared relatively recently. We have created a roadmap for DevSecOps and have already implemented and automated basic secure development practices for code validation. In this direction we work together with the development team. Their involvement is a key factor in success, and for them it is an indicator of the quality of the product they produce.
In addition, we are involved in the analysis of new solutions. This can be new functionality or some new technologies or digital channels: for example, chatbots, AI tools, etc. We can check them against various parameters: compliance with legal requirements, requirements for secure development, architecture security, and the quality of network interaction with our other systems. We pay special attention to built-in security features and strive for the Secure by Design concept.
What difficulties did you have when implementing information security standards and best practices for secure development?
Vadim Smirnov: The main difficulty is that best practices and standards do not always resonate with developers; on the first approach they perceive them as some new obligations. It was important for us in information security to understand how internal IT processes are arranged, and how our proposals for implementing new processes correspond to their usual practices.
As a baseline, we used the foreign standards on which the Russian GOST for secure development is based. We had previously conducted an audit with a contractor, who developed a strategy for implementing practices based on this key standard. As practice has shown, everything looks beautiful on paper, but it really took off when we began to trust each other and tried to find comfortable options for interaction, based on the direction set by the audit and the adopted strategy.
Then we simply watched how the developers work so that we could fit in comfortably and keep up with their releases. It is important to come with information security questions in time, while they still have time to assess our requirements and fix something. After some time, mutual understanding appeared on the development side: they also became interested in critical vulnerabilities and try to correct them in a timely manner. They have already begun to evaluate them for their part. As a result, we seriously reduced the time required to negotiate with the IT team and accelerated the process of eliminating vulnerabilities.
As a result, a peculiar distribution of responsibility emerged between us. We managed to involve the development team in the process of eliminating vulnerabilities; now IT specialists themselves understand that this is necessary and important. We no longer force them to fix problems, but simply share our findings. We perform a triage of vulnerabilities and form a task queue. Then the developers take on what they consider relevant and gradually eliminate it. We are consistently digitizing this process so that we have methods for assessing how quickly problems are solved and which vulnerabilities are still left. We hope that this will allow us to identify elements of the development process that can be further improved.
How do you organize the interaction between information security and IT?
Vadim Smirnov: Here we adhere to a democratic approach. In many ways, it all depends on the brief the business gives IT. Sometimes the task is to implement a small digital service for an advertising campaign in a short time, and there is literally no time for long discussions. In this case, we show IT what risks they have, and they implement the project quickly enough, trying to apply our recommendations. Thus, IT can quickly implement the functionality required by the business and start testing it on a focus group, while at the same time we help prepare the solution for release with the necessary level of security. This is how quick projects are implemented, in which the business and IT are ready to take on security risks, but at the same time everyone has time to use the "window of opportunity" to benefit from the implemented project.
There are also more detailed and coordinated initiatives. In them, the IT team tries to bring us in at the very start, when the outlines of the project from the business are already roughly clear. Then the business shares its wishes and designates important criteria, and analysts on the IT side try to translate them into the language of development. At this moment there is already an understanding of the potential security risks, and to resolve them it is necessary to involve the information security service. At the basic level, they assess these risks for their part, critical or not, and we, for our part, act as a consultant.
In addition to development, we also control the installation of various components into the corporate infrastructure, and the compliance of all our products with the requirements of personal data legislation, secure development, and security of the system architecture. We strive to make the infrastructure secure without getting in the way, and instead to improve the customer experience with the secure solutions that we offer.
In the event of conflicts, the Chief Information Security Officer (CISO) plays a crucial role. This is a business representative inside the information security service. He must defend the interests of the business, assess the reasonableness of information security requirements, find a balance between business tasks and cybersecurity requirements, and introduce in a timely manner measures that require additional investment, time or resources. The CISO's role is to understand what risks to the business arise and how important they are. The business also sets IT objectives and designates KPIs, and at this point it is very important for everyone to agree "on the shore" about the risks and how we will work with them.
Sometimes the information security directorate can put forward excessive requirements that create restrictions on the business and reduce the value of the resulting solution. In this case, it is important either to accept the emerging risks together with the business, or to develop possible alternatives to an unsafe solution to the problem. This is how conflicts are usually resolved: as a result of a mutually acceptable compromise, in order to solve the problem while complying with security interests. But no one turns a blind eye to information security aspects.
Who operates the antivirus software?
Vadim Smirnov: Signatures are updated automatically, and anti-virus policies are controlled by the information security directorate. At the same time, for servers, we have organized interaction with the infrastructure department, which is responsible for server availability. It is also important for them to control the operation of the antivirus; they have the right to disable or restart it if necessary. For this we have special regulations for action.
We have moments, especially at the end of the year, when various calculations create an increased load on the servers, for example "1C". And for them, antivirus is often a blocker, because it also requires certain computing power. We have approved processes that have developed from the results of solving similar problems with equipment performance. We prepare for this moment: we check all policies in advance so as not to cause problems, launch monitoring of the processes that the antivirus creates, and thus minimize their impact on assets.
We have also developed processes for interacting with other departments in the event of an increase in load due to various actions of the antivirus. In general, this is the use of exceptions, update schedules and system health monitoring. These simple actions allow us to get through load peaks on digital assets painlessly.
How is the process of eliminating vulnerabilities organized?
Vadim Smirnov: Technical system owners are responsible for eliminating vulnerabilities. We strive to automate this process to reduce the risks from sudden vulnerabilities. Such work cannot be planned for the quarter. We identify current vulnerabilities and react automatically. This takes a certain time, of course; there is a risk for some time, but we do not consider it super-critical. Of course, there are critical vulnerabilities like React4Shell. In this case, it is not the standard process that matters, but the established interaction and trust between departments. We say: "Guys, this is critical, you need to check quickly, the exploit has already been published. We cannot discuss this for long." They just take this task into work and react outside of the standard process.
For example, with React4Shell we were warned about a critical vulnerability by different monitoring systems and by the manufacturers of the products and services that we use. On the same day, we checked everything. We strive to respond quickly so as not to bring the situation to an information security incident.
You mentioned "services." What services do you use?
Vadim Smirnov: We use several services, for example the WAF monitoring service from the Solar group of companies. On their side is a monitoring team with a specific SLA and the same vulnerability response process that I mentioned earlier. This helps us repel in time the huge number of web attacks that our web applications face. For example, in 2025 the number of rule revisions recorded by the WAF service amounted to 552.3 million, which is 4.6 times more than last year. Most of these were attempts by automated bots to find vulnerabilities in web applications.
As part of the service, there is also the possibility of operational interaction on urgent issues, bypassing tickets. We can also quickly discuss and resolve critical issues with the team. "Solar" helps us, perhaps even beyond the scope of the service. They see problems on the assets they have under protection and report them immediately. This helps IT address an emerging security issue, or at least highlight it and schedule a response.
How do you react if you detect an attempt to exploit a vulnerability?
Vadim Smirnov: The first step is that we check whether we have such a vulnerability and whether it is relevant for us. If we see that it will take time to eliminate it, because the system needs to be updated or something needs to be rebuilt, then we can apply a virtual "patch" using such an external monitoring service. For example, if a tire is punctured and you need to get to the car service, then you can use such an external "patch." Our contracts with such services provide for this kind of interaction, and the team uses it.
Do you use artificial intelligence in the work of information security? How risky is it?
Vadim Smirnov: Of course, like everyone else. All IT departments are trying, one way or another, to apply new technologies, including artificial intelligence. At the Faberlic Monitoring Center, we have implemented elements of artificial intelligence that help enrich information about security events.
If we talk about risks, then it seems to me that, due to the information background, the risks are somewhat exaggerated, although they should not be completely excluded. Of course, there are risks associated with security culture, but they have always existed in different manifestations. The employee who prepares a report can mistakenly send information to the wrong people or use an unprotected communication channel, for example a messenger. But he could have done this before. Or sometimes a lot of information about the company's infrastructure and its security systems can be found out from tender documentation, or there was the method of searching for confidential information in the "trash bin." All of this relates to the culture of working with information.
Therefore, an ongoing process to improve employee cyber literacy is needed to make them aware of the risks in their work. For us, this is a basic task. We use training platforms and conduct various tests. Moreover, we have automated this process. For example, Faberlic even has a rating among departments, which compete with each other and receive additional points for successfully passing tests and polls and solving other tasks involving interaction with information security. But they can also receive negative points for various non-critical, but nonetheless real, information security violations. We constantly tell our employees about new, just emerging cybersecurity threats and fraud tactics.
What protection systems would you like to implement in the next year or two?
Vadim Smirnov: I have a slightly different approach: I do not plan to purchase particular solutions annually. There are requests and tasks from the business that we solve in various ways, perhaps just with our own team's resources, without introducing additional means of protection. That depends on the competencies of the team and its maturity. And it is for these tasks that I select products. If specific tools are needed, we choose them from the solutions on the market.
For example, there is a task to test the skills of the response team. You can organize simulated cyber attacks within the team with the involvement of a Red Team, or use automated penetration testing services. Or you can invite an external team that could do this. Of course, the quality and emphasis of the report on the results of the work will differ. There is a task, and I look for a solution to the task. Another example is the safe use of artificial intelligence. It can also be solved by organizational measures, cyber hygiene and raising awareness. Or you can choose a separate solution. For me, the priority is the optimal use of the company's funds. As we know, the funds spent on preventive measures should not exceed the possible damage.
We also solve the tasks of automating processes, which are mostly implemented by our own team. It is important for us to ensure the balance and sustainability of the business.