By Bruce Sussman
Thu | Sep 6, 2018 | 5:01 AM PDT

Justin Berman is Chief Information Security Officer of Zenefits, and he is a big believer in what he calls practical test-driven security.

Practical, he says, because test-driven security (or TDS) paints a constant picture of how secure an organization is.

We interviewed Berman at SecureWorld Bay Area. The transcript of his interview on test-driven security follows:

[SW] You really are passionate about test-driven security. Why?

[JB] "I think continuous testing is really important because adversary behaviors change frequently, our profiles and organizations change frequently. And more importantly than the changes they bring in the playbooks we face is that ultimately the controls and their effectiveness are easy to lose track of.

So when I think about testing constantly, it is because I want to know more up to the minute than up to the month how our controls are performing."

[SW] And you use this same testing process to drive cybersecurity technology decisions? 

[JB] "Before I ever want to touch on ‘is it worth investing in' additional vendors or open source controls, I want to know what the problem is to a fidelity that I can assess and that my team can assess whether or not it makes sense to spend more time or money to fix the problem."

[SW] How does the action of cyber adversaries fit into this notion of test-driven security?

[JB] "You use that to drive an understanding about what you should be testing for, to drive an understanding of what controls you need. Because ultimately, when you think about the role of security, it’s not to build more stuff. The job is about stopping bad people from doing bad things, whether those bad people are internal or external or whatever else.”

In the end, Berman tells us test-driven security drives real data into answering "Are we secure?"
