Cybersecurity Best Practices: Tips From Sebastian Gierlinger, VP of Engineering at Storyblok

Marketing
Gillian Mays

Storyblok is the first headless CMS that works for developers & marketers alike.


"Everyone should be aware that the security landscape has changed tremendously."

If you’re a CMS user, those words are enough to send a chill down your spine. The ever-accelerating pace of technology has introduced countless opportunities, but it’s not without its risks. Keeping up with evolving security threats can feel like a full-time job.

But don’t worry — you don’t need to be a security expert to be prepared. We sat down with Sebastian Gierlinger, our VP of Engineering and provider of that quote, to pick his brain on cybersecurity best practices. Check out his insights to stay on top of today’s biggest threats.


Security begins with you

With all the external threats to worry about, it might seem counterintuitive to look inwards. But Sebastian tells us that keeping everything secure takes rigorous maintenance from you and your teams. And the best way to do that?

“Regular security trainings,” he advises, “about twice a year.” In addition to basic security practices like secure password management, Sebastian recommends using these trainings to cover some of the bigger risks too. Phishing attacks, where a bad actor impersonates a trusted source to trick someone into handing over credentials or other sensitive information, are particularly alarming to him. “If you’re not a skeptical person, it’s very easy to fall for these attacks,” he tells us.

hint:

Sebastian highlights internal phishing simulators as crucial tools. They’re an efficient way to identify team members who could benefit from a little more training.

Engineering teams should be wary, too. In addition to consistently reviewing secure coding standards, teams should also be threat modeling. Threat modeling is the systematic process of examining your system, working out what could go wrong (who might attack it, how, and what they would gain), and planning countermeasures before the attack happens.

Learn:

Learn more about threat modeling at the OWASP Foundation.

Sebastian also stresses the importance of knowing your own system: “Know where your critical data is stored,” he advises. It’s not just about familiarity. It’s about having full visibility of any potential weak points and being able to communicate them to the teams that rely on the system. “If everyone is informed, everyone can play a role in maintaining your site security.”

Know who you’re working with

It’s not just internal systems that you should be monitoring, though. “The majority of your data now lives on the cloud,” Sebastian highlights. If you use products like Google Workspace, AWS, or Salesforce, your data’s in the cloud, too.

Even if you don’t use the cloud yet, you’ll be relying on it sooner rather than later: “Some industries are a little bit further down the path and there is more stored on the cloud than in other industries, or maybe some still use on-premise software services, but in general everything is moving in this direction. There’s not a single industry that won’t be affected by the move to the cloud.”

Storing data on the cloud can be incredibly helpful, but it also opens you up to risks. Every vendor that holds your data is now part of your attack surface, so the tools you work with need to be just as secure as your own tech, or you risk bad actors reaching your data through them. A chain is only as strong as its weakest link, after all.

One way to vet your tools is with security certifications. A certification like ISO 27001 means an accredited auditor has verified that the vendor runs an information security management system meeting the standard’s requirements. It’s a quick signal that a vendor takes security seriously, even if it doesn’t prove that every individual control is effective.

However, Sebastian cautions against treating certifications as the be-all and end-all: “For companies in a B2B context, it can be good to have security certifications, because it’s a shortcut to prove you’re working in a secure way. But it presents a certain problem for startups and smaller companies as [getting certified] is a huge financial commitment. You can’t get away with it for below $50,000. And spending $50,000 for a certification for a startup is quite the commitment.”

By limiting yourself to only vendors with certifications, you’re limiting your market choices to only big, cash-flush players – and there’s no promise that these will be the best fit for your company. There’s no hard and fast rule for when to require ISO 27001 or any other certification, for that matter. But Sebastian offers a glimpse into how Storyblok makes the decision:

  • Step 1: Determine how sensitive any info you’ll share with the vendor is.
  • Step 2: Raise your security standards for the vendor to that level. The more important or sensitive the data is, the more rigorous your standards should be.
  • Step 3: Send out security questionnaires that ensure your partners are on the same page with their security standards. “‘Do you do regular access checks?’, ‘How do you host our data?’, ‘How do your backups work?’ Stuff like that.”

Regardless of whether a vendor is certified, Sebastian still recommends doing your own research. “Check the trust centers. There’s a lot of information out there that you can get for free, without even asking. Make yourself familiar with what they’re doing.”

Classify your information

“The most important thing that many companies don’t do – and that’s the reason why some of them fail – is they don’t know where the critical data is really stored,” Sebastian stresses. And no one is immune to this pitfall. Large or small, established or startup, it doesn’t matter – if you don’t know which systems and partners hold your data, you can’t know whether it’s protected, and you’re at risk.

The best correction? “You need to first map out in what systems this information is stored,” Sebastian advises. “Then, you can come up with a proper protection policy. That normally means you come up with a classification scheme: highly confidential, confidential, public, and so on. Once you have categories, they can be applied to different systems. Then you can communicate to everyone how to deal with the data that’s stored in those systems.” This classification should be a regular part of any new system integration.

hint:

Make sure that both the classification and the behavior it entails are clear. Whether a frequent user or a one-time collaborator, keeping expectations clear for all users ensures that data will be handled properly.
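To make the process above concrete, here is an added example (not code from Storyblok or from the article) of what the inventory and classification steps look like as a simple policy check: an ordered classification scheme, each system classified by the most sensitive data it holds, and each vendor recorded with how far it has been vetted. The levels, the vetting tiers, the policy table and the sample inventory are all constructed for illustration; the check flags data flows that send data to a vendor vetted below the level the policy requires, and flows that reveal the inventory itself is out of date.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered classification scheme (the scheme from the text); higher is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


class Assurance(IntEnum):
    """Hypothetical vetting tiers for a vendor; higher means more evidence collected."""
    NONE = 0
    QUESTIONNAIRE = 1   # vendor answered our security questionnaire
    CERTIFIED = 2       # questionnaire plus certification evidence, e.g. ISO 27001
    AUDITED = 3         # certified plus our own review of their audit reports


# Hypothetical policy (not Storyblok's): minimum vetting a vendor needs
# before it may receive data at a given level.
REQUIRED_ASSURANCE = {
    Level.PUBLIC: Assurance.NONE,
    Level.INTERNAL: Assurance.QUESTIONNAIRE,
    Level.CONFIDENTIAL: Assurance.CERTIFIED,
    Level.HIGHLY_CONFIDENTIAL: Assurance.AUDITED,
}


@dataclass(frozen=True)
class DataFlow:
    source_system: str
    vendor: str
    level: Level  # classification of the data actually being sent


def classify_systems(inventory: dict[str, list[Level]]) -> dict[str, Level]:
    """A system is classified by the most sensitive data it holds.
    A system with nothing recorded defaults to PUBLIC."""
    return {name: max(levels, default=Level.PUBLIC) for name, levels in inventory.items()}


def audit_flows(systems: dict[str, Level],
                vendors: dict[str, Assurance],
                flows: list[DataFlow]) -> list[str]:
    """Return one finding per policy violation or inventory gap."""
    findings = []
    for f in flows:
        if f.source_system not in systems:
            findings.append(f"{f.source_system} -> {f.vendor}: source system not in inventory")
            continue
        if f.vendor not in vendors:
            findings.append(f"{f.source_system} -> {f.vendor}: vendor not in register")
            continue
        # The flow carries data more sensitive than the inventory says the
        # system holds: the map of where critical data lives is stale.
        if f.level > systems[f.source_system]:
            findings.append(
                f"{f.source_system} -> {f.vendor}: sends {f.level.name} data but "
                f"{f.source_system} is classified {systems[f.source_system].name}; update inventory"
            )
        required = REQUIRED_ASSURANCE[f.level]
        if vendors[f.vendor] < required:
            findings.append(
                f"{f.source_system} -> {f.vendor}: {f.level.name} data requires "
                f"{required.name} vetting, vendor vetted to {vendors[f.vendor].name}"
            )
    return findings


# Constructed sample inventory, vendor register and data flows.
SAMPLE_INVENTORY = {
    "cms": [Level.PUBLIC, Level.INTERNAL],
    "crm": [Level.INTERNAL, Level.CONFIDENTIAL],
    "hr": [Level.HIGHLY_CONFIDENTIAL],
}
SAMPLE_VENDORS = {
    "analytics-saas": Assurance.QUESTIONNAIRE,
    "backup-provider": Assurance.CERTIFIED,
    "email-tool": Assurance.NONE,
}
SAMPLE_FLOWS = [
    DataFlow("cms", "analytics-saas", Level.PUBLIC),              # fine
    DataFlow("crm", "analytics-saas", Level.CONFIDENTIAL),        # vendor under-vetted
    DataFlow("hr", "backup-provider", Level.HIGHLY_CONFIDENTIAL),  # vendor under-vetted
    DataFlow("cms", "email-tool", Level.CONFIDENTIAL),            # stale inventory + under-vetted
]


def run_sample() -> list[str]:
    return audit_flows(classify_systems(SAMPLE_INVENTORY), SAMPLE_VENDORS, SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The point of the ordered levels is that the policy can be checked mechanically every time a new integration is added, which is what makes the classification a "regular part of any new system integration" rather than a one-off spreadsheet. The "update inventory" finding is the one to watch: it is how you discover that critical data has quietly moved somewhere you were not tracking.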


Balancing innovation with security

With the importance of secure operation and the essential need to vet any new vendors, it’s easy to feel like your growth is restricted. Striking a balance between innovation and security – making progress and doing it safely – presents a unique challenge.

“It’s a good question,” says Sebastian. “Innovation is necessary, or else you fall behind. I would highly suggest already thinking about security during the innovation process.” Thinking of the two needs like partners rather than competitors can keep you moving swiftly and safely. Sebastian recommends threat modeling before any development begins, considering security implications carefully, and picking your partners wisely.

AI and security

Artificial Intelligence (AI) and Large Language Models (LLMs) have opened up a whole new world of possibilities for customers and brands alike. But Sebastian warns us that it isn’t all roses: “Honestly, from a security perspective, AI is terrible. No, seriously, it’s terrible. There are so many new threats that are coming up…. It’s becoming more and more complicated for us to defend against these attacks.”

One big risk is the rise of deepfakes. This synthetic audio, video, and imagery can be used to impersonate nearly anybody and exploit your trust to obtain sensitive data. Nobody is safe from them – not even world leaders like President Zelenskyy. With the help of AI, even novice users with very little skill can produce targeted, convincing impersonations.

The same goes for more traditional hacking. Your average user is now only a few prompts away from a primer on common CMS vulnerabilities and the tools used to exploit them. To make his point, Sebastian pulled up an AI engine, asked for the best way to hack a CMS, and – quite alarmingly – got a detailed, step-by-step guide in seconds. It even went as far as to suggest the best tools for the job. When hacking know-how is that easy to obtain, the bar for would-be attackers is lower than it has ever been.

However, Sebastian assures us there are steps you can take to keep yourself out of trouble. The first is to maintain a healthy level of skepticism and be cautious about the information you send. You should also agree on an authorized, secure channel for communication with your team members and use it consistently. That way, any request that arrives outside that channel, however convincing the voice or face behind it, is an immediate sign to verify before you act.

hint:

If you want an extra layer of protection, prefer channels where your organization controls who can join. Anyone can send an email or a Discord message to your team, so a request that arrives that way deserves more scrutiny than one in a channel restricted to vetted members.

There’s still something to be optimistic about with AI and security, though: the power of AI doesn’t belong to bad actors alone. You can leverage its strengths to protect yourself, too. Sebastian recommends using it during your threat modeling phase to enumerate the attacks that a bad actor with the same information might try. This allows you to shore up your defenses before they can strike.

Staying up to date with security

As tech like AI continues to evolve, so does the need to safeguard yourself. Losing data to bad actors has a host of dire consequences, not the least of which is potential legal action if there was something you could have done to prevent it.

Sebastian’s advice? “Get a lawyer!”

But there are less litigious steps you can take, too. Staying informed about threats is half the battle – and depending on what certifications you’re after, it might even come up in the audits. Join cybersecurity forums, sign up for industry-relevant LinkedIn mailing lists, and set Google alerts so you can stay on top of security news.

When it comes to staying up to date with more specific regulations, like GDPR, Sebastian says it’s best to go directly to the source. “I highly recommend going straight to the regulatory bodies. They are doing a good job in communicating what they would like to have and what they would like to see.” All we have to do, he assures us, is listen.

Final thoughts

The bottom line? Knowledge is power. The more you’re aware of the state of security, the better you know your tech stack and potential risks, the more informed you are about repelling threats, the safer you are. Sebastian also recommends a healthy dose of alarm: “It’s good to have a sense of panic about security. That way, someone’s always taking care of it.”

There’s a lot on the line when it comes to keeping your CMS safe. But alongside vigilance, Sebastian advises patience, too. Be diligent, be careful, and if any missteps do happen, be prepared to recover and grow from them. “It’s a learning process in the end.”