
I just want to remind everyone this is all due in part thanks to our sponsors: HackerOne, Fitbit, and Baer script. Colleen, want to take it away?

Thank you. Thanks, guys. I'll try to be mildly entertaining to earn that from you. So before I start on the agenda I'd like to get into why am I here today, why are you here today. So I want you to take a moment. I know it's really loud and there's spilled beer everywhere, but look around the room, look at your fellow folks here. Thanks for taking pictures. And you're probably gonna settle your gaze on somebody who is another excellent security practitioner just like you. Maybe this is someone who does excellent cloud security, someone who does third-party security, somebody who is an architect and helps with security. And everybody here does the job of security very well, we know that. But what happens if you're a good security doer and you do your job at a very hostile, infertile and apathetic environment? Has that ever happened to you? Yes, yeah, some people look sad when they raise their heads. It's okay, we've been there. So if this is you, I'm here to persuade you to adopt maybe just a couple of my learnings that I got some beatings...

Hello? Awesome, how about that. Okay, so, suspense. I am here to persuade you to adopt some of the things that I have learned that helped me push past some of the really, really painful things that have happened to me at work. Maybe it can save you a couple days of heartache, maybe a year of heartache, something. And who's this for, really? Security professionals who are at startups, small companies, or other companies who don't give a crap about security. Okay, so we're gonna spend a little bit longer on part one, so I apologize. You'll be like, oh, part one, two and three, she's spending a really long time on part one. Once we're done with part one, two and three are gonna fly through, okay.

Starting with: do you have a program and/or team? Is it doing anything? Do you have people? So I'd even like to back up a little bit and ask: are you always fighting with your VP of engineering? Do people in the company tell you that security needs to be out of the way, that they don't want to hear from you, that they don't want to do what you say? Like, if there's a little bit of antagonistic stuff going on, maybe it's not the right time for your company to go into this full force. Or maybe they're a little bit more receptive, but maybe your company has never had any kind of security incident and your execs are really annoyingly cavalier about that: well, it's never happened to us, why do we need to care, why do we have to spend money on this, that's what we have cyber insurance for. So convincing them is hard as well. So if you're in either of these situations you can reevaluate and say, should I bug out or should I actually push forward, should I try to do this? I'm here to say push forward. Make them do this, it's for their own good.

All right, so forget the plan and the team. First you need to make the executives want security. They need to want you and what you're going to do, because you're gonna bring some pain, you're bringing a lot of changes, but you're gonna make things better. So you need to convince the execs, because they control your money, they control your hiring. So this is what happened to me at first, because I went to a small company. I'd worked at big companies before, and I tried to tell them, look, we've done this gap analysis and you have a ton of risks, and we went through the exercise of prioritizing them, and maybe thinking about this one will take one year, this one will take two years, you should hire this person to do this thing. And they were just falling asleep. In fact, whenever I would give them updates they were texting, I'm sure they were tweeting, they were just not into it. And it was really hard to get my message across, and I thought, what the hell is it, why don't they take this seriously, this is their company?

Well, the problem that I was having was I was talking about security the way that I talk about security with all of you. We're security practitioners, we have a base understanding, and some of us have this crazy calling where we might have trouble going to sleep at night because this thing didn't get done or there's a bunch of risks that haven't been mitigated. But some of these guys don't give a you-know-what. What do they really care about? They don't care about what you do. So you have to flip it. So I would say that really you need to make them care by focusing on the things that they actually are interested in. So number one, executives care about staying out of trouble. They don't want to be that guy, that girl, that company, whatever it is, that screwed up. And the second thing they care about is making more money for themselves and the company, here, over here. Those two things really have to be underpinning everything that you say to them, otherwise they're just not going to give a... I'm so sorry, but that's why we have each other in the security community, is to cry on each other's shoulders. But executives are like: money and keep me out of trouble, and money and keep me out of trouble.

So when you're creating presentations for them, and you have poured your heart into it, and you're telling them everything they need to do, you are solving it, you've given them a silver bullet, if you forget to turn it on its side, if you forget to wipe it down with "and here's how you can unlock new markets by doing what I say," or if you forget to put "and this is how you can stay out of the headlines, and here's a couple other companies that didn't do exactly this and they got in the headlines, you don't want to be in the headlines," so, unfortunately, it seems manipulative, it seems pedantic, but you have to do it or, I promise you, they won't listen.

All right, so now this is a little bit more like the relationship we have. It took a very long time, it was about two and a half years. I'm sure they actually hated me, they probably complained about me behind closed doors, and I know there was one person who was gunning for me for sure, but he's quiet now. And it is because we've been able to tie what we're doing as a team together to what we can get because of that.

Okay, so on the part of keeping them out of trouble, because they're very, very concerned about this: execs, if they go looking for a job, it's actually very hard for them to find another job. For security people we think that's crazy. Like, if I quit my job today, my boss pissed me off, I'm gonna go out tomorrow and I'm gonna make twice as much, better stock options, they'll be kissing my feet, I'll get a better title, etc. That's not the case for them. If they go unemployed because something really bad happens, it could take them six months or a year to find another job. So they must stay out of trouble.

All right, so this fun photo here: whose fault was this? Who blew it there? Ah, yes, okay, you want me to talk louder? All right, is that better? Okay. Whose fault is this? Well, we all have our personal opinions on this, and I vacillate on it myself, because it's that basic understanding: don't you care about your users and security and your company? They do care about their company, but just in a different way. So I've struggled with this, because this person's VP of security tried to tell her things that were wrong, sent that prioritized list up there and said we need to fix A, B and C, and those things didn't get funded and they didn't get fixed. And that person left and went for a better job and a better title, but this problem didn't get fixed, because if you use any Yahoo products you suffered because things didn't get executed. So the way that I want us to operate is we as security people own the communications, and the response that we get from the executives informs us how good of a job we've done. And the type of message that you put together, if it gets that kind of a response, you need to get some help on reconfiguring that message, because she's not getting it. So we need to fix this so she does. Private opinions aside.

So assuming that you buy into what I said previously, how do we make them understand? We covered that they're a different animal than us, they don't care about the same things that we do. So I bet you've already done a gap analysis in your area. You probably have a prioritized list of, if this happens and this happens and this happens, the company's dead, everything is dead, we're all gonna find new jobs. Well, did they ever listen to you when you presented that? Maybe. They probably thought, you know what security people do? Security people scare people, that's what they do. Well, what we had to do to make it seem like we weren't using scare tactics was we took that list, which we thought was just gold, and then we spent $100,000 with PwC buddies and they did the same gap analysis. They went through, they did a maturity model, and lo and behold, ours and theirs looked so much alike. I felt good spending the money, but the most important thing was, when you have external validation of the stuff you've been saying all along, this means they can no longer ignore the problem.

So once you have them on the hook, then it's your job to come up with "and then fix these five things this year, it's going to require a team that looks like this and they have this expertise, we're going to need a budget that looks like this." This is the time to really ask for a big budget, and then have the executives sign off. This is where they don't get to shirk their responsibilities; they get to understand what the responsibility is, which means that they not only have to fund you, but if there are any conflicts, meaning you want a bunch of things to get fixed and then product or another team says all these other things are gonna get done and you can't do your security stuff, they need to back you up. So you have to get their commitment. Then as soon as you have that in your hot little hands, write up your job descriptions and get those jobs posted immediately. Find your security people.

Okay, so getting your team together. As I said, move immediately to hiring your security people, and those people are going to lead remediation in the most critical areas that you have. We'll say you had issues with, maybe you're in Google Cloud or AWS cloud, you have problems there: you need a cloud security expert, and this person is going to come up with a roadmap to help fix some of those items over the next few years. What if your appsec is all over the place? Same thing, you need to find an appsec person to come up with a roadmap to fix those items over the next few years. And your job is to make sure it gets rolled up and reported to the execs, because if they signed a big check for you, guess what, every quarter they want to know: how's my investment paying? Are we getting safer? Are we getting better? Can we get certified tomorrow? They'll start throwing that at you.

And a note about hiring: it's hard to find really good security people because they already have jobs. We already have jobs, and not only that, but through LinkedIn, and here, next door, tomorrow, and RSA, people are going to be trying to pick you off, pick you off and give you a better job. Oh, you have two years experience, do you want to be a CSO? It's coming, it's gonna happen. So it is hard, because if you are trying to hire people for your company, maybe you have three security people, just three, it's really hard to get that fourth, because chances are they're gonna go to Netflix, they're gonna go to Google, they're gonna go someplace where you can't compete with the dough. So I would encourage you to hire internationally. And I made these slides kind of before some things happened, whoops. That didn't deter me, though, because most of my team is from somewhere that is not the Bay Area. The whole world has security people who are interested in fixing things, building things, and making your company better. Really, it's just your job to convince them to leave everything they have, rent out their home, and come to a crazy place called San Francisco, where the rent here is probably three times as much as their mortgage wherever it was they came from. But once they get here there's so many interesting problems to solve. So, again, once they get here, get them on their roadmaps, they need to start delivering.

Okay, now you scared the hell out of the execs, good job, you got the money, and you got your people starting to flow in and make changes. What else do you need? Well, at least 80%, yes, at least 80% of what you need to get done depends on R&D, and that's just what we call, and some other teams call, your general engineering group. So it's like platform engineers, it's your DevOps engineers, it's, you know, every single product engineer that you have. Most of the work is actually done by them. You're telling them what to do, you're showing them how to do it, sometimes you're baby-stepping them into it, but they're doing most of the work. So you can't afford an adversarial situation with your R&D team. And I know 15 years ago when I started getting involved in security it was very adversarial. Developers hated security people. They saw us coming and they would start lying, they would start running, they just didn't want anything to do with this, they would cancel our meetings. Don't have that happen to you, because you need them to fix stuff. They're gonna fix your access control issues, your change control issues, testing, pen testing, everything. They're gonna do all of that for you.

And one thing about engineers: engineers in general are, you know, they're smart people, they want to be known for high quality work. They don't want to be that dumbass that ships some code that broke something. They want to be the person who's efficient and has great code and people talk about them. They love that. And also I found that they really are fueled by beer and camaraderie, and I've come to really enjoy their company personally. So make sure you regularly acknowledge their achievements and their accomplishments toward your roadmap, because you're pushing them to do the things that you want. I would even say around review time write something like a paragraph up and send it to their manager and say I want this to be included in their review, because this person's helped so much, not only are they doing their day job, but they're really making sure this stuff gets done. All right, so this is kind of how we are with them. I did steal a picture from one of my friends here, I thought it was so cute. They do drink with us, they like us. And never underestimate the power of friendship, because if they're pressed for time and they've got five things they can choose from on what to work on, if they like you better, they're gonna do your thing first.

Okay, so continuing on the R&D part two: really cement the positive changes of your program. I would like you to roll out a security champion team. What is a security champion team? Does anybody who doesn't work at Twilio know what a security champion team is? What is that? Deputizing engineers to be responsible for security, that's right, ding ding ding. I have like a drink ticket in here, sweaty though, I don't want your DNA, yeah. So again, since they're doing 80% of the work for security, you might as well make it official. These guys, guys and gals, they're an extension of your team, you know, and they will be for the next couple years, few years, as long as they can stand it. Might as well officially enlist them. Create a page somewhere that says security champions with flashing gold things, give things away to them, t-shirts, acknowledge them publicly, have their names listed. They need to know that they are not only appreciated for doing the work, but now with their names up there they are officially accountable. Another note about your champions is they will help get your roadmap items prioritized. As I mentioned, if they only have time to do one thing and they like you better, they're gonna do your thing, or they're gonna make it work. All right, hey, that's all of us together.

Okay, one last thing with R&D. Since you've been putting in all this hard work, and assuming you have this great roadmap with all these different streams, you've been accomplishing things, sooner or later you're gonna get to the point where you can go for a certification. This is the one that we went for. No, it is not the hardest one there is, there are much harder ones than that, but we actually got to a point where we could have an outside auditor come in, test our controls, and we actually passed. So awesome. The best thing about it was that our security compliance person, who isn't here today, made up these really cool certificates and gave them to the champion folks, the ones who supported us the most, the ones who put in the effort. So it's not just security's game, it's everyone's game. And a note about certifications: I actually was very anti-certification until a couple years ago, when I realized that even though, for us, and I guess for other people in general, year over year making your security at your company better, that's good, that's what we're here for. You know, last year security sucked ass, this year was better, next year is even better, and the year after that's gonna be great. That's what we care about. Other people don't necessarily care about that. It's like, good job, I'm doing a good job. What this does now, if you have this on your website, guess what, if somebody tries to cut your budget next year and this gets in danger of being lost, your executives aren't gonna be happy about that, your salespeople aren't gonna be happy about that at all. This becomes something that they want to keep. So a little bit of manipulation, a little bit of a secret there.

All right, on to the people part. Wrap it up. So is building a security team and culture at your company easy to do? Is it super easy? Every day people come up to you and they say, thank God for you and your team and all the work you do, and it's like, you're starting to tear up, like, what would we do without you guys? No. Most of the time this is what it feels like. Oops. So all these wonderful security people that you have here, what's actually happening to them is that they might be suffering on a daily basis. These folks are far... not these folks, these folks are far from home. Their support people, when they're having a bad day, they have you to console them. So you got to take care of them, especially the ones, if they travel the farthest, be the nicest to them. If you can, cook them dinner, buy them things, tell them they're awesome, just spend time with them. People need that, yeah. And someone once told me that, hey, grit and hanging in there was one of my best qualities, and other security people who were good had a lot of grit. But it's the ability to take repeated beatings. If you're relatively new to the security field, get ready. It's about getting punched in the face repeatedly and coming back and going, you know what, you didn't punch the other side of my face, so let's make it even. That's what the job is. That's why we have to be here for each other, I'm not joking.

All right, so this is really how the job feels. It's either pulling teeth, right, you're pulling teeth to get people to do things, or you're taking a beating. This is the one that I feel like most of the time, probably every Wednesday when we have ops review, like, I'm just ready for it. But yeah, and we don't want people to feel like that. So if you feel like that, imagine how the rest of your team feels. Like maybe you're leading a part of the roadmap and it's going really well and the devs love you, but then your cohort is leading another part of the roadmap and they're getting beaten up left and right. People are complaining about that person, their stuff's not getting done, thank you, but stuff's not getting done, you know, they have to report, oh, another week went by and I didn't make any progress. You need to help that person out, because we want this instead. Create this, not this, right? This.

All right, how do we create this environment? The job's hard, we know that, and if you've done a good job with the roadmap, the prioritization exercise, scaring your executives, your budget, the doing part can be tough as well. So creating this is super important, so that your guys don't have a nervous breakdown, they don't go back to whatever country they came from because it sucks so much here. Make sure that when you made that budget in the beginning, you need to make it big enough to have, like, send them to DEF CON, send them to Black Hat, get training for them. Like, maybe they want SANS training, maybe they want some certifications, you need to pay for that. So they need to grow as professionals as they're getting the crap beat out of them. So even if you have a small budget, maybe you can't send them to Black Hat, maybe you don't have $6,000 for each person, but what you can do is, when they have a bad day, take them to lunch, you know, buy them a beer, if they don't drink make them a mocktail, you know, part of theirs Martinelli's and orange juice or something. Just acknowledge that their job is tough and you're there for them and tomorrow's gonna be a better day and you've been there. And then you could say, hey, next week when I'm having a shitty day you could make me a mocktail. So yeah, another thing too, what my team does, maybe it's because I force them to, is we exercise together. So we run around the block and talk. You can do that, you can, you know, cook dinner for each other. Those are all things that are free, and I would say do the free things. Remember that these are human beings you're working with, and they are suffering because their job, like your job, is a calling, which means that, you know, they have those sleepless nights too when they think about the thing that can't get done: are we being attacked, we didn't remediate this thing fully, oh my god, are we gonna pass this audit? Like, everybody's got that voice in their heads. So remember, bring the calm, make a conscious effort to do this every day if you can.

And if you happen to be a leader of the security team, well, while your folks are working hard and executing on your roadmap, give them your time and attention, you know, always have a clear career path for them. Don't have them be like a mid-level engineer for four years, you know, without giving them a raise or with a path to promotion, because you're a terrible boss, you know, sorry. Don't do that to people, because that's how you would feel, you know, you've been busting your ass, and what if the VP of engineering who was your boss was like, good job, doing a good job, I don't care that you kept the lights on. You don't want to be talked to like that, so don't pass that down to your team.

All right, okay, wrap it up again. Most important part is, before you roll out that program and hire the team, make sure the executives and R&D actually want your security. Then you roll out the plan. I can't stress that enough, because you will bang your head against a wall until your head is bloody. Make sure the execs want it and they're gonna pay for it, and you'll know that they actually want it when they start repeating some of the things that you say, you know, they'll start catchphrases, and you're like, I caught you, I programmed you. That's how you know. You want to keep going until you win, because you will. And also, once you have your security team from all over the world or wherever you get them, you better take good care of them, because if you don't, someone else is going to. And remember that, because that is the truth. All right, and that is it. Thank you very much.

Salesforce is sponsoring a happy hour tomorrow at 8 o'clock right here. We also want to thank our sponsors Baer script, HackerOne and Fitbit, and actually we have a special gift for our speaker, a brand new Fitbit Alta for her. So that's good information. Think about the CFP next year and see if you can be up on stage next year. Thank you.