
So You're the First Security Hire: Creating a Security Program and Integrating Security into Your Company's Culture

BSidesSF · 2020 · 19:25 · 446 views · Published 2020-03
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Bryan Zimmer shares practical advice for security professionals joining a company for the first time. The talk covers strategy, culture-building, and integration across business teams—balancing security controls with business needs, establishing management buy-in, and creating an approachable security culture that earns trust rather than compliance through fear.
Original YouTube description
Bryan Zimmer - So You’re the First Security Hire: Creating a Security Program and Integrating Security into Your Company’s Culture You're the first security hire at a company, where do you start? How do you keep the company from getting hacked without getting in the way? How do you integrate security into the culture of the business? I'll cover the critical areas to focus on, implementation steps, and first-hand examples.
Transcript [en]

Please join me in welcoming Bryan Zimmer. [Applause] Ooh. So who am I? This one goes out to all the Dr. Seuss fans in the audience. Out at the far end of town, where the Grickle-grass grows, I began my career in security protecting ones and zeros, back in 2002, before cyber was a thing and clouds were just something about which you might sing. From the Department of Defense to banks and universities, then on to Netflix to get paid to watch movies. I led Netflix's implementation of zero trust, for which most people think BeyondCorp's a must. Now sit back and get comfy, I'll spin you a yarn of how to use one pair of hands to protect your business from harm. [Applause] Oh, thank you.

So what have you gotten yourself into? Let's say you're taking over a security program or starting a security program from scratch at a small company, or maybe you're a security engineer leveling up, maybe a manager whose role has expanded, or maybe you're the poor IT guy or girl that drew the short straw. So first, congratulations. Also, second, I'm sorry. So on the plus side, you get to do things from scratch, quote-unquote do it the right way, but just remember that the right way is very subjective, so two years from now people could be looking back and think, well, what idiot did this? And you'll have to own up and say, oh, sorry, that was me.

Be ready to wear many hats. At a startup you're definitely gonna do a ton of different roles, definitely outside of security, so don't scope your role too narrowly at first; it'll definitely narrow naturally over time. For example, I'm kind of handy, so I spent a lot of time fixing the coffee machine. Luckily now we have a third party that does that. Let's see. Ideally you're not gonna want to be just a heads-down security engineer. You're definitely gonna need those skills, but you also want critical social skills, shall we say, because you're gonna be interacting with a lot of different teams around the company: engineering, IT, legal, sales, leadership, ideally. So remember that you're not just setting up security controls and all the techie stuff; you definitely have to start setting security culture. How do you want your security team to interact with people? How do you want them to interact with you? How do you want security to be valued in the company?

So why do you exist? As the Wu-Tang Clan says, C.R.E.A.M., cash rules everything around me. You need to help the business get that dolla dolla bill, y'all. So the three most important things I do for the business are making sure we don't get hacked, dealing with compliance, and filling out incoming security questionnaires. They all either directly or indirectly bring in money: so you're either winning customers or closing those deals, you're meeting legal requirements to stay in business, or you're keeping the lights on. And by the way, just because it doesn't directly bring in money, always remember to protect your customers' data, because it's the right thing to do. Keep in mind that you're an advisor, you're not the police. The people in the business can take your advice or just leave it. You need to understand what's important for the business and not just you. So maybe you have an urgent vuln to fix, or maybe you've got a shiny new tool to buy, but the business might weigh the risk-benefit and cost-benefit and say, it's really not worth it, sorry. You have to be okay with that and move on.

You might think security's not really that big of a deal because we're too small to get attacked, but no. I mean, as we know, there are spray-and-pray attacks, but also even just on LinkedIn there's plenty of information to launch spear phishing attacks against you. We've seen that, definitely, and we're a small company. Depending on your customer data and the industry you're in, you may start getting more targeted attacks. I like to put out the equation: startup minus security equals easy money for attackers, because you're gonna face all the same attacks, like ransomware, extortion, data theft, all that sort of stuff that the big companies do, but attackers know that you do not have a security team, or maybe, if you're lucky, one person.

So, strategy, the first part here. First step is finding a company with management support for security. You definitely need buy-in from the top to get anything done, otherwise you are gonna start crying very soon. Ask, you know, during the interview process, start asking some questions like: who does the position report to? Can you talk to the CEO about your strategy? What's the budget? What's the timeline for, like, how big does the team want to get, and what are the goals, and what's the timeline? That sort of thing, because you're trying to figure out, are they trying to check a box for security or do they actually deeply care about security? Ideally the company wants to start caring about security early, because as we all know, bolting on security at the end, for either the business or the product, is going to take a lot more time and effort and money. An example would be becoming CCPA and GDPR compliant; trying to bolt those features onto a product after the fact is gonna be a big huge pain.

And then before putting in the controls and processes and procedures, always ask why. So take a step back and think, okay, well, what are we trying to do here? What's the reason behind it? How will it actually benefit us? Is there a new or a better way to do it? Which is one of the benefits of starting from scratch: you can do that. So for example, traditionally people have said, you know, hey, we need crazy long passwords that are rotated every 90 days, but then you take a step back and you realize, oh, actually we can take care of this issue, and we can take care of a bunch of different attacks, account takeover stuff, just by requiring more memorable passwords plus 2FA. You know, you might traditionally buy a fancy, expensive firewall with a bunch of security features, I won't mention names, but then you take a step back and you realize, oh, actually we can solve all these problems and eliminate a whole bunch of other problems by going with the cloud and just a simple firewall.

So now on to the meat of the strategy, or the tofu if you prefer. If this Chromebook would scroll... oh, there we go. So you've got one pair of hands, so how do you make sure that you are spending your limited amount of time on the most critical things? So I've created one simple, easy-to-remember acronym there for you. First part is finding what matters most to the business, the valuables, the crown jewels. Talk to the founders, the heads of each group. What data, applications, processes, procedures matter most to the company? Things like customer data, intellectual property, bank accounts, you know, internal apps, blah blah blah. And then find what laws you have to comply with and certifications that the business wants in addition to those legal requirements. That's going to determine what frameworks you have to use, what controls you're gonna put in place, policies, and generally how fast and loose you can play with security. Dealing with compliance might be one of the big reasons why your position was created in the first place. A lot of people hate to admit that, but there will likely be some compliance parts of your job. My recommendation is outsource as much of the compliance stuff as you can, like gap assessments and audits and getting policies, but realize you're still gonna be doing a bunch of the heavy lifting putting that in place.

And then find out what level of risk the business is comfortable accepting. So get a general feel from the co-founders, like, do they want to move faster and accept more risk, or do they want to move a little more slowly and dot all the i's and cross all the t's? Some basic examples would be, you know, if there's a medium risk of exposing customer data with this new feature but the new feature is gonna close a giant deal, do they want to move forward with that, or do they want to fix the issue first before moving on? Or do you block installation of software on employees' laptops, or do you trust them to use their best judgment and let them install whatever they want? Or do you have air-gapped systems for the most sensitive stuff? A slight tangent here related to risk: third-party risk. Do you really know where your data is? So you might think you have a small AWS and GCP footprint, but your data could be going to all kinds of places thanks to G Suite plugins, Slack plugins, Chrome extensions, all that sort of stuff. So I recommend turning on OAuth whitelisting from the beginning so you can start getting a handle on this sort of stuff, especially things that have access to Google Drive, because that's where a ton of sensitive business information is these days. Definitely don't take more than, like, a day to answer those requests, otherwise you're gonna be holding up the business, which pisses off a lot of people, which I'll go into a little bit later. And then take an inventory of applications and integrations, try to gather some security information on them. Good luck if you're a small company and trying to get any sort of response out of security@whatevercompany.com. And then create a basic risk spreadsheet so you can track your assets and your risk. I do something basic like likelihood of compromise times impact, divided by remediation effectiveness, equals your risk. Just a good basic idea; you can get fancy with something like CVSS if you want. Remember that third-party and subprocessor inventory is kind of important for GDPR and CCPA; you definitely need to know where your data is going and who your subprocessors are.

Back to a little more of the strategy: threats. So find your cyber threats and ideally your physical threats as well. You can use MITRE's ATT&CK framework for some ideas. You can also use Verizon's DBIR report, shout out to Alex Pinto, I know you're in the audience riding a capybara somewhere, and then you can use CVSS for ranking them. Unauthorized access to data, data being held ransom, using trusted access to attack your customers, those are some of the big ones. Talk to the co-founders and get their input, see if they agree with you, see if they've got some other ideas, see what are the biggest threats. Next you're gonna start setting culture, because security isn't just about technology, it's definitely the people too. I'll get more into that in a couple of slides. And then good security culture makes it easier to integrate into the business: start building trust and getting into those important teams and workflows, and I'll get more into that too in a second.
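The risk spreadsheet formula from the strategy section (likelihood of compromise times impact, divided by remediation effectiveness) and the ranking of threats that follows it, worked through as an added Python example that is not code from the talk or the speaker. It assumes each factor is scored 1 to 5, with remediation effectiveness never scored 0 so the division is always defined (1 means no useful control is in place); the CSV rows, asset names, threats and scores are constructed sample data, not any company's register.

```python
"""Risk register for the 'basic risk spreadsheet' described in the talk.

Added example, not code from the talk or the speaker. It implements the
speaker's formula, risk = (likelihood of compromise * impact) /
remediation effectiveness, over a constructed CSV "spreadsheet" and
ranks the rows so one pair of hands works on the worst item first.
"""
import csv
import io
from dataclasses import dataclass

# Assumption: every factor is scored 1-5. Remediation effectiveness runs
# from 1 (no useful control in place) to 5 (strong control), never 0, so
# a row with no controls at all cannot divide by zero.
SCALE = range(1, 6)


def risk_score(likelihood: int, impact: int, remediation: int) -> float:
    """The talk's formula: likelihood * impact / remediation effectiveness."""
    for name, value in (("likelihood", likelihood), ("impact", impact),
                        ("remediation", remediation)):
        if value not in SCALE:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact / remediation


@dataclass(frozen=True)
class RiskRow:
    asset: str
    threat: str
    likelihood: int
    impact: int
    remediation: int

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact, self.remediation)


def load_register(csv_text: str) -> list[RiskRow]:
    """Parse a spreadsheet export (CSV with a header row) into rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        RiskRow(
            asset=r["asset"].strip(),
            threat=r["threat"].strip(),
            likelihood=int(r["likelihood"]),
            impact=int(r["impact"]),
            remediation=int(r["remediation"]),
        )
        for r in reader
    ]


def rank(rows: list[RiskRow]) -> list[tuple[str, float]]:
    """Highest risk first; ties broken by asset name so output is stable."""
    ordered = sorted(rows, key=lambda r: (-r.score, r.asset))
    return [(r.asset, r.score) for r in ordered]


# Constructed sample spreadsheet (hypothetical assets, not real data).
SAMPLE_CSV = """asset,threat,likelihood,impact,remediation
Customer PII in production DB,data theft / extortion,4,5,2
Company bank account,account takeover,2,5,4
Marketing website,defacement,3,1,1
Internal wiki,unauthorized access,3,2,3
"""


def top_risks(csv_text: str = SAMPLE_CSV, n: int = 3) -> list[tuple[str, float]]:
    """The short list you would walk the co-founders through: top n by score."""
    return rank(load_register(csv_text))[:n]


if __name__ == "__main__":
    for asset, score in rank(load_register(SAMPLE_CSV)):
        print(f"{score:5.1f}  {asset}")
```

Run stand-alone it prints the register ranked worst-first, with the customer PII row at 10.0 far ahead of everything else. Swapping the 1-5 likelihood and impact columns for a CVSS-derived number, as the talk suggests when you want to get fancier, only changes `risk_score` and `SCALE`; the loading and ranking stay the same.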

And the last part of the strategy here. So then comes every engineer's favorite part: the policies. You might be able to actually skip these if you're lucky, if you don't have a bunch of laws and certifications to comply with, but you may actually have large customers that demand you have certifications, so you're back to square one. I recommend getting templates from whoever you're outsourcing compliance to. Also, if you want to go the cheap route, which might take a little more effort, you can go to most universities' websites; all their policies are typically public. Work smarter, not harder: copy and paste, and then of course tweak them to fit your business. So do you really need that 10-page password policy, or can you just go with, you know, a paragraph? You don't really need to go crazy.

And then lastly, you start putting the controls in place. This is where all of us engineering types are most comfortable, so things like 2FA, anti-malware, inventory, access control, yada yada yada. You're gonna select those controls based on the inputs you've gotten in the previous steps and select what's right for the business. So, you know, you're probably not gonna have 3FA on an air-gapped network if you're just selling cat emojis. So keep it simple, that's one of my guiding principles that I'll go into in a minute. And then iterate: put the basics in place and then improve as you go along. So if you haven't been in a small company before, you might be most comfortable with, like, hey, I need to get this done 100% right the first time, but you're gonna realize that you're gonna want to get, like, 80% there at a startup, because you're gonna be moving in tons of directions with one pair of hands, and then come back and finish the 20% later. Remember that perfect is the enemy of the good.

Guiding principles. So "guardrails, not gates" is a saying I got from Jason Chan from my time at Netflix. So people hate hearing no; it definitely gets in their way, prevents them from doing their job, yeah, you become a source of their anger, so they won't want to come work with you again, they'll definitely try to go around you. So don't hold up the business unless it's something critical; let people get their jobs done, and like I said, you're here to serve as an advisor, you're not the military. And be wanted, not feared. You know, do you want to be this feared security person, or do you want to be the one that people love to work with? Which one is going to get better results for you? Definitely create an approachable and positive security culture. People are gonna want to bring you their questions and issues, rather than you having to go and dig them up, which takes a lot more time. I'll go into that in a little bit. And then keep it simple, like I mentioned here. So complex policies and procedures are gonna be hard to maintain, and, there we go, scroll, and they're definitely gonna drive people to the point of going around them. So choose short policies, choose quick security reviews, choose platform-as-a-service, choose zero trust, choose life, choose Trainspotting references. Keep it simple and you're gonna remove an entire class of security concerns: like, platform-as-a-service has almost no infrastructure to administer, Amazon RDS is secure, zero trust is gonna, you know, eliminate a bunch of traditional network security architecture and network security concerns. So you've got one pair of hands, so let AWS and GCP take care of all those old-school security issues for you. Shameless plug for my talk from a couple of years ago on zero trust at Netflix. And then make people self-reliant so they can be your hands, or sorry, your eyes and ears, because you can't be everywhere at once. So give them the tools, you know, to be on that paved path that's inside the guardrails, and the education to use them, because you won't have the time to be around and be involved in every single security decision.

Let me start getting into the culture here. How well you integrate security into the business is gonna depend on the principles you set, also the culture, and how you and your future team interact with people. So be transparent. You know, if you're gonna install something on someone's laptop, the first thing they're gonna be like, what's going on here, are you spying on me? It's like, no, this thing is gonna catch malware for you, it's gonna protect you, there's literally no way I can spy on you, here's the manual if you want to double-check. Just having some rapport with the person, showing them what's going on, and being transparent on your decisions. Appreciate people, so say thank you. It's simple, but it goes a long way. Just hearing thank you in the office really improves a lot of things, like your relationship with people. You know, what I do is, if someone has helped improve security in some way, or they report a good phishing attack or whatever, I give a Security Shark award at our all-hands meetings. So it's like an Amazon gift certificate; I'll say, hey, person X did this, thank you very much, and give them a little reward. It gets the word out there, keeps security in people's minds, and also says thank you to the person. And be humble, so no one wants to work with a brilliant jerk. We've all worked with brilliant jerks. I do jiu-jitsu and it's taught me many things; most importantly is that you're gonna learn, of course, from people above you and, you know, your peers, probably, ideally, but you're also gonna learn from people below you. So treat everyone with respect, treat everyone as a pro that you can learn something from. You know, say, like, hey, this area is not my area of expertise, can you teach me something about this and we can work together on this issue? It's exactly what I did with some AppSec flaws we had. I can barely spell AppSec, so I went to our head engineer and was like, hey, we've got this issue, can you explain it to me, can we work together, like, how can we fix this? And the two of us worked on it together, which goes much better than just, like, hey, fix this for me.

Feedback. So you can't improve, and you definitely should want to improve, so you can't improve in a vacuum. Ask people for feedback, seed the conversation with examples, like, hey, we just rolled out this tool, what do you think about it? Or, we're gonna do this, what do you think about that? Or, in this meeting I said this, did I sound like a jackass? What do you think, how can I improve? Empathy. So always assume good intent. You know, people are just trying to get their jobs done. You know, some traditional security person might hear, like, oh hey, a person comes up to you and says I need an FTP server right now, like, I need to transfer this file, and you might go whoa, head explodes. But no, take a step back and realize, okay, let's dig in a little bit. This person's trying to get their job done. Okay, they have this important file for the CEO or whoever, they need to transfer it now, they just didn't realize that we've got a paved path here to get this transferred securely and quickly. Or maybe they don't have an option right now, so then you work with them to come up with a more secure solution. So I always assume good intent.

The little things: speak English, not techie. A couple of these points were in some of the other talks as well. It definitely alienates people if you're going to talk about the dilithium crystals and rotating your cables every hundred thousand packets, that sort of thing. You know, if you're talking to legal, they're gonna be like, what in the hell are you talking about? They're not gonna want to come back and talk to you again. So tailor your level of techie to the audience. And say hi in the hallway, make eye contact, just basic interpersonal skills. I mean, not just on your team, but, like, random people in the office. It definitely improves the culture and it helps get you integrated into the company. Let's see, and also try it out in the real world, it's nice. And then the last thing on security culture is sending the elevator back down. So use your position of power at the top to help out others below you. We're never gonna increase diversity or fill hiring gaps if you don't get out there, like, spend some effort trying to get out there finding women or minorities who either work with you or outside the office, interns, recent college graduates who are trying to start their careers. Invite them to conversations and projects, invite them to industry events, try to help them build their network, give them career advice. High school teachers definitely need people to come talk and inspire their students. You can skip fancy universities; people at community colleges, high schools, and poor school districts are gonna definitely appreciate it and use it a lot more.

Integrating into the company. Socialize, so start building relationships and trust across the business. You know, you're gonna need to work with engineering for production-type stuff, IT for malware and corporate-type stuff, legal for contract review, sales for incoming security questionnaires. Go talk to the sales team and ask how many deals we lost because we didn't have security thing X, and that'll show that you're trying to help out the sales team. You can also take that number to leadership and say, hey, we need to spend a bunch of money and here's one of the reasons why, you know, the trade-off of cost there. Time's really running out. And then find the major stakeholders and the team leaders, meet with them regularly over lunch and one-on-ones, and try to build a relationship. I like to talk about increasing visibility, so you want to find the security issues and also keep yourself visible in the eyes of the rest of the company. So, you know, have new-employee security training, yearly security training, developer security training. Go to the other teams' all-hands, be like a fly on the wall, to keep your finger on the pulse and hear what's going on security-related there. Of course, don't over-communicate, because people are gonna get alert fatigue and just start ignoring you after a while, and remember to tailor the content to the specific audience. Don't blast out email to the entire company if it only applies to half the company. And then recruit people on the other teams who are interested in security to be your eyes and ears, and potentially hands, to help you fix issues and report things. Collaborate, don't be a dictator. Don't just throw stuff over the fence. Like I mentioned earlier, it's gonna go much better if you can say, hey, how can we work on this together, rather than just, like, here, please fix this problem. [Music]

Engagement. So we all know security is a dry topic, like, hey, pick a strong password, don't share your password, don't do this, don't do that. I like to get creative, make it a little fun. Here's the Security Shark award that I hand out with the Amazon gift certificate at the all-hands meetings. When I was at Netflix I did some security education posters around the office in October. This one was pushing password managers. Who doesn't love hedgehogs? The head of legal said she loved this one. Also two-factor auth, I know somebody here was attending, had an icon of a sloth, thank you. And then a little last one, or a couple more slides: our white elephant Christmas party a couple of years ago. My contribution for the gift pile was a picture of myself, which people thought was hilarious until I told them that there was a hidden gift card in there. So they did the trading and then eventually pulled it apart; they didn't find a gift card. So what they did, it took a while, but they eventually found out that if you held the picture over a heat source, the Amazon gift card was written in lemon juice and then it appeared. The CEO loved that so much that he now hides this picture regularly around the office with another card hidden in it, a coffee card, and then if you find it you get to hide it for the next person. People loved that so much that they took my picture and then put it on t-shirts for one of our Halloween costume competition things, and on the back you'll see there's a bunch of letters, and if you unscramble that you found out where the prize was. Now I have a t-shirt with my picture on it, which is weird. Anyway, I love wearing it around, it's great, makes me look famous or something.

And last thing, oh good, I think it's gonna work out: physical security. Why would you care about physical security? You know, maybe you want to learn something new, and, you know, really, who else is gonna do it at a startup? So there's a lot of similarities with infosec. So you've got badges and doors for authentication and access controls. You've got cameras, facing ideally out the external doors, for after-the-fact monitoring. Remember, do not face the cameras in; that tends to creep people out. And likely you're not gonna have alarms, because ideally people are taking their laptops home at the end of the day, you've got a BeyondCorp network, so if someone does plug into your network, whatever, that's nice. And then, you know, people also forget to set alarms anyway, so they're kind of useless. Yes sir, thank you. And then other things, you know, like you're only gonna have to worry about theft for really the first few years, but as you get bigger you might want to start investing in guards, and there could be domestic violence issues, that's one of the big ones that comes up, targeted attacks, you know, as your leadership gets higher profile, maybe attacks against them, that sort of stuff. You know, I've heard of things like teams doing international extractions on, like, big physical security teams, but don't worry about that. Really, all you have to worry about is theft, keeping the doors locked, and then cameras to satisfy the auditors and potentially, like, tracking down what got stolen. And I went a little fast because we lost some time with filling the theater, but I think I got in under the wire. I don't think I have any time for questions, but I'll take softball questions outside, and then if you want to you can add me on LinkedIn. I will happily answer any questions via LinkedIn, or just find me outside and ask your questions. Thank you. [Applause]