Building Security Through Culture (Craft Conf - Budapest 2016)

Rich Smith
April 29, 2016


A talk given at Craft Conf 2016 in Budapest by myself and Destiny Montague (@thisiscarlsagan), it discusses developing security culture in an organisation and some of the lessons learnt in pursuing this at Etsy.



Transcript

  1. Building Security Through Culture
    DESTINY MONTAGUE - @THISISCARLSAGAN
    RICH SMITH - @IODBOI
  2. What are we talking about today?
    • Security Culture
    • Areas that security teams & the security industry get wrong
    • People are as important as tech for effective security
    • Share Destiny's specific experience of security at Etsy
    • Things we've learnt on our security culture journey at Etsy
    • Ultimately, as developers, how you can work better with security
  3. $ alias whoarewe="whoami"
    Destiny Montague - @thisiscarlsagan
    • Security Engineer at Etsy
    • Co-Founder of Etsy's Device Lab
    • 15+ years in IT
    • Background in liberal arts
    • Problem-solving & fixing
    • Hardware & software support
    • Creativity is essential
    • Play in several bands
    • Make jewelry
    Rich Smith - @iodboi
    • Director of Security at Etsy
    • Co-Founder of Syndis, Reykjavík Iceland
    • 15+ years in the security industry
    • Background in breaking not building
    • Pen-testing, Red Teaming, Attack Sim
    • Vulnerability research, Exploit development
    • Attack framework & tooling
    • Lots of Sec Architecture & logical flaw finding
  4. WHAT IS ETSY?

  5. Etsy is a global marketplace where people around the world connect, both online and offline, to make, sell and buy unique goods.
  6. By the Numbers
    • 1.6M active sellers (as of December 31, 2015)
    • 24M active buyers (as of December 31, 2015)
    • $2.39B annual GMS (in 2015)
    • 35+M items for sale (as of December 31, 2015)
    • 819 employees around the world (as of December 31, 2015)
    • 9 offices in 7 countries (as of December 31, 2015)
    • 51% female employees, 49% male (as of December 31, 2015)
    • 86% feel connected to the company and to each other (as of 2014)
  7. Scaled, Global-Local Marketplace: Concentration of Active Sellers in 2014

  8. So let's dig in: SECURITY CULTURE

  9. Disclaimer! A + B != Culture

  10. 'Security' from 50,000ft

  11. Information security: the set of requirements that arise at the intersection of technology and society
  12. Society / Technology / Security

  13. From this simple picture it's easy to see that people need to be considered alongside technology when thinking about security
  14. Security Ego: It doesn't diminish your security street cred to value people as much as technology, it means you will have greater impact and effectiveness. You have more tools to work with.
  15. {DevOps, SecDevOps, DevOpsSec, $FlavourOfTheMonth} should not need to be words…
  16. To me DevOps just means Communication and Collaboration

  17. …and maybe breaking down silos - but that's just really different words for Communication & Collaboration
  18. Communication & Collaboration are a requirement for all of us here to be effective in our roles
  19. We shouldn't need to make up a special word for 'Doing Our Jobs Properly'
  20. and we're engineers, let's be clear it's a trend that doesn't scale…..
  21. DevOpsSecPerfHRPayrollComplianceLegalPolicyCustomerServiceMarketingFacilitiesLocalisationPublicRelationsAdvocacyDesignProductBusinessIntelligenceHelpdeskProductQAManufacturingUserResearch….. should never be a thing
  22. Instead let's just call it being an effective organisation

  23. When we say DevOps let's understand what we really mean, that is we are mindfully using Communication & Collaboration to do our roles the best we can
  24. Bonus Points: Also realise that Communication & Collaboration are symmetric - they require effort from all parties to actually succeed
  25. In particular we need to recognize that Communication & Collaboration are critical to building a positive security culture
  26. Unfortunately Communication & Collaboration is something that many security teams are not very good at, which makes building a security culture hard
  27. And building - and maintaining - a strong security culture is required to build an effective security organization
  28. What is Security Culture? 'Culture includes a set of shared values, goals & principles that guides the behaviors, activities, priorities and decisions of a group of people working towards a common objective' - Karl Wiegers, Creating a Software Engineering Culture (Photo by Emily Andrews)
  29. THE TIME WHEN A SINGLE PERSON OR TEAM CAN BE RESPONSIBLE FOR AN ORGANISATION'S SECURITY IS LONG OVER… - Laura Bell
  30. …it is up to EVERYONE…

  31. …it's a SHARED responsibility

  32. Unfortunately Classical Security approaches are not conducive to building a security culture people buy into….
  33. …..in fact they often do quite the opposite

  34. Classical == Restrictions

  35. Classical == Blocking

  36. Security as a Blocker
    • Lazy or just plain bad security teams default to blocking
    • In a fast, agile, Continuous Deployment world blocking makes you a NOP
    • You will be ignored and you will be circumvented
    • No's are a finite resource, use them wisely
    • `sed 's/no/yes but/g'`
  37. If security introduces blocking to an organisation it will be ignored not embraced
  38. 'A security team that is left out of the process is worse than no security team at all' - Ben Hughes, earlier this week at Delivery of Things World in Berlin
  39. Security teams want to be looped in early and often
  40. Security as an Enabler
    • Support teams to do their new crazy ideas (securely!)
    • Chase solutions to difficult problems
    • If your security engineers don't like solving hard problems you have the wrong ones
    • Helping people to solve their problems incentivises them to engage you
  41. +

  42. UP NEXT: PEOPLE > TECH

  43. “hard” technical skills vs “soft” interpersonal skills

  44. team diversity is stabilizing for the ecosystem

  45. [image-only slide, no text]
  46. [image-only slide, no text]
  47. Corp IT / Security / Device Lab: keep proprietary data secure; restrict ability to alter OS/software; RFID tagging; passcode lock; prevent theft; secure access to production data; ability to remotely lock/wipe; MDM; omg wut?
  48. [image-only slide, no text]
  49. EMPOWERMENT ECOSYSTEM: Trust, Empowerment, Communication, Perception

  50. trayboard in Long Beach, CA

  51. we’re fueled by a common purpose

  52. UP NEXT: SECURITY HIRING

  53. If you're building/running a security team, 'Effective Hiring Manager' needs to be a bullet on your resume
  54. Security Team Hiring
    • A successful security culture needs the security team involved in the process 100%
    • Again think in terms of Communication & Collaboration
    • Don't expect your recruiters to understand all the nuances
    • Initial outreach from you is more genuine and carries more weight
    • Better at evaluating both for accomplishments & approach - cultural fit
    • Remove silos - but closing still needed (Hint: they are better at it than you!)
  55. Number one rule….. Don't Hire Assholes

  56. If you inadvertently do, or you inherit one… Remove them ASAP
  57. SO WHAT DOES SECURITY LOOK LIKE AT ETSY?

  58. 3 Principles of Effective Security: Enabling, Transparent, Blameless
  59. 3 Principles of Effective Security - Enabling: A security team's success should be measured by what they enable, not by what they block
  60. 3 Principles of Effective Security - Transparent: A security team that is open as to what it does and why spreads understanding and is embraced
  61. 3 Principles of Effective Security - Blameless: Security failures will happen; only without blame will you understand true causes & learn
  62. Security Outreach: 'Sociable conversation is the inevitable product of socializing. Sociable conversation is the way that human beings establish trusted relationships among themselves' - Cory Doctorow, Information Doesn't Want to Be Free (Photo by Emily Andrews)
  63. Security Outreach
    • Outreach is distinct from Education
    • Outreach focuses on relationship building
    • Remove barriers
    • Reduce intimidation
    • Can be as simple as footing the bill for cake, donuts or beer!
    • Assign budget to this, it will be some of the best security ROI you see
  64. Bootcamps & Rotations
    • Have people come and 'bootcamp' with your security team
    • Embraces transparency
    • No better way to provide insight to the day-to-day of security
    • Builds strong personal relationships
    • Seeds Champions back out to the organization….
  65. Champions
    • Champions are friends & allies of the security team
    • Champions help enable you to:
      • Build strong links into teams across the organization
      • Organically share security knowledge & awareness
      • Lower the barrier to interaction with the security team
      • Scale a security team without direct hiring
  66. Securgonomics /səˈkyo͝or ɡəˈnämiks/ noun
    • The study of the efficiency of people's security interactions in their working environment
    • Security teams often lock themselves away in special rooms
    • Focus on being accessible & visible to everyone, it's invaluable
    • Lowers the barrier to interact with security IRL
    • Sit in the busiest part of the office you can
    • Have security dashboards front and centre
  67. Security Candy! Gummi bears are the way to your developers' hearts…..
    • Biggest source of security pod 'drive bys'
    • IRC bot commands so people can see what's in stock
    • Bootcamp project
  68. AND FINALLY: SOME PARTING THOUGHTS

  69. Questions you can ask about your org's security org
    • When you walk around the office do people voluntarily interact with you?
    • How often do you proactively include security in your project?
    • Do you grow your security team with internal hires?
    • Do you scale your security efforts with champions?
    • Is security seen as enabling or blocking?
    • Recognition - How often does "Thank You" come to or from the security team?
    • Does security have buy-in from the very top?
    • Is "humble" a word in the security team's vocabulary? How often is it used?
  70. If you leave with nothing else: Enabling, Transparent, Blameless (Photo by Emily Andrews)
  71. Teşekkür ederim! / Thank you!
    DESTINY MONTAGUE - @THISISCARLSAGAN
    RICH SMITH - @IODBOI