Building Security Through Culture (Craft Conf - Budapest 2016)
A talk given at Craft Conf 2016 in Budapest by myself and Destiny Montague (@thisiscarlsagan). It discusses developing security culture in an organisation and some of the lessons learnt in pursuing this at Etsy.
• Areas that security teams & the security industry get wrong
• People are as important as tech for effective security
• Share Destiny’s specific experience of security at Etsy
• Things we’ve learnt on our security culture journey at Etsy
• Ultimately, as developers how can you work better with security
$ alias whoarewe="whoami"

@thisiscarlsagan
• Co-Founder of Etsy’s Device Lab
• 15+ years in IT
• Background in liberal arts
• Problem-solving & fixing
• Hardware & software support
• Creativity is essential
• Play in several bands
• Make jewelry

@iodboi
• Director of Security at Etsy
• Co-Founder of Syndis, Reykjavík Iceland
• 15+ years in the security industry
• Background in breaking not building
• Pen-testing, Red Teaming, Attack Sim
• Vulnerability research, Exploit development
• Attack framework & tooling
• Lots of Sec Architecture & logical flaw finding
31, 2015
• 24M active buyers (as of December 31, 2015)
• $2.39B annual GMS (in 2015)
• 35+M items for sale (as of December 31, 2015)
• 819 employees around the world (as of December 31, 2015)
• 9 offices in 7 countries (as of December 31, 2015)
• 51% female employees, 49% male (as of December 31, 2015)
• 86% feel connected to the company and to each other (as of 2014)
of shared values, goals & principles that guides the behaviors, activities, priorities and decisions of a group of people working towards a common objective’
Karl Wiegers - Creating a Software Engineering Culture
Photo by Emily Andrews
bad security teams default to blocking
• In a fast, agile, Continuous Deployment world blocking makes you a NOP
• You will be ignored and you will be circumvented
• No’s are a finite reason, use them wisely
• `sed 's/no/yes but/g'`
their new crazy ideas (securely!)
• Chase solutions to difficult problems
• If your security engineers don’t like solving hard problems you have the wrong ones
• Helping people to solve their problems incentivises them to engage you
the security team involved in the process 100%
• Again think in terms of Communication & Collaboration
• Don’t expect your recruiters to understand all the nuances
• Initial outreach from you is more genuine and carries more weight
• Better at evaluating both for accomplishments & approach - cultural fit
• Remove silos - but closing still needed (Hint: they are better at it than you!)
inevitable product of socializing. Sociable conversation is the way that human beings establish trusted relationships among themselves’
Cory Doctorow - Information doesn’t want to be free

Security Outreach
Outreach focuses on relationship building
• Remove barriers
• Reduce intimidation
• Can be as simple as footing the bill for cake, donuts or beer!
• Assign budget to this, it will be some of the best security ROI you see
with your security team
• Embraces transparency
• No better way to provide insight to the day-to-day of security
• Builds strong personal relationships
• Seeds Champions back out to the organization ….
team
• Champions help enable you to:
  • Build strong links into teams across the organization
  • Organically share security knowledge & awareness
  • Lower barrier to interaction with the security team
  • Scale a security team without direct hiring
security interactions in their working environment
• Security teams often lock themselves away in special rooms
• Focus on being accessible & visible to everyone, it’s invaluable
• Lowers the barrier to interact with security IRL
• Sit in the busiest part of the office you can
• Have security dashboards front and centre

/səˈkyo͝or/ ɡəˈnämiks/ noun
• When you walk around the office do people voluntarily interact with you?
• How often do you proactively include security in your project?
• Do you grow your security team with internal hires?
• Do you scale your security efforts with champions?
• Is security seen as enabling or blocking?
• Recognition - How often does Thank You come to or from the security team?
• Does security have buy-in from the very top?
• Is humble a word in the security team’s vocabulary? How often is it used?