Crafting an Effective Security Organisation (QCon NYC)

by Rich Smith

Published June 11, 2015 in Technology

An updated version of the talk I gave at KiwiCon 8.

Understanding people, and not just technology, is critical to building a successful security team. Much has been said about Etsy's engineering culture, and how continuous deployment and 'devops' have been embraced and developed, but how does security operate in such an environment? This presentation will discuss the progressive approaches taken by the Etsy security team to provide security without destroying the freedoms of the Etsy engineering culture that are so highly valued.

The discussion will cover building an effective security organisation that is people-centric rather than technology-centric, and one that positions security to solve problems alongside fellow engineers rather than blocking progress out of fear of increased risk. The aim is to start a dialogue that will hopefully lead to a more honest and inclusive security environment, in contrast to the more common scenario in which a false perception of security exists and diverges ever further from reality as the imposed constraints are actively circumvented.

The approaches discussed are those we have found work for Etsy, but they should not be seen as a one-size-fits-all solution. Every organisation is different and has its own cultural needs, but it is hoped that attendees will be able to adapt our learnings to best fit their own organisation and, in doing so, share those experiences back with the wider community.