Scaling Security Programs in High Growth Companies

Moderated by YL Ventures' newly appointed Operating Partner Andy Ellis (former CSO, Akamai Technologies), alongside Karthik Rangarajan (Director of Security, Robinhood) and Talha Tariq (VP & CSO, HashiCorp), this session features insights on how to build and scale security programs, navigate team management, establish strong foundations early on, and more.

Summary

This webinar discusses the challenges of scaling security programs in high-growth companies, featuring insights from security leaders at HashiCorp and Robinhood.

Highlights

  • 💡 Building a security program requires anticipating scale challenges, even with little data on future growth.
  • 💡 Branding can be a challenge for an infrastructure software company competing with larger cloud companies for talent.
  • 💡 Security teams need to build relationships and provide tools to manage the scaling of DevOps and R&D teams.
  • 💡 Focusing on engineering customers first can help with scaling security programs and building a sustainable culture.
  • 💡 Remote hiring can be an advantage for high-growth companies experiencing rapid expansion.

Transcript

(00:00) [Music] Hello everybody, I'd like to welcome you and thank you for joining us today for this special event. Very excited to see everybody, and we hope that you will enjoy this webinar. My name is Ofer Schreiber, I'm a partner at YL Ventures and I'm heading the Israeli office. For anybody who's not familiar with YL
(00:22) Ventures, first of all you should be, and a quick intro about us: we're a global venture capital firm, we have offices in Silicon Valley and in Israel, and we invest exclusively in early-stage Israeli cybersecurity startups. I'm sure that you're familiar at least with some of our portfolio companies, such as Axonius, Orca Security, Medigate,
(00:45) Hunters, Vulcan Cyber and a few others. I would also like to announce that our moderator for today's panel, Andy Ellis, the former Chief Security Officer of Akamai, officially joined the YL Ventures team today as an operating partner, and we're very excited for that. Andy, we
(01:07) officially welcome you on board. Andy was one of our first venture advisors; he joined the program almost four years ago. The program now consists of more than 90 global CSOs and cybersecurity executives from Fortune 500 companies and high-growth companies in the US and globally. Andy has been working with us and
(01:33) with Israeli cybersecurity entrepreneurs, some from our portfolio and some not, and he will continue to do so even further and share his experience and guide Israeli entrepreneurs pre-investment and post-investment with ideation, market validation, product development, strategy, vision and
(01:53) particularly providing a lot of depth and understanding regarding customer needs. We hope that you will gain meaningful insights and different perspectives from the panel today, and I'm sure that you will enjoy it. So thank you very much, and with that we'll let Andy take it from here. Thank you, Ofer, and thanks everyone for
(02:18) attending. I've been joined by a couple of fantastic folks today, and we're going to talk a little about the challenges of scaling security programs, sort of from seed to lead: from when you're a small company and you're going to have high growth. As Ofer mentioned, today I start as an operating partner at YL
(02:38) Ventures, which I'm pretty excited about, but before that I spent 20 years building the security program for Akamai, a company that I hope a few of you have heard about, and so I've got some insights there that I'll share. But mostly I'm going to be asking for Talha and Karthik's insights as we go along. If you'd like to ask a
(02:58) question, feel free to use the Q&A function of Zoom. I'll be monitoring that and that will help guide our discussion; if not, I've got a laundry list of questions that I'm going to be asking these two to share with us. So first let me let each of them introduce themselves for a few moments. Talha, we'll begin with you.
(03:17) Thank you, Andy. Hi, my name is Talha, I'm the Chief Security Officer at HashiCorp. I've been with HashiCorp for about two years and in the industry for about 15 years. My previous experience was at Microsoft, PwC and a few startups. Excellent. Karthik? Hey everyone, I am Karthik Rangarajan, I'm a current principal engineer, former
(03:40) director of security at Robinhood. I've been with the company for over four years. I was the first security engineer, I helped build up the team and I'm now in the trenches along with them. Excellent. So I'm going to start with sort of an open-ended question, which is really: what are the top three challenges
(04:00) that you've faced when you're trying to build a security program, both from the ground up and then scaling it? And to give some insight here, what were the choices you had to make early that sometimes you then had to change as you scaled? Yeah, I can start. So, a couple of themes
(04:19) that I was experiencing when I joined HashiCorp: one of them was that everything was a gigantic scale problem, and what I mean by that is, yes, you have large companies like Google and Microsoft and they have scale issues, but when you are a tiny company and you are experiencing really high growth, your scale problems are similar because
(04:40) your number of people is also very, very small compared to the problems you're experiencing. We grew from 400 to 1,000 people in about 18 months, from operating in one country to 17 countries in about 18 months. So in that context, when you had high customer growth, high employee growth, high product growth,
(04:59) you have to think at least two to three years ahead with very little data on what kind of things you will experience two or three years from now. So mostly, as I was building my team (I was security hire number one, like Karthik, and I started to build a function from the ground up), most of it was a scale challenge, and
(05:17) looking at what kind of team we would need to have two to three years from now and setting the foundations earlier. So that was challenge number one. Challenge number two: we were popular in the practitioner, developer and DevOps space, and we were popular in enterprise too, but from a branding perspective people know more about our
(05:40) products than what HashiCorp is, and in some sense I got this challenge of branding. It's like, hey, I know Terraform, but what is HashiCorp, how are you related? And the way this translates back to hiring is you're basically competing for the same tier-one talent with large
(05:59) cloud companies, because what we are building is infrastructure software. It's serious enterprise software, this is not some experimental tech; we have a lot of Fortune 1000 and Global 1000 companies using our products for running their infrastructure, and the kind of talent that we needed
(06:17) was tier-one talent across the globe. So those were two challenges that I had. The third challenge, which some people thought was a challenge before the pandemic, was being able to hire remote and have a remote team. For us it was different, because our company was remote from day one, so that actually worked very well in my
(06:37) favor there. We had to hire 20 to 30 people in the next six months, and it was actually very easy to go after globally distributed talent that could solve large-scale problems for us. Yeah, I'll take a shot at that. A lot of what Talha said obviously I resonate with. I think at Robinhood,
(07:00) it was an interesting challenge. When I first joined, the company was pretty small; we were already pretty popular in the markets for our customers. The challenge was figuring out which customer, which security customer, I make happy first. So security has many customers: you have engineers,
(07:22) you have regulators, you have executives, you have the board, you have your actual customers. So which of these customers do I cater to first in order to help scale this program, and what will give us the highest ROI as the company scales, and what will help me hire more, what will help me build the culture that will actually sustain
(07:44) the security program over time when the company is a thousand people? And so at that point I made the choice of serving engineering customers before thinking about any other customers, given that the company was still small and that was the DNA of the company: we were an engineering firm that was
(08:05) innovating in the space. And so I said, okay, let's serve our engineering customers, let's figure out how to work with them, how to think like them, how to act like them, and then we'll start steering this ship in the direction we want to go and start to think about how we can tell the story of what our
(08:26) engineers are doing, what this firm is doing, to other customers, whether it be regulators, the board, our users, whatever it might be. How do we tell that story effectively? But in order to tell a story you need to be part of the story. So that was one of those things that we had to decide very early on: do you function
(08:46) like an engineer that is part of helping build a product and ship the product, or do you act as a check and balance? What persona of security do you play? And four years ago I made the choice of playing the persona of: I am an engineer in the trenches shipping products with you, let's see how we can make this secure
(09:09) and fast. I really like that approach, Karthik, that you have to pick somebody you're going to work with first, and it's always easier if your product is secure to then deal with your customers and marketing to really go and sell that. So I want to pivot the next question to Talha, which is: if you've seen
(09:30) this similar model, how do you scale your security teams as your DevOps and R&D teams are scaling, so that you can continue to manage engineering security? Great question. So I'll give a really practical example. We started with open source products, we were building self-hosted products, and then we started
(09:54) building cloud-managed products of the same product portfolio. At some point our cloud team to security team ratio was 1:200; we had like one engineer trying to figure out, between SRE and product security and DevOps and platform and product and analytics, how to set myself up. Again, a perfect
(10:17) example of a scale issue. But the way we approached this was on two fronts. One, security is a very relationship-heavy game: you have to go and figure out who are your partners, who are your allies, who can you influence to get your job done. Some you might do, some you might go and ask. So part of that exercise was really
(10:38) good relationship building with the key stakeholders. That's like 30 to 40 percent of the job; I think probably a hundred percent of the job, but that's how much time you're spending. The other piece, which we quickly realized, was the two ways this would work at scale: one, we influence and ask for what we need in a meaningful way, with the right
(10:57) phasing of things, and two, rather than just going and asking with, like, hey, you've got to go do this for me, what we realized was, let's make their life easy by building the tools for them. So we quickly realized that when you say security engineering, what does that really mean? It could mean many things depending on the company,
(11:17) but the way we approached this was: okay, these are the problems we will ask you to solve; let me solve this problem for you and give you the tooling. So we started building a tooling team under my team, which was better access control libraries, better auditing, automation of compliance evidence tooling. A really good example was,
(11:35) when we started we had nine different teams with their own stack: this is my OS, these are my dependencies, this is how I'm going to patch, monitor, harden. And you have to go to nine teams and say, hey, here is my monitoring thing called osquery, can you bake this in? And what we said was, stop all of this, we will develop the whole
(11:55) pipeline of the OS image build-out and roll-out, and say, hey everybody, you don't need to patch, manage, harden, configure anything; here is an AMI, go use it. And when you cover that, you basically solve everybody's problems, and people appreciate that too. So a lot of it is just figuring out how to scale and what kind of problems
(12:16) you should solve here; you don't need to hire 10 more people to do the same thing. Yeah, I really like that approach. It's similar to what I've always thought of doing and have done, which is not thinking of security as being separate from engineering and operations. Now I'd often sort of pivot on the other side
(12:36) and help them build that image so that everybody else could use it, because I never wanted to support it myself. But Karthik, I want to give you a related question around this: as we have this sort of operations, engineering, security triad that's moving together, what are the places that you've
(12:53) seen challenges and tension in that scaling, where something that worked at a small scale, maybe when there's 100 people in the company or 400, might not work at a thousand, and how do you tackle those challenges? Yeah, the by-design programs are probably the best example here. You can have a by-design program,
(13:14) whether security by design, privacy by design, whatever it might be; when you're like a 200- or 300-person company it's not that difficult to roll it out. You probably know every product manager, every engineer by name, you probably know every operations person by name, and especially pre-pandemic you could just
(13:36) walk over to their desk, like, hey, what's the problem, can we just figure this out? When you're a thousand people, people don't know you, you don't know them, and there's already so much red tape, right? It's even to the point where they have to write the PRD, they've had to get a whole
(13:54) bunch of approvals, now they have the PRD, now they start building, and then they hear about this by-design thing that they have to now do, and they have to go talk to yet another team before they can ship their product. So now you go from being this culture where shipping a product was
(14:12) really, like, you joined the company because you ship products really fast and you're really agile and it's really quick, to there's a long tail of process that you have to follow in order to do it. So the challenge for security teams is: how do you not become part of the problem? How do you not create red tape?
(14:32) How do you continuously morph your culture to encourage behavior change? And that's kind of been my mantra almost: don't necessarily describe the process, don't tell why, just talk about how you change behavior so that this is now the safe default. It isn't a checkbox you have to do;
(14:54) you're getting value out of this. One way that we've been able to get the cultural buy-in is by running products and services ourselves. We started with the same approach: here it is, hey, we're going to ship the secure baselines, we're going to make sure we provide these libraries,
(15:17) and then we realized we had to take it one step further: we're going to use them and support production services, where we are now serving users with our products and services, and we can prove that this works at scale. And also we're eating our own dog food, we are following these processes too; we're not asking you to do something we
(15:37) don't. The number of security teams that I've worked with that have this rigorous process for everybody to follow but they themselves never follow it when deploying things; that's like the death of any process, because nobody's going to take that one seriously. And that leads into one of my favorite
(15:59) topics, which is how do you hire and how do you build an organization at scale. I've always found that probably the first non-security, and put quotes around that, the person who's not a security engineer, the first one you should hire, is a good program manager who can actually
(16:14) help build those relationships for you. At Akamai that was actually security person number three, when we only had three security people, because that was a better force multiplier than another engineer. But how have you worked to manage growing your team, to navigate
(16:33) when do you change your leadership roles, who's going to be in your team as you're starting to scale, and what's your secret that you would share that makes your team different, in who you've chosen to hire? I'll take a first shot at that. For me, I agree with the program manager
(16:52) hire, and I wish I'd known that four years ago, Andy, when I first started hiring for my team, but we eventually got there. I think a TPM was hire number six for me on the team, for many of the reasons you described, and also because I realized that program management wasn't what I was
(17:13) strong at; I was more of an engineer archetype than a program manager archetype. But for hiring, we started the, I'll call it the traditional way, which is: hey, let's find these infrastructure security engineers, these corp tech engineers, AppSec engineers. And very quickly I realized I wouldn't be able to hire
(17:32) fast enough to support the scale of growth at the company, because all the people I was looking for were unicorns. I was looking for people that had security expertise, that could also write code, that could also build things. They don't exist, or if they exist it takes six months to hire them, and
(17:51) as a quickly growing company and team you just don't have the ability to wait that long to hire people. And so we made what at that point may have been somewhat of a risky decision, but since then lots of companies have gone in this direction, which was: hire software engineers that have some security expertise
(18:12) but aren't security experts. And that was predominantly what the team was staffed with for the first seven or eight people: I had maybe two security engineers but six software engineers that were interested in security, had a lot of security expertise, but weren't necessarily your traditional security experts. But they
(18:29) could build and ship production-quality things, and that was huge for us, because that helped us raise our hand up and say, hey, you want to ship this product? When this has security implications, let us do it for you, because we have the engineers to support this. And that's been the guiding philosophy
(18:47) for us ever since, which is: let's hire the best person for the job, whatever that person looks like. And that has also helped us build somewhat of a diverse team, as we're not looking for very specific archetypes; we're looking for people that are able to solve a problem for us. In terms of managing, like,
(19:08) when do you find the right leaders, when do you promote the right leaders or convert the right leaders: I think that's going to be the most challenging thing for any high-growth business. Some people will raise their hand up and will have a rocket-ship trajectory; others will raise a hand up and then you
(19:25) realize that's not the trajectory they want, and they realize that too. So there'll be people that will rise up to a people manager, then you realize that they're better as tech leads; there will be people that rise up as tech leads that are better as people managers, and so on and so forth.
(19:40) So you have to make some tough choices as leader of this group; you have to be rational, empathetic and very logical about it all. And I think that's the hardest part of the job: you have to make these really difficult choices of, at what point do you do the thing that is right for the business to
(20:02) scale, and at what point do you say, okay, I'm going to take this risk and I'm going to let this fail, whether it's a human, a process, a team, whatever it might be. And then I think the biggest thing, I'll say where I think I found success, was hiring people that were way better at a given thing than I
(20:24) would ever be. Like for my team, for instance, I needed somebody to run trust and safety. I hired Samantha Davison because, like, who else is going to be better at that than her? It's like, okay, cool, come do this, build a team, go run this. And I will say it for another thing too: when I realized this program was scaling really quickly
(20:45) and needed to scale even more, we ended up hiring Caleb Sima, because I said we need a CSO that has done this before and I might not be that person, so let's hire somebody that is. So I would look at it both ways. I think for me, sort of leaving your personal ego and whatever at the table and looking at what is right for the
(21:09) business is going to be really important. That's great. Talha, do you have anything to share on how you sort of build that team and scale it, and what was your special non-security hire that you like to make sure you do? Yeah, so I'll touch on the TPM side, which I was not planning to hire
(21:26) but I just got lucky. There was a solutions engineer in the company, she was burned out by traveling, this was before the pandemic, and she's like, I want to, you know, I have a security guy who's building a security team, so I want to try security. And she applied; she said, I'll just come help build out some of the
(21:45) functions. And she was great, because she was with the company for three, four years, way longer than I am; she knew the culture, she knew the onboarding, she knew all the processes that didn't exist that needed to exist, and she helped me build that while I was focused on hiring and build-out of the team. So that
(22:02) worked really well for me by accident; I'm really appreciative of how the experience played out. The way I approached this was, since I had at least a 30- to 40-person team in mind for the next 18 months or so, I started building out my leaders first, which was: let me hire my leaders who can help me scale up and build teams under them, even though
(22:27) that might take longer. But then it's a logarithmic scale of, like, exponential support. So my strategy was hiring the leaders first for each of my large pillars, like security engineering and risk and compliance and detection, tooling and corporate. So while I was hiring for leaders I was also open, and I started hiring
(22:48) folks who would be early in their career or would actually do the work, and the way I balanced this out was: which are the teams where I can hire an IC who will be productive because there is structure and support to help them succeed? So it was top-down and bottom-up, and at some point these things
(23:09) The fun things for us, which made my job a little easier: one was my first seven, eight people were actually from my network; they were either people who worked with me or used to work with me or wanted to work with me, which was very privileged, to work with smart folks like them. That was really fantastic for year one.
(23:30) Given we are an open source company, there was a lot of great inbound talent too, of folks like, I just want to go work on Vault, do you have a role? And I was very flexible: like, yes, you know programming, you know tooling, you know security, we will make a role for you. So you have to be flexible for the
(23:48) right talent and not box them in, that way they have some freedom and they can contribute to your company in other ways. So it was a combination of hiring from my network, inbound from the industry, and at some point this starts scaling in your favor. No, I love those answers, and I'm a huge
(24:08) fan of sort of talent development. The one thing I would add is, as you're scaling, a lot of the people who are going to become your leaders are in your organization already, and there are sort of two, I might call them tricks, they're just standard ways of doing management. One is, make sure that
(24:25) for everybody in your organization you know what their next two jobs might be, so that you can start putting opportunities in front of them, because a lot of times we wait for there to be an opportunity and then we try to guess who it might be relevant for, rather than already knowing who might be relevant,
(24:41) and be willing to take risks and provide gentle exits. We had a lot of people who were qualified engineers and architects who said they wanted to try people management, so we gave them one or two people for a year, and more than half of them at the end of that year were like, I'm done, I don't want to manage people,
(24:59) and we made it graceful. We said, great, you can go back to doing your individual contributor role, we'd still value you there. Whereas at a lot of businesses, once you take that leap into management, if you fail you're out, and now you've lost both an individual contributor and you've possibly harmed whoever they
(25:15) were managing if you weren't putting good supports around that practice. Let's pivot a little bit off of people management and talk a little bit more about your overall strategy of a security program. When you talk about a security program, it's: what are the things you're choosing to do, what
(25:34) are you investing in, how are you going to run the company? How do you approach evaluating that program and understanding your risks and choosing the right risks, and how often do you want to step back and re-evaluate what you're doing and what you're choosing to focus on? So Talha, why don't you take this one
(25:56) first, because we let Karthik have a long answer on the last one. Sure, sure. So one of the good things about HashiCorp, given we were remote from day one, is we use written-form content a lot, and we run what we call RFCs. This is the IETF-style RFC, where you are starting a project and you want to enforce some systems thinking
(26:18) and alignment across the organization. Any large initiative starts with a document: you document your thought process, your strategy, you communicate this out, it goes to a list of 700 people, you get comments. There's a template where you're forced to write the trade-offs and you're forced to write your
(26:38) abandoned ideas. So it forces you to think and capture, whether it's a small project that lasts a week or your multi-year strategy, how you build out and communicate that work. And that's reviewed formally four times a year, and at least once a year you're expected to lay out your strategy and communicate and align
(26:56) your function along with the corporate strategy. So, a lot of these tier-one consulting companies, when they come in, it's like, hey, this is how you should run the business; we had a really fantastic chief of staff working with the CEO, and he built that structure for the company in the early days. So that construct helped
(27:15) align all the business to work together in terms of what does the company want, what are we achieving, how are we aligning this. So security strategy is a derivative of what the company aspires to do and where they want to be, and it's basically supporting the business. So that part is working well, but it
(27:35) starts getting challenging, obviously, with the high growth: you have to align, you have to think through the phasing of some of these programs, what's foundational, what can come six months, one year later, things of that nature. At a high level there's a strategic objective of what are the top three things we are hoping to
(27:53) accomplish: protecting customers, protecting our products, enabling trust in the ecosystem. Then those mission statements start getting down to each program-level objective of what is the outcome we are looking for this year, and reverse-engineering what are the initiatives that will
(28:14) get you there. So for us it's like we have seven teams, or seven pillars, in security, and they each work on their initiatives bottom-up, aligning with the top-level strategic ask. We run what we call a scorecard format, which is the same strategy, and it's transparent in the company: we expose
(28:37) our scorecard, this is what we said we would do, this is how we are doing quarter by quarter with some metrics. Sometimes metrics may be hard and that's okay, as long as the objective and outcome are communicated well. And yeah, that's what we're doing, very transparently, at least four times a year. Excellent. I really like that model
(28:57) of being very clear and transparent, and especially having it documented so you know why you made that choice a while ago. Karthik, I'm going to toss to you: as you look back, what's the worst choice that you made? And I'm not looking for, like, the vulnerability, but what's the choice that you made in
(29:17) building up your security program that, if you could go back, you'd say, God, I should have done it this way, I just didn't know better at the time? What would it have been? Yeah, that's a great question. Man, I've built security programs twice, and every time I wish I could go back and change time, right,
(29:34) or have the knowledge I have now. I actually think I would change the way I hired a little bit. It's not necessarily the strategy or anything of that sort. When I look back at what could have helped us function even better, it is hiring the right support structures for the teams.
(29:55) I didn't hire enough leaders, I didn't hire enough managers. I was too much of a fan of bottom-up building, and bottom-up building is great, but it doesn't necessarily work for a company that's scaling super fast. And at that time I thought it was risky to bring in a fresh new leader into this
(30:20) culture and have them onboard and have them figure things out, but I think in the long run it's riskier to have 20 people reporting to you or to somebody else than it is to bring in a new leader that has to figure out how to onboard and how to grow with the team. So I think that is fundamentally something I would
(30:44) change if I were to do this again: bring in leaders a little bit more aggressively than I did before. From a more strategic point of view, I think we took the philosophy of "we're going to build this and we're going to run this" a little too far sometimes. We decided to build and run this, which I
(31:10) will stand by forever, but we forgot that it needs to be staffed with the same rigor as a product team or a service team, which means that it needs to have a four-person-deep on-call, and that once you ship it you still have to support it. You can't just go work on some other project that you need to, because
(31:31) in security there's always something else to work on; you can't ever just stop after you do this thing. And so what we ended up doing is we went from problem A, okay, we shipped it, let's go to problem B, and we'd never really build; we've since done it, but at that point, in the early days,
(31:52) there was just one person managing five different services, and while it works in a small company, it doesn't scale. Yeah, at some point you sort of get trapped under that weight. Talha, what's your takeaway lesson that you would do over, if we were given do-overs?
(32:09) Yeah, so I think the two things I can touch on which were challenging for me and my team were actually less to do with my team and more around what is the ecosystem support I need outside my team. One great example is IT: our IT was still relatively immature compared to the organization’s needs, and
(32:34) if you look at the interface back to employees, IT is the help desk, IT is the interface. They are helping with password resets, they’re helping with policy enforcement on endpoints, they’re helping with email security problems and whatnot. We knew that function was a little bit weaker, but it was basically helping scale up that
(32:52) function that should have scaled up as the employee base was increasing. So it’s a combination of structure and support. Yep. IT is your big ally and stakeholder; these systems need to scale up appropriately for security to function and employ this function. The other piece I will touch on
(33:15) is that different teams talk about different philosophies and cultures about guardrails versus gates, and it’s not one or the other; you have to find the balance. We talk about these in the motivate-versus-mandate construct, and yes, we do want to motivate people, we do want them to operate safely,
(33:38) but there may be some times where you put a line in the sand and say that is a hard mandate, you will not go past that line. It took us a couple of mistakes to basically say yes, we need to define a mandate for certain things. This also addresses, Andy, your question that you asked earlier: how do you scale?
(33:57) At some point, when your human interaction will not scale to the size of the organization, what is that framework you define where you allow people to operate safely, and when they’re making risk decisions they know a very clear line not to cross? Whatever that definition is, like a compliance mandate or
(34:14) regulatory framework, or “you will not ship with X, Y and Z”, defining that gate or mandate is super important, and you’ll have to find what’s the balance for your company. A related one near that, that I had to learn: one of the people I would delegate to, whenever people would
(34:33) push too hard it would get escalated to me, and I would always overrule. He pointed out to me once, he said, “every time you overrule me you ensure that they’re going to escalate again.” So we actually had a different rule, which said: look, if you can negotiate it with him you have more flexibility; as soon as you escalate you get a
(34:51) dogmatic answer, because we’re spending expensive time at that point, so it must clearly be risky. That was a fascinating learning for me that made the people that I delegated work to much more effective, because people would learn that if you escalated you got a worse deal than if you could just work something
(35:10) out; I gave them more flexibility. Let’s pivot a little and talk about solutions. I think Karthik talked about self-building, and of course every startup out there wants to sell to every one of us. For me it got so bad I had a vendor template that I could just reply with, and it was my signature that said “no,
(35:29) please go away.” But we didn’t say no to everybody. So I’m curious about two things. The first is, what are the partners (could be a product, could be a service) that have been really valuable for you as you built out your security program and grew? And what were the products, and I don’t
(35:48) want the names on this one, because I don’t want to throw anybody under a bus, but what were the places that you might have partnered too early, that you might have looked for a solution that really wasn’t going to work for you, and why? While you two think about that one, I’ll give some examples from my own.
(36:05) I will certainly say that one of the most powerful services I’ve ever used was outside assessors, whether it was for compliance activities or red teams, penetration testing, just to be able to have somebody else write down the things that I might have been saying. It always brought in more
(36:22) credibility when speaking with an engineering team. One of my favorites was WhiteHat Security a while ago, because they had this fantastic thing where they would say “this web app is in the ninth percentile of security among our customers,” and nothing is more embarrassing to an engineer at that point. They’re like,
(36:40) “great, how do I get to the 90th percentile?” And I think some of the things taken on too early would be standardized training packages: you’re trying to scale out a security awareness program with content that really wasn’t personalized for us. That actually almost harmed us; people would look at it and they’re like,
(36:59) “you clearly don’t care about security if you’re just going to outsource teaching me to somebody who doesn’t even know what we do.” So in that vein, let’s get your takes on that one. I’ll start. I swear I’m not doing this because Talha is here, but HashiCorp actually helped us a lot, and I think, especially for a
(37:20) scale, you’ll have a lot of scaling challenges with some of the HashiCorp products as you grow and scale, especially if in the early days you didn’t necessarily think of it. But I think for any company that’s trying to figure out secrets management, that’s trying to
(37:38) figure out standardized infrastructure management, you can’t do better than Terraform and Vault at this point. So HashiCorp is definitely super helpful, the open source products; not going to speak for the enterprise versions. I think also partnering with some very early stage companies
(38:00) that kind of helped, that we could be design partners for, that we could guide the direction of to give us what we needed. This is more for maybe the privacy program than the security program, but Transcend, that we work with to help bootstrap our GDPR and CCPA compliance, where we started working with them
(38:25) pretty early, pre-Series A, helped us build the right things. There were a couple of others that we worked with very early to help guide the product direction so that we had what we needed to achieve our goals; we basically got engineers on our team to help us try what we needed. Products too
(38:46) early: I think I’ll cop out here, Andy, and choose the same answer you gave, which is a standardized training program. We did go with that very early. We did try to do something that was kind of innovative, but it took 10 hours of an engineer’s time to deliver this training
(39:08) across a 300-person company, and it wasn’t great. The concept itself was super appealing, but it was probably too early and it wasn’t the right thing for us. Talha, do you have any vendors you loved, or product areas that weren’t very helpful? Yeah, both your examples really resonated
(39:32) with me. Our best outside vendor is our external assessor, huge shout out to Trail of Bits. I am not related, I have zero incentives, but they have been really fantastic to work with, and my team loves them, our partner teams love them, and we consider them part of our extended security team. So that was the biggest value add
(39:55) in terms of the external vendor, if I reflect back on the last two years. Training also resonated with me; same thing. We bought some packaged content from our training vendor, we rolled it out, and we had some fun commentary about the diversity and inclusion aspects of some of the content in the training,
(40:15) and that didn’t go really well. So we had to really quickly pivot and figure out what we needed to do. The way we approached this was some canned content, and then we had one of our team members do a narrative in the background to help reinforce the message, so it still felt like, all right, we have
(40:34) a security team actually caring about security content. Switching to vendors: the way I like to think about vendors, and this may not work everywhere, but given the scale and priorities and how much time we can actually spend with vendors, we buy what is a known, solved commodity problem. Like,
(40:57) we need a logging platform, people knew how to use Splunk, we went with it. We knew we wanted an EDR; CrowdStrike was there, five of our peers said it’s fine, between SentinelOne and another we picked one. There’s an established market, there’s a known set of vendors, it’s easy: pick something that
(41:16) works, that can solve 80 or 90 percent of the problem in terms of prevention or detection. So we buy what is a known, solved problem; we build what is strategic to us around our product or service portfolio. It’s either something which doesn’t exist in the market, so we’ll build that, or we will build something that
(41:38) connects closely to our product ecosystem, and that’s a strategic decision in terms of build-out. We do engage vendors of all maturity sizes, like companies who are just two people or one person, or late stage companies. The way I like to think about vendors is we partner for the long term. I really want to
(42:00) look you in the eye and see: can I partner with you long term? Even if your experiments might fail, even when your stuff might not work, are you committed to helping me and my team succeed in the long run? So we tend to partner with companies that are helping solve either large strategic problems, or they are, I mean, disruption is an
(42:22) overloaded word, but even if you’re trying to approach the problem within the ecosystem, just make it better compared to what’s out there already. There are plenty of problems which you can optimize and build out, and some are unsolved problems. So it’s a combination of things for us: we
(42:41) buy and partner with large establishments, we build things, and we also partner with smaller companies. I think the biggest challenge for us, and this is a message to security startups out there, is that whichever company you pick and sell to, you have to make sure you’re able to scale with them, because that’s the hardest
(43:03) part for us. If I’m putting you in the critical path of my customers, then you have to be able to scale with us, and that’s where a number of companies have challenges, which is why we have to de-risk ourselves and tell them, okay, we’ll keep working with you, but you cannot be in the critical path of our
(43:21) products and services. I can’t imagine a better set of words to wrap up on, so that’s perfect. I’d like to thank both of you for your time today and being willing to share your wisdom here. For everybody who’s attended, I hope this was valuable for you and useful. If you have questions you’d like to
(43:41) follow up on, you can find us on social media, and I’m certain the YL team will reach out as a follow-up as well, and we’re always going to be providing great content like this, we hope. So thank you, have a fantastic day, whether it’s evening because you’re on that side of the Atlantic, midday, or mid-morning here on
(44:01) this side of the Atlantic, or if you’re on the other side of the Pacific and you tuned in in the middle of the night. We really appreciate your time, so thank you all very much.

