
the right thing and are we doing the things right? My name is Tracey Broderick and I'm here to talk to you about, kind of, my journey here: my attempt to get security at Riot Games moving from a kind of tool- and solution-driven mindset to a strategy mindset.

So, real quick about myself: I'm a senior development manager. I've been at Riot Games for about sevenish years. Before this I was in television, I worked in music; this is my first gaming company and kind of heavy tech company as well. When I first started out I was working with the network operations group, which in its many forms has had many names over the years. I worked with them, but I eventually found my way into security. I've worked with them quite a bit and I love the team. They didn't really have anyone like me, a project manager, development manager, or whatever you want to call me, because I had different names in different companies. So I found my way to security. I started in April of 2017 or so, and I was actually tasked with trying to help organize the group as well as improve our execution. We were working on a lot of things, going in a lot of different directions, not actually completing a lot or going over our deadlines. There really was no focus.

So I kind of got in there and did what I normally do: I just start interviewing everyone, looking at all the rituals, trying to find out what is going on. And I kind of came up with three essential problems that I wanted to focus on.

One was, I noticed there was little to no connection with the bigger picture at all. So a lot of the team members knew what they were doing for our project, but I was like, why are you actually doing it? Like, what is the greater goal? What does the future look like? They couldn't answer those questions, and the leads themselves couldn't necessarily answer that either.

The next thing was, there was little to no connection between the teams, so they didn't actually see that they were connected to any of the other
teams. I actually experienced the, "Well, I made this tool. Why isn't this other team using it?" And I'm like, "Did you ask the other team? Did they ask for it?" "Well, no." "Did you tell them you're building it?" "Well, no." And so when I went to that team, they're like, "This is cool, but we don't need this yet. We're barely trying to, like, get some of the foundational pieces off the ground. There's just no point at the time."

So the last one is, there's little to no prioritization. This is actually kind of a theme with a lot of the groups I've worked with at Riot. So when everything is important, nothing is important, and so it ends up being that there's just too much. There are just too many things going on; everything takes forever to actually get done, and it really kind of stressed the teams out. We do a survey, and it kind of came in from the survey that there's just too much work in progress. We weren't focusing. They didn't know if we were focused on the right things. We just didn't know what the right things are.

So after that I kind of got to the CISO, trying to figure out what would be my next steps, and luckily I found out that they were going to be doing a workshop, a goals workshop, and also kind of looking at the craft of security, an engineering workshop. And so he put me in touch with the scrum master for the application security team that is in Dublin, so I tried to find out what we're doing, what the current agenda was, and kind of piggyback on that.

Which came to my first experiment, which is the goals workshop: thinking outside the box, or just thinking big. So I essentially hijacked half of that session in general, and I wanted the CISO to actually bring what his goals were for the groups, because right now, in the session they had, everyone was just going to bring stuff, talk about strengths, talk about weaknesses, and that was it.
So I wanted him to bring what he wanted to focus on. So we got in the room that day. I kind of wish I had talked to him a little bit before then. So he put up a bunch of things, there was, I think, four or five, and there were some solutions, there were some problems, there were some "I'm not quite sure", but it doesn't matter. It was a great start. We're trying to get moving. So I really wanted the guys to work through that, because, like, one of them was just "patching". What does that mean? What is that supposed to look like? How do we know we're done? How do we know that we've been successful?

And so the guys started kind of working through. I had them kind of pair up with each other if maybe they hadn't, like, worked with the group very much, so, like, I put the SecOps leads with, I think it's AppSec, and so on. And they got through; they're looking at, like, "best in class" and "most efficient". It was an interesting exercise, but ultimately the outcome was that it wasn't actually very useful. Good thought exercises, but that was really about it. I really want to make sure that when I do any type of facilitation, any type of workshop, if it's a day long, I want something to actually come out of it. And while I got kind of people talking, nothing really happened. That was kind of it. So I was like, okay, so this isn't quite working, so what should be the next step? What makes sense?

So talking to the CISO, and actually talking with the scrum master of the application security team, kind of took me to experiment number two, which was looking at a monthly product review. So I wanted each of the leads to actually get together and present what their team is doing, because they needed to see. A common theme was that "none of my work actually touches anyone else's team; we're not doing the same things". But they needed to see that, because, in talking to teams, there was a lot of connection. Sometimes they were actually working on the exact same thing and didn't even know it. So I wanted to keep as little overhead as possible. I noticed they were already kind of cautious and hesitant to do this anyway. So what I did is I just gave them a kind of very simple model: tell us what you completed the last month, what you plan to do, what your goals are, risks, what is your roadmap, and what are your metrics. Let's just get it out there, get it viewed differently, besides one-on-one conversations, which they were having, and start kind of asking those questions.

So ultimately the collaboration started. I noticed questions, I noticed a lot of discussions
happening after this. It actually ended up being really good for the teams themselves, because they were super interested in what was going on. But again, it was kind of "meh" with the leads themselves, like, "What is the real, like, value to me?" And so I was like, okay, this still works, we need to continue doing it, but, like, what is the next thing? How can we actually kind of ramp this up and make them care a little more about why this is important?

So this brought experiment three, which was the quarterly stakeholder review. We'd never actually presented to our stakeholders; there was very limited anything. And around this time, apparently, the CISO was saying that the stakeholders were starting to wonder what it is that we were doing. So I was like, okay, let's actually have all of the leads present to our stakeholders. It's the same thing, what they present to each other, same decks. It took about two hours, one of them, to get through. Stakeholders had some questions. Some of our stakeholders aren't that technical, so it actually kind of forced them to speak more in just non-technical terms. So that happened, and it was good. The stakeholders were like, "You guys are clearly doing important things. You know, we like where this is going, but we actually don't know where this is going, so we don't know why it's important. We just believe that it's important." And so they actually came to us and were asking, "What is your actual strategy? What are your goals? How does the work you're doing, that seems important, affect the entire company? What does that look like? What are you giving us?"

So luckily this made me incredibly happy, because it was finally going towards what I actually wanted, where I needed them to go, to start seeing that. And it was also nice because I wasn't pushing it. I wasn't getting dirty looks and annoyed responses and frustration. So it wasn't me finally pushing this, it was them. And so we got to that point. So now we're, I don't know
how many months into this, anyway.

So it's the big ask: it's the strategy presentation, or how I got leaders to present not what security can do for security, but what security can do for the company. So because half the team is in LA and half the team is in Dublin, we had a lot of early mornings, we had actually some late nights. I'm sure there was a lot of alcohol somewhere mixed in, putting this all together. But we focused on the first thing, which was our vision. If we couldn't even figure out what our vision was, we couldn't even go beyond; like, this whole thing would have to get blown up. So luckily our CISO had put together a vision kind of a while back, so we kind of dragged that out, trying to see what it was. It wasn't great, it wasn't necessarily inspiring, but it worked. Everyone was like, "It works. It gives us enough of what we need. We can move forward. It doesn't matter, let's do this." And actually this is something similar: it's "build a solid security foundation to protect Riot and players". So the agreement with the leads: fine, we don't need to mess with this, whatever, let's move on, we have more important things to work on.

So next came the strategic goals. Some of these are actually my definitions; there are different terms for all these, different terminology, kind of different definitions, but for me it's the opportunities or problem spaces that need to be tackled to achieve that vision. So again, the CISO had kind of done a little bit of work, but he brought just words, words that were very ambiguous. They were very broad; anyone can define them in any way. Such as, a strategic goal: detection response. Makes sense, that's something that you need. The next one, if we network, again something that's important. And then the constant access, another thing. So these are good, but we needed some clarification, we needed some more definition.

So what I did is I pulled up a tool that gets used with a lot of kind
of company visioning and strategy. It's called vivid descriptors. Vivid descriptors essentially just paint a picture of what the world should look like if we have been successful, if we achieve what we need to. A lot of times it's used for a vision, but I thought this would be worthwhile enough to use for strategic goals.

So, an example of vivid descriptors from Sony; this is actually circa 1950s. Their vision was: become the company most known for changing the worldwide image of Japanese products as being of poor quality. So some of the descriptors were: we will be the first Japanese company to go into the American market and distribute directly; we will succeed with innovations like the transistor radio that American companies have failed at; and so on. It paints a very good picture. It actually kind of sets some kind of goals for where we need to go to; it explains what that actually means.

So we did something similar for each of the five (there were five goals at the time). So we got in a room; there's probably about three, four or five sentences for each. We kind of started joking that they're, like, "not-so-vivid descriptors", but they're kind of good enough at this point. I didn't need them to be perfect, they didn't need it to be perfect; just enough to get them going, just enough to keep them
moving forward. So just for detection response, I'm just going to throw out there, one of the descriptors was: "we will be aware", or "we are aware of attackers and cheaters and their tactics before they hit our environment and players". Yeah, that's kind of basic, but there are key elements in there: it's about not just attackers and cheaters but also their tactics, and "before" is the key word. So it helps to drive where detection response should actually be going. Another one might be: "we are continually testing our defense and detection capabilities". Again, it just adds some extra clarity. We can always be working on these, but it's good enough; it's what we needed.

So the next thing we looked at, once we had our goals (they were a bit more defined, we understood more what we should be going towards, what the, like, North Star for each of those was), was the tactics. And obviously we have tactics galore: so much work in progress, so much has been completed. So they were like, "This is going to be easy." And the task was to basically align all of the work they'd been doing to these goals: what makes sense? And so it became an interesting razor: if this doesn't align with one of our goals, why are we doing it? What's the point? And if we think it is important, then is there something wrong with one of our goals, or are we missing one? So it does feed back; it's just not completely top-down. They do feed back into each other. But it helps create a, like, "these are the projects we need to just set aside", not necessarily immediately shut them down, but get to the point when we can put them aside, icebox them, so we can focus on our goals, because it's what's important and what we deemed important.

And then, just to jump in with that, the next thing would be: of the work that we decided is important, what is the actual impact? What is that change that we should see if that tactic,
that work, has been completed successfully? That is kind of a huge piece, to make sure that what we are doing, we are doing it right. Because there are a lot of different ways you can tackle a goal, but you need some type of definition, some type of, like, success criteria, to make sure you're going in the right direction. So, one of those things: if we just took the "we are continually testing our defense and detection capabilities", one of the tactics was "implement attack simulation". Again, very basic; it's something we are working on, actually. But the impact of that is, if this is done, we now have repeatable attack scenarios for unit testing, skill drills and attack campaigns.

So we basically did that for all of that. So we had our vision, we had our five goals, we had the descriptions of what that meant, we had all of our work aligned to the goals, we had already kind of started taking a pause on the work that didn't align, and then it's like, what is that impact? What are we going to say that the company now has, or what is the difference if we complete these?

So that was essentially our agenda for the presentation: the vision, the goals, the tactics, the impact. I'm trying to remember; I think there ended up being only one person that presented to our stakeholders, but again,
everyone was in the room. We got all our stakeholders back in the room and we went through, and we actually talked about what we completed in 2017 and how it aligned to our goals and what the impact was. And then we looked at what we were doing in 2018: again, what the work was, what the impact is. And we were actually asking them to hold us accountable, that if we don't complete these things, we have failed, and why we have failed, and then explain how we have failed, because sometimes it's okay, sometimes that's actually necessary.

So I would say the presentation went over really well. We gave them what they wanted. They understood more about what value security could provide the company. They were super excited, and I would say the one nice thing is they now knew how they could help us. They became advocates for us. They could go out to teams; they could already start making the connections and going, "Oh, this is the stuff you're doing? You know, my product is working on this, you should talk to", you know, and list names. They were asking us, "How can we help you?", because now "we understand more". And the other benefit was we presented this in an all-hands, an all-hands for security, and so all of the engineers now on the team, as well as myself, who's new to security, understand more what it was that we're trying to get to. They could see how their work was important. They could see the value of the work, that there was a bigger picture; they weren't just doing stuff to do stuff, which was becoming very frustrating.

So where we're at right now with this, because that was in the last year or so: we're actually looking at all of these things we just did. We're looking at our vision, we're looking at our strategies. We want to redefine what we think we need to, we want to make them stronger, we want to
reassess where we really want to go. It's just constantly making that better, making it more clear.

And the other thing about this kind of thought process is it's not just at a top level. We can definitely look at it at a team level: what's the purpose of the team? Why does it exist? Where is their scope? What should they be doing? Who is their audience? Why are they doing this? And then from there figure out what makes sense. And then it also works at a project level: what is the purpose of the project? If this project's been done, what should we be seeing? What should be the change in the world? Why is it so important? All of those things. I mean, you can probably do it at a task level even, if you wanted to. That might be a little much, but you can. But you have to know why.

One of the things that's super important for me is making sure that all of my engineers know what they are doing, why they are doing it, are they doing the right things, and are we doing the things right. Because for me, if they don't understand why they're doing what they're doing, and what they're doing, then I don't want them doing it at all. Like, I have to tell them to stop working, because I don't want them wasting their time. I don't want them to feel like they are not doing something important, they're not doing something valuable, because nothing's more frustrating than having to basically throw out your work.

Done early, but thank you. Thank you for your time. I hope you enjoy the rest of the conference, and if you have any questions, feel free to come find me. I will be around all day.

[Applause]