
Lost In Space: How to navigate Corporate Security as an Engineer

BSidesSF · 2023 · 22:22 · 231 views · Published 2023-05
Category: Career
Style: Talk
About this talk
Speaker: Maria Mora

There's a whole new world outside of day-to-day Engineering. As a backend engineer turned security professional, I will share lessons learned such as navigating the rest of the company outside Engineering, how to communicate effectively with others, and how to make the most out of your new role.

https://bsidessf2023.sched.com/event/1HztV/lost-in-space-how-to-navigate-corporate-security-as-an-engineer
Transcript [en]

Welcome to BSides, second day. I know it's pretty late in the day now, but yeah, good to see all of you. So, I am not supposed to be on that slide yet. Okay, so we're going to be talking about how to navigate corporate security as an engineer, and I think at first it will seem like I'm talking about soft skills, non-technical skills, but we'll get there, so stay tuned. First off, obligatory disclaimer (I'm just going to read it from here): my views and content in this presentation are mine alone and do not represent the opinions or content of my employer SiriusXM or my former employer Crunchyroll.

So without further ado, here is the agenda. First off, we're going to be talking about corporate security: what is it all about? And then we're going to be talking about stakeholders, and then keeping track of all the things, and understanding the business, what happens when personnel changes, and then we'll wrap it up.

So yeah, hi everyone, I'm Maria, she/they pronouns. I used to work at Crunchyroll as a software engineer, and then I was a senior secure application engineer until I became staff security and compliance engineer on the security team. And now at SiriusXM I am a staff application security engineer working on the application security team.

So let's talk about corporate security today. When it comes to corporate security, you look at the business as a whole: are your team's objectives aligned with the business? Then consider your scope of securing all of the things. Do you secure the crown jewels of the company? Do you secure the employees? Do you secure corporate assets? So basically your job is to help the business continue to function through cybersecurity-related risk management. And when it comes to corporate security, you will be working with a lot of people. Like, a lot of people. This is not a job for hermits. So the first thing you've got to do is figure out who your stakeholders are.

Sorry. When I started out at SiriusXM, one of the first things that I did was identify my stakeholders. It could be everyone, it could be a prioritized view, especially when you're drinking from the fire hose. In any case, start figuring out who the people are that you will be working with. Let's say: do you work with a particular team? Does your team have goals and priorities? Then make sure to prioritize your stakeholders accordingly.

Next, make a nice, powerful impression on the people that you work with. Make your words count. First off, branding. This is about knowing yourself, knowing what you want people to see you as, and defining your narrative. And branding isn't just a marketing thing; it really is about getting people to know you in the way that you want them to know you. So if you want to come off as dependable, then act like it. If you want to come off as someone who's good at a particular part of security, then you need to show them how good you are at it, or at least allude to it, and then they'll see your work. So putting out that strong impression on people can definitely help you in winning allies and friends with your stakeholders.

Next, messaging. Just like Inigo Montoya (and I know I'm probably taking this from another talk), be clear when communicating with others. When you introduce yourself to these stakeholders, you also want to provide context with anything that you're talking to them about. Here's an example: I started out just talking to people, introducing myself, but I told them, hey, I work in the application security team and I'm going to be working on so-and-so project; can you help me with this, can you help me understand? And that's where the "specify request" part comes in.

Then next, with the stakeholders you've identified and spoken to so far, does it make sense to dig deeper and work with those that they work with? Think about it this way: you have an org chart, you figure out who your initial stakeholders are, and then you talk to your stakeholders, and sometimes they will redirect you to other people, sometimes they will introduce you to other people that they're working with. And that's okay; that's exactly what we want.

And then lastly, make friends. Join the different social gatherings that you have at work. It's really good to get to know everyone that you're working with, or even if you don't work directly with each other, it's still nice to make friends.

So you have all of those stakeholders. Now what? Well, there's this thing that I took a lesson from with regards to sales folks and all of that: there's this thing called customer relationship management, which is a great tool. It's a great way to keep track of all your relationships with different teams and stakeholders and whatnot. So in a similar fashion, your stakeholders can basically be your customers, or maybe even just folks that you work with on a regular basis. Once I figured out who I should start talking to and I've spoken to them a little bit, the next step is to keep track of all these relationships and work streams. The great part about CRMs is that it's an address book and communication notification tool rolled into one.

A little bit of a disclaimer: I did not fully come up with this idea. I actually just played around with Notion a little bit and I found out that they had this thing called a friend CRM, or a personal CRM tool. What it had was that you can keep track of your contacts, you can keep track of the latest updates, the last time you spoke to them, and then they basically had a formula on a spreadsheet that, if you haven't spoken to them in one and a half months or three months or what have you, you can basically get a notification, or you can see on the column here on the left side that tells you if you need to talk to them again or what. But basically this is a way to keep track of all of the things that you need to work with other stakeholders on, keep track of your work streams, and make sure you don't drop the ball. I know it's pretty easy to drop the ball when you're working on so many things in the security team, so it's really important for you to organize yourself accordingly.

Also consider keeping track of your work streams in a better fashion. Chances are your team will be using some sort of issue tracking tool. Whether or not the particular issue tracking tool works for you, make sure to keep track of all of the things that you're working on, and always document your work, as part of making a business case for more resources, for example. Issue tracking is really important when you want to gain more resources, or get headcount, get more budget, that sort of thing.

And then after figuring out how to track work, you then figure out what you're up against. This is why the above lists are so important. For example, let's take a look at the data inventory. We basically have to figure out where all of the personally identifiable information is, whether or not it's customer data. It depends on the kind of security team that you have, but you could possibly have PII for your customers or for your employees, so having that data inventory can be pretty important in terms of making sure that you stay compliant with regulatory things, I guess. And then asset inventory, for example; I think this one's a given. Knowing where and what your corporate assets are, instead of trying to figure it out just as an incident goes, is so useful. For example, having a risk assessment for these assets to see how much we spend on protecting them is really important stuff. And then another example (and this is not an exhaustive list at all) is a software inventory: knowing what software you own, what software you might be owning in terms of shadow IT. There might be a lot of different employees out there that use something that hasn't been properly acquired, so you want to keep track of all that stuff as best as you can.

Once you know what you have, the next step is to understand the business. When it comes to understanding the business, you will want to do your research. Work again with your stakeholders; you see a theme here. Identifying duplicate work, for example: you want to make sure that when you're working with your stakeholders, you're basically optimizing the way that you work with each other and making sure you don't do duplicate work. You set your priorities accordingly and make sure that you're either working at the same time or working in a scheduled fashion that works for all of you. And then also identify opportunities for collaboration. For example, at my former job I was actually talking to someone who knew everybody and knew all the work streams, and we were like, this is really useful information, we should work with you more, and she was like, yeah, let's do it. And it was so useful and fun to get to know these different things. Contrast or compare that with a team that is kind of siloed. Imagine the difference between a team that works with other stakeholders and those that basically do their research on their own, not necessarily talking to other teams. It's like night and day.

So how do you do your research, aside from talking to other people? You can document all the things, or document those that you prioritize the most. Leave documentation better than you found it, and likewise, write documentation when you can't find it. Sometimes tribal knowledge exists in people's heads, people that have been around for a long time. That could be you, that could be an engineer, that could be, hopefully, someone who's still in the company. Remember that knowledge leaves with the people involved with it; that's tribal knowledge, and someone must write documentation so we can keep a record of what's going on. For example, runbooks, playbooks, all of the different documentation about where this thing is or that thing, or what the office is like in terms of networking. It will definitely require some writing skills, but you can learn about it.

So how do you document things? Information architecture is the keyword here. We should be considering our audience: what are the most relevant pieces of information for them? How do you direct your audience from more general to more specific documentation? And how do you manage navigation of all these different topics? All of those are concepts of information architecture, so look it up on your own time; it's definitely something to look into. I will guarantee you that your documentation will look so good once you understand the concept.

Now you have your documentation and you have your stakeholders, you understand the business, and you're going to communicate with everyone. Communication is so important for teasing out tribal knowledge for documentation; it is important for working well with others, and do not take it for granted. Definitely not. You might have seen these different, what would you call these, anecdotes, things that people say, like "this meeting could have been an email" (you see it on mugs all the time) or "this email could have been a Slack message." Well, the thing is, the art of communicating effectively with different people is based on the age-old saying that it depends. It really depends on the situation. It depends on the culture of your company. Do people like to set meetings? Then you might have to go with the flow, go with the preference of your stakeholders. Are employees expected to be diligent with their email? Does everything really get talked about on Slack? It really depends on the situation, basically.

And then another thing about messaging: I do have a few other tips. For example, right now I'm working with a lot of people on the East Coast, so considering time zones is imperative, especially if you're working with global teams. You might not know it, but you might be working with people from Asia, Europe, for example, and you'll really have to consider a proper cadence for how you're going to be working with them. Asynchronous communication is probably a must at this point, but then meetings: who's going to adjust? These are just some things to consider. Next, set expectations, goals and deliverables in meeting descriptions, or if you don't know the deliverables, you can talk about it and put it in your meeting notes. This is super important, especially when people get a lot of meeting invites and they're double-booked. Or even if they're not that busy, you don't want people going to your meeting and being like, why am I in this meeting, what is this? Or they might not even come to the meeting because they have no idea what's going on. So it's really important to set those expectations, goals and deliverables.

And then lastly, the AppSec CRM. Sorry, that's actually the thing that I call this CRM that we use at my company. The CRM is basically going to be extremely useful for this, for scheduling follow-ups on a regular cadence. Now, you can probably figure this out with your stakeholders, but it's important to keep track using the CRM as well. That said, you can probably figure a lot of this out as you go along, but I think it's important to talk about it as well. So yeah, with regards to all of that stuff, you can make allies of your stakeholders: just work with them all, communicate effectively, document all of the things.

So what happens when the personnel changes? What happens during mergers and acquisitions, when team structures change, or what happens when reorgs happen? What happens when people come and go and you're working with a new set of people? What do you do now? The thing is, like I said earlier, knowledge walks out with the people, so it is important to craft repeatable processes and workflows for working with new stakeholders. Here's a little bit of an idea on how you could present it or think about it. I just wrote this last night, to be honest, and I was thinking about how you can probably set a function, an algorithm, a method for how you're working with these different people. Of course there are going to be certain nuances that you'll want to consider, but at the end of the day there are processes you can templatize so that you're not reinventing the wheel over and over again when we're working with so many new people.

And then at the end of the day, you want to celebrate your wins, take a breather, and remind others, like your stakeholders, to do the same, because it's hard work. They may call this soft skills, non-technical skills, but it really is hard work to maintain all of those different connections. So it's really important for us all to just take it all in and find time for yourself.

So today we discussed what corporate security is, stakeholders and how to captivate them, how to best understand the business, and what to do when the personnel changes (think lather, rinse, repeat), and celebrate your wins with your team. The slides will be up online soon, but feel free to take a photo of the slide to take home. And yeah, I don't know if we have enough time, but I am open for at least one question. Thank you everyone, and thank you for existing.

Thank you, Maria. We have time for one to two questions. Do we have any questions out here? If not, we can follow up in the lobby. I see one here.

Thank you very much, mate. I have a question: what is your approach to networking and building relationships in this field outside of your workplace, in the broader security community?

Okay, so I mostly talked about networking within your company, but you wanted to talk about outside the company, right? Well, for all of those in the room, you're already taking the first step: be at conferences, volunteer, and just keep coming, and then there will be people who you notice are there all the time. So definitely that is one good way to get to know people. Join forums, read 2600 magazine, for example, and then get to know all the different cool things that are going on. Just learning, and learn with others along the way. I think it kind of speaks for itself, the power of all of these different conferences, BSides for example. It's good stuff.

Great, thank you Maria, and on behalf of BSides SF 2023 and our gift sponsor doing SEC, we would like to present you with this gift. Thank you so much.