
Starting a Security Program: Thrills and Spills

BSidesSF · 2018 · 33:45 · 255 views · Published 2018-04
Category: Career
Style: Talk
About this talk
Poornaprajna Udupi - Starting a Security Program: Thrills and Spills

Building a security program sounds exciting and exhilarating. Security practitioners tend to focus on technology and policy skills in preparation for such an opportunity. But developing good emotional intelligence is critical for the role of a security program builder. Why would the engineering team dedicate cycles to turn on find-sec-bugs, resolve all findings and then be willing to fail the build pipeline on errors? Why would the product team design strong authentication mechanisms that could negatively impact the user registration funnel? How do you identify and engage key personnel in incident response tabletop exercises? How do you rally company resources to resolve the findings of penetration tests? What would encourage employees to report issues and help investigations without the fear of blame or shame?

This presentation discusses the journey of the first security engineer at Lyra Health, who had the prerogative and responsibility of setting the security aspirations for the management, employees and customers. With that one single engineer focused on security and supported by a flourishing culture of shared responsibility, Lyra Health achieved HITRUST compliance in the first year of the security program and continues to satisfy stringent requirements from customers.

The key to achieving such cohesion at Lyra Health was an emotional awareness of the purpose, process and demands of each team. With that understanding in place, security gets invited early on to projects, participates creatively in problem solving and contributes as a determined enabler for the collective success of the company.