
And now, enough of me rambling. I'd like to introduce Flee, who is the CSO at Gusto. He's going to be doing a keynote on Giving Away Security's Legos: Dumping Traditional Security Teams. We'll let Flee take a second here to get set up.

It's an interesting intro. In particular, it's always good, I guess, to get these talks kicked off with some somewhat scary things, like reminding the crowd that there's this crazy virus going on, and, oh yeah, by the way, which I did not know, I'm not being paid for this. Okay, thanks, that's good to find out. And, you know, I probably should have read that guideline earlier about not being an ass, so bear with me, I will attempt.

So, um, as we mentioned, my name is Flee. I'm gonna be talking to you about this idea of giving away your security Legos. I tried to make this talk a little bit more friendly and less violent in the language: I actually decided to say "dumping the traditional security team" as opposed to "killing the traditional security team", but I guess I snuck that in there anyway.

So, I'm Flee. I've worked at a couple of security companies and actually worked at a couple of startups; you know, I have a history at Square and at Twilio, and I'm now at Gusto, where we focus on building a people platform. One of the great things about all these adventures has been that emphasis on building. I learned a ton at Twilio about the power of code and what it means to be a builder, took that further at Square and really, really elevated myself, and now at Gusto I'm not only thinking about what I can keep building with code but also what I can actually build with people.

But I want to take a step back. I think, like a lot of you probably, my first exposure to building was Legos. I love Legos. Everybody likes Legos; maybe if you're a parent you may not like Legos so much, in particular if you find them lying around, etc. Lego was actually just one of those really great, accessible tools that I think everybody can use, and if you figure it out and actually pay attention to Lego, you can build some things that are actually marvelous and fantastic.

So maybe let's actually take a little history of Legos. I don't know, at a minimum you'll come away from this talk with just some random, useless bar trivia. So Lego is actually a ridiculously old company, and the word Lego actually comes from the Danish "leg godt", and I'm sure I mutilated that, but it means "play well", and I love that, in particular when it comes to security. Oddly enough, they started out by building wooden toys, and the whole deal was like, hey, kids need things to play with. Much later than that, they went on to build these plastic toys we all know about. But it's one of the things that everybody resonates with all across the world; everybody knows about Legos. It is the most powerful brand in the world. One thing that I really, really latched onto with Legos was their motto, which is "the best is not too good". I'm totally stealing that, so everybody that actually works with me at Gusto, that's a new thing I'm rolling out to you. But that's just a little bit of background on Legos, and this is also to set you up for a really, really, really extended and drawn-out analogy, so you're going to see a lot of Legos in a bunch of slides.

I want to start off, though, talking about the stereotypical company, and immediate disclaimer: I know that your company is special and it's a snowflake and you do things better than anybody else and you have nothing in common with anybody else, so just take this with a grain of salt. These are just broad generalizations, and like most other stereotypes, it's not true. I want to talk about companies, though, because of how we interact with companies as security professionals and some of the things that we think about and take for granted. You know, we kind of think that companies are like these monoliths, actually, you know, fighting against us, etc., and I just want to bring back those key aspects of the company. Companies exist to solve a problem for customers, and ideally they want to actually do that in the most efficient way possible. At the end of the day, what they're trying to do is take all of their Legos and build something great. A company that is doing well is meant to grow and extend itself and continue growing and extending itself. Every company, even the tiny little baby companies, is complex. For those of you working at the ten-person startup, your ten-person startup is complex; for those of you working at the, you know, huge monoliths where there are a hundred thousand, two hundred thousand employees, obviously that's really complex. No company is actually simple.

I think one of those other things that we often think about as security professionals, in particular, is the size of your security team, or maybe the reach you have, and that the company doesn't care about security. That's actually not true: your company cares deeply about risk, but it cares about all risk.

So let's take a look at the stereotypical security team at some of these stereotypical companies, and this will probably make you sad, because it makes me sad whenever I think about it. I personally did not sign up to be a cop, but a lot of the tasks that traditional security teams have often look like cops. It's like, oh well, I'm here to make sure that nothing bad happens, I'm gonna keep all the bad people out, I'm going to say no to you, and you're not allowed to do X, Y and Z: you can't have a Linux laptop, you can't have a MacBook, you have to have this shitty Windows PC. All these kinds of things that we think about when other people, at least as they experience security, have to deal with this. You know, the other really, really weird thing to get to see about security teams is that oftentimes we're the ones pointed towards when something bad goes wrong. It's like, hey, my company got popped. Oh, security, what happened? Why did we get hacked? What went wrong? Why don't you stop all the hackers? You should've been doing everything possible and eliminating all risks, 'cause you're the security team. It doesn't actually feel like that.

Even more interesting is when you look at how security teams are staffed inside of companies. It doesn't seem like we're necessarily set up for success in the traditional security team model. Like, most companies that you look at, and this is hand-wavy, anecdotal, I found some stats on the internet, so you know it's true: most companies' security teams are less than 1% of the company. There's definitely some anomalies out there; some companies are doing fantastic things and really investing in security. The smart ones recognize that security is a competitive advantage, but not all companies are smart, and not all companies also have that same approach. So in general you are always outnumbered and always outdone, at least that's what it feels like.

But probably the worst thing about a traditional security team is that they really look like a bunch of people that are just going through it: oh yeah, let me take a look at that, oh, I approve it; oh, let me take a look at that, oh, that's really yucky, I'm gonna, you know, deny that; repeat, etc., etc. And it's such a weird thing. I never thought that I would turn into a bureaucrat, and that's effectively what it feels like a lot of traditional security teams are doing. It's like, you know, did I sign up to be a hacker and then find out I'm an accountant? I personally think that security teams are probably a large part of the success of Atlassian, just because of all the JIRA tickets that we file and put people through, so I'm really grateful that Atlassian is a sponsor; at least we're getting some of that money back. But seriously, like, how many people in this room have, in security, as part of your function, the requirement to do design reviews? Oh, that hurts. Or you're required to have someone actually review access and say, oh, this person gets to have permissions. Or, oh, I need to actually look at this vendor, I need to look at this one-person company, I need to look at this little crappy Chrome plugin, I've got to look at every single piece of software that comes in there. I did not sign up for that. That is a horrible experience. All the years that I actually spent trying to at least be a real security person, it doesn't feel like that when I'm just doing a bunch of paperwork. I wanted to do deeply technical work, not just be in somebody else's way and causing friction and frustration for other people.

Part of that, though, is because of myths that we have to tell ourselves, and a lot of things that we kind of perpetuate about what it means to be a security professional. There's all these things that we actually want to believe. Like, one is this idea that we're not drowning. I also don't understand why this kid is so blissful, and also, where's this kid's parents? Whatever, I'm not a parent, so maybe I don't know. But it's like all these weird things and weird stereotypes that we perpetuate, like this idea that security is the smartest team. I have worked with a lot of dumb security people, a lot of dummies; I consider myself dumb as well. But it's this idea that when we show up we know better than developers, and that developer doesn't know what he's doing, and that, you know, she's gonna go out and she's gonna craft something that's gonna just destroy the company, and I have to be there watching over her shoulder, otherwise she's gonna make a mistake. One of my favorites, though, is this idea that all the reviews that we do are actually that meaningful. Do you really believe that the design review you performed is the same code that is in production? How do you guarantee that? I've definitely experienced where, yep, security did the sign-off, and something else completely different is in production. The other odd thing I find is this idea that security is too hard. There definitely are some complex things in security; like, if you were to ask Flee to actually do some crypto work, you're gonna have a bad time, everybody's gonna be unhappy. But we do know that people can learn these things, and it's not one of the things that only security professionals can do, but we've kind of perpetuated this myth that only security people wearing a hoodie with purple hair (I don't have hair), etc., can actually do these things. It led to this idea that we perpetuated ourselves, that we need to control everything: that if somebody is trying to build something, we need to be holding on to a lot of those Lego blocks. I think that's dumb.

Think about this idea of us and a company trying to build something, and they said, hey, we want this multi-rainbow architecture, something like all these various things we're actually trying to piece together, etc. But when you think about security as a gate, we're the ones holding all these red blocks. (Why this is appropriate: because they're filming The Matrix in San Francisco right now.) But no, seriously, like, what if there actually was a better way? And that's what I'm pitching to you, and hopefully getting you to at least think about how we should be practicing security. What we really want to do, and what the company needs and deserves, is secure outcomes. A secure outcome does not need to be done by a security professional or someone
who has security in their title. We need to be flexible around that in order to allow other teams to help us have those secure outcomes, and to encourage them to drive towards secure outcomes. At the end of the day, some of the most powerful individuals in your company are the developers. Help the developers be better.

So I hear what you're saying. It's like, okay, well, you gave this nice little pitch and it's all doom and gloom and security sucks, and what should we do now? And this is where this whole idea of actually sharing our Legos comes into place. How can we actually allow more people to participate in our ecosystem, and hopefully take more vacations and be on call a little less? The way you do this is you actually make it everybody's job. I know, I know, every single person in here, their company says security is everyone's job, but is that real? I don't feel like it can ever be real, because in a lot of companies, when something goes wrong, the security team is blamed. One of the competitive advantages that companies like Square or Netflix or Gusto have is this idea that the decision-maker owns the risk, and they own the consequences that go along with that. There's so much power in that: me showing up as a security professional saying, hey, I'm here to help, but you can make whatever decision you want, but you have to live with that decision, and if we get popped, if something goes wrong, if we hurt one of our customers, that is you, not me. Now, we're definitely there to support people and help make you really be successful, but that idea of actually owning the outcome and the consequences associated with that outcome drives phenomenal behavior, and it is so positive, and it's just a great way to practice security.

You know, part of the reason why I like this model is that security never has all of the context. I will never understand; I'm a horrible product person. So, like, when Twitter launched, I was like, oh, this is the dumbest idea ever, that's never gonna go anywhere. When Facebook launched, oh, that's never going anywhere, who would ever want that? Fitbit, who would ever want some kind of tracker looking into their lives? Except I'm a horrible product person. I can't figure out how to make the same decisions that they do, and I also don't know the same concerns. I would argue that since security is primarily an external entity, or an external team, to other teams, we will never know all the nuance of what they're working with. We don't know their code base as well, we don't know what their customer feedback really is, and we don't know how some of our decisions are going to impact those customers. By pushing this back onto the teams and giving them more freedom, we're also reducing that process overhead, and this is how we really scale. When you can say, hey, I'm going to help you set up processes, I'm going to give you code, etc., you can actually scale a four-person security team, a five-person security team, a ten-person security team, sometimes even a one-person security team.

So I know what you're asking: all right, Flee, I'm bought in, what should I be giving up? When I talk about this idea of sharing the red Legos, there's all kinds of things that we should be pushing back onto other people. In particular, we've got to get rid of gates. I personally rarely see gates be truly effective at driving secure outcomes; even more so, gates slow your company down. One of the biggest risks to companies is shipping the wrong thing or shipping something too late; you don't want security to be part of that reason. This next point is exactly a no-brainer: the devs should be doing the code review. They will know the code much better than we will, and they know the entire ecosystem of what that code looks like, where it lives, etc., better than anybody on the security team. I would love to see more product managers themselves actually lead those threat models. We can teach them how to do a threat model. If you know Joy Forsythe, she has this phenomenal little talk that she does where she actually can teach a kindergartner to threat model. You can teach a kindergartner to threat model; I'm positive you can teach a product manager to threat model. One of the other big things, and this is probably the key, is making sure that the product owner truly owns the risk and owns the risk acceptance. Now, part of that means that you're going to occasionally have to be like, ugh, because they're gonna make a decision that you don't like, but in exchange for that they're gonna start making more decisions you do like, and they're gonna make decisions without you even needing to be there. We want to push down to our employees that everybody in the company is responsible for protecting data, and when you really instill upon them this idea that data is an actual human, it resonates in a way that I don't think we've communicated before. If I can explain to you how losing your laptop, or, you know, not using 2FA, etc., impacts an actual human being, you change behavior. Probably, though, you know, if you want to take anything else away from this, it's that every single person must be held accountable. And this is actually one of the great things that security can do: when security works well, it is helping a company understand and manage risk. I did not say mitigate, I did not say prevent. The idea is that we actually want to help them see what their risk budget is so they can ideally make the right choices automatically. I don't want to scare anybody: security is not going away. The people who own those security operations, though, are going to change.

Now, this is gonna freak you out, because we know that humans are human and they're going to make mistakes, and probably one of the very first things that pops up is like, oh my god, what if something goes wrong? I can put you at ease for your question; I already know the answer to this question. What if something goes wrong? Yeah, it's definitely going to go wrong. People are definitely going to make mistakes. They are going to do things in ways that you do not like; they're gonna use products you don't like. I am very opinionated about security products. The product people are going to choose security products that I hate, but if it gets the job done, then I need to be comfortable with that outcome. One of the things that I've actually seen, though, is the opposite: I've actually found more pleasant surprises by pushing security back out into the company, as opposed to nightmares. People become much more engaged, excited. Developers in particular want to do the right thing; they want to write great, secure code, and now they've got the opportunity to. By the security team saying, like, hey, security is your responsibility, to the product team, developers are now empowered to tell their managers, their product managers, etc., well, time out, I have to make sure this is secured, in the same way that the developer feels empowered to say, no, there's a bug in this code and the feature doesn't work. They can and will push back, because we've actually pushed that power back to them. Some tricks, though, are to figure out ways to help teams fail quickly, and if they're going to make security mistakes, ideally make small security mistakes. And that's by saying, like, hey, you know, just try this out, we'll be along for the ride with you, etc.; help, you know, be engaged in that process along with them.

I think something people also forget a lot is that security teams do make mistakes. They make mistakes a lot. How many people here have ever actually brought down production as a security person, by scanning, pentesting, etc.? I see some people here that I know should be raising their hands. That's fine, this isn't Hackers Anonymous, it's fine. But it's like, we should also be comfortable with the product teams making some of those same mistakes. You don't want to give them everything at once, right? You know, it's this idea of Lego blocks: you want to give them maybe some of the bigger blocks, you don't want to give them the things that they can choke on, etc. You want to give them chances to actually ramp up, give them the tools and support them, so that when they do make mistakes, the impact of that mistake is just minimal.

I just realized, I'm pretty sure everyone in this room is a security professional, and I'm kind of lobbying to get rid of your job. That's okay. Look, that's not actually the point of my talk, though, but it is one of the things that people, I think, hold on to. Maybe even one reason we've held on to these red Legos is because we think that's the thing that defines us, that's what keeps us employed, etc. There's still a ton of work to do. The things I'm advocating for pushing down are the things that are best handled by the development teams, etc. I would argue that the things that the security team is best positioned to do, and that are the most impactful for our different set of skills, are actually the skills that we really enjoy. So this idea of actually consulting with teams: I'm like, hey, let's sit down and talk about your design. You don't have to listen to me. If you want my help, I'm happy to, you know, sit down, look through the design, talk about the product features you're about to make, etc., and just say, hey, this is maybe one of the risks and some trade-offs you might wanna consider; oh, you identified this risk yourself, here's some of the things I think of when I think about mitigating those things. You get to be creative and actually build again. This idea of security is kind of being that lens for the rest of the company to really understand risk and actually see the entire ecosystem. So a product team can think about their individual risk, but they may not be aware of all the other teams that are involved in some decisions they make, and security is a good area to actually kind of focus that in.

But I think probably one of the things that security could be a little more powerful at, and should work a little bit more at, is culture building. Culture scales. If we can convince other people to care about security, to care about privacy, to care about the humans at the end of the bits and bytes, our job is almost won. One of the more powerful things you could do as a security team is educate your users and encourage them to be excited about security. By pushing a lot of the JIRA tickets and the approvals and reviews off, you can also get back to doing real security work. You can do deep research now; you can specialize on some really, really complex problems. One of the things that was really exciting for people on the Square security team was that they got to spend most of their time writing code. How many of you get to write code anymore? How many of you get to do reversing? How many of you actually get to do what you signed up for when you were just a little baby hacker? Going back to this idea of security being the lens around, like, risk, etc., we still need to, you know, help shepherd vulnerabilities. It's not your job to fix stuff, it's not your job to patch, but it is your job to help people stay on top of their vulns. And then, of course, the thing that we are, unfortunately I guess, really good at is actually handling incidents and doing forensics. I personally think incidents can be fun; I don't want any, but they can be interesting. So this idea of having a
team that a city providing that lends and creating like holistic risk visibility it's like yeah you get to think about and search for those like really really deep nuanced security issues you can also help the company understand what exactly conflicts of risk decisions so maybe the marketing team wants to put something on the website and they feel like they're empowered to do so and they should but one of the product teams who wants to alter how cookies work inside of the ecosystem and it connects to be a conflict that the marketing team would not know about and the product team may not know about and that's actually a great thing that security can provide this whole whole
lenz of the entire risk in the ecosystem I'm also interpreting the threatened landscape for people your normal coworker probably is not looking at every single zero day that's been released or not reading all the same papers that we are they don't understand speculative execution they just heard it on the news and it's kind of our job to interpret those people and help them understand how does this impact the company how does it impact your team what should you be prioritizing and where she do prioritize and then finally probably the hardest problem in computer science is actually finding out where everything is this idea of cataloging things it's also fundamental to the security and it helps us do our job
better when we think about education and this role of security is almost like a missionary slash evangelist it's like yeah you want to provide role specific role specific security training to people I've fallen through this book or just given people just you know oh here's your generic but wash top ten security training yep you're a firmware engineer I'm never gonna care about this but you have to take it that's how you lose insecurity it's by giving just generic security training but role specific trainings actually really engaging and developers love it and they want it all the time every developer wants to be a better engineer something I don't see enough of is teaching people about
privacy you know for me that's actually deeply personal I want more and more people that if you think more about their privacy and I think if we do and educate the rest of our company companies will make better decisions so that people will actually start using our products as opposed to fighting our products I think yet another internet statistic it's like one out of ten registrations is a fake email address because people worry about spam so they're no longer actually getting a they're no longer active getting the full value of your service and you're also not getting the full value of that relationship if we can actually get companies think more about privacy though we can actually bring more people
to our platforms everybody needs to learn about social engineering including security people like my favorite thing is when I hear security people brag about how great they are at social engineering and then find out they can't get people inside their company dapat phones it's again hmm just an opinion if you also want to get people highly engaged and you can actually do this with every person in your company teach them how to hack teach them the same things that we learn every single person in here was a noob at one point every single person here started from zero and what that means is that every single person out there can also learn the things that we do probably one of
the more controversial things is telling people decided pragmatic risk yep there's just gonna be some things you're gonna live with it's gonna make you feel bad hopefully it makes you feel bad but we know that you can't fix and solve everything at once you can't address every single risk and also taking risk is what allows companies to grow if we did not take the risk of saying hey let's allow somebody to take a credit card on the internet we wouldn't have them in Jordan companies we have here that sounds like a crazy idea we think about it back like back in my day you know back in the 90s and things like that putting your Craig on and it was scary
but that risk allowed other companies to flourish if you really want to have fun and get people engaged do a tabletop exercise everybody likes a DND they just don't know they like dandy when you introduce them the table tops they get it super excited even people that I would never have expected so we have to did a tabletop exercise with one of our chief people officer and she can't stop ranting about it like how awesome it was and how exciting was etcetera they want to be engaged we just have to actually go to them and engage them shepherding bones the bones seem to tend to wander they will stay out in the pasture and graze for much longer than we'd ever
actually like but one of the things that security team can also do is part of the reason why they oftentimes don't get patched is that the teams aren't getting them properly prioritized and we don't help them understand okay what are the things you should be fixing right now and they just stopped just in just pure bone overload I'm sure there's actually some scanning vendors out here I used to be one of those horrible vendors as well you know you still work at four to five giving like tons and tons of results and it turns out you can overwhelm somebody with that but the security team connect yourself there and there's a key one the key things you understand what the
results actually mean and what that impact is when you work along from the other team hold teams accountable holding somebody accountable does not mean that you're going up and yelling at them one of my favorite things to do is to just publish it everybody in the company gets to see who's meeting their SLA is who's not meeting their SLA it's who are there really really good actors inside the company and it turns out that sunlight is a great disinfectant and when you make things visible people change their behavior identifying patterns that Vons really being said like hey wait a second it turns out this team here has a lot of cross-site scripting this other team here also has
cross-site scripting okay that's the pattern inside our company it's like you figure out a true systemic fix how do we actually resolve this issue remembering to right-size the Vaughn management process for each team how an infrastructure / DevOps team wants to patch 200 servers is different than what a developer wants to do when it's just submitting one code one line of code we still get to pin tests with stone it actually go out and hunt we thankfully in this model get more time to think about these things to go out and actually look for those deep nuanced bugs and vulnerabilities that may be residing inside of our infrastructure the other is that you get to recognize
and look for some of those like just bad patterns what I call it you know quote unquote code smells we're often called upon to actually you know Don the hazmat suits I think it's actually a great thing for a security team to do it is a skill that most of us already have learned you get into introduced to it actually pretty early and so it's something you can actually help other teams learn helped them become better incident responders and even assist with non security incidents for better or worse we deal with this maybe a little bit more often some other people inside the organization and we can assist them that helps level up the entire company and they start to see
security as they team they want to run to for help as opposed to the team they want to avoid so they can ship Legos have these really really small tiny pieces that like these one singular piece Legos are only meant for like you know people three years old or above there's a lot of stuff that we still have to stay on top of because yeah you can choke on Legos if you don't like you're doing you put them into the wrong hands etc you got to be a little bit a little bit smart about how you actually roll some of these things out some of my favorite things that can help people avoid with that is this idea of like hey you
flagged sensitive security operations: this thing you're working on looks like it's critical to the company's security. You know, we can actually just have a git hook or something like that that actually sends an alert. It's like, hey, security wants to talk to you, because we think you might be doing something that is a little bit scary. Help people also monitor, but ideally not only just monitor, their vulnerable dependencies; help them auto-patch. The biggest thing that you should be doing, though, in the security team is just shift more: you should be writing code today, you should be building. If you do not see yourself as a builder, come talk to me, I want to change your mind.

Creating golden paths, making the right thing easy and the obvious answer, is the way we win, the way we scale, and not only that, it accelerates teams. One of the favorite experiences that I have at Gusto is teams asking me to hire more security people, like, "I want to work on features, can you hire some more security people so they can help me build these things?" It's just a phenomenal experience, and completely different than what you see in quote-unquote traditional companies or traditional security teams. Helping infrastructure teams, or teams in general, define and ideally codify known goods: if you know what known good is, you can always detect any deviation. Something that's different than good doesn't mean it's bad, but it's not what we set out to do, and you can even start doing things like auto-remediation around that.

This idea of also making it much more difficult for people to shoot themselves in the foot when it comes to sensitive data: so building PII services, tokenization services, crypto services, etc., so that you have these strong fences, and that people aren't afraid to experiment, because they know now they kind of have these guardrails. If you don't want to worry about, or don't want to deal with, the small blocks, you can always just give your team Duplo blocks: make some of those things that are more complex a little bit more friendly, easier for them to consume, and they don't need the same level of security knowledge.

We should be putting ourselves out of a job: build robots, automate, automate, automate, automate, automate. Anything that you can do that seems like taking you out of a job, you should be doing that, and the more you can make things self-service, the better for you, the better for your co-workers, and ultimately, actually, the better for the customer, because you can start pushing quicker and have better security in an entire ecosystem.

So to wrap it up, because I've been getting the sign a couple of times, really what I'm trying to get at is for more people to start thinking about their security organization as a building organization. You have security engineer in your title; be an engineer, build. Every single person in this room is capable of writing code. If you don't write code, you can learn; every person can learn to write code, and it is such a phenomenally powerful thing to do, and that is how we truly scale. And if we can actually do those things and get it right, we have fun and everything is awesome. So, yeah.
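The git hook the talk mentions, one that notices a commit touching security-critical code and nudges the author toward the security team rather than blocking them, as an added example. This is not code from the talk or from Gusto's tooling; the list of sensitive path prefixes, the alert wording, and the function names are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the talk): a minimal git pre-commit hook that
# flags staged files under paths the security team has marked sensitive
# and prints an alert asking the author to loop security in.
# The path prefixes below are a constructed assumption, not a real policy.
SENSITIVE_PATTERNS="auth/ crypto/ config/secrets infra/iam"

# flag_sensitive_paths: reads newline-separated file paths on stdin,
# prints one alert line per path that starts with a sensitive prefix,
# and returns 1 when anything matched (so a caller can warn or block),
# 0 when nothing did.
flag_sensitive_paths() {
    hits=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        for pat in $SENSITIVE_PATTERNS; do
            case "$path" in
                "$pat"*)
                    printf 'security-review: %s matches sensitive prefix %s\n' "$path" "$pat"
                    hits=$((hits + 1))
                    break
                    ;;
            esac
        done
    done
    [ "$hits" -eq 0 ]
}

# count_sensitive_hits: convenience wrapper that takes paths as arguments
# and returns (on stdout) how many of them were flagged.
count_sensitive_hits() {
    printf '%s\n' "$@" | flag_sensitive_paths | wc -l | tr -d ' '
}

# When installed as .git/hooks/pre-commit, run over the staged file list.
# The guard keeps this inert when the file is sourced or run under a
# different name (for example by a test harness).
if [ "${0##*/}" = "pre-commit" ] && git rev-parse --git-dir >/dev/null 2>&1; then
    if ! git diff --cached --name-only | flag_sensitive_paths; then
        echo "This change touches security-critical code; please ping the security team before merging." >&2
        # 'exit 1' here would block the commit; the talk favours alerting
        # and a conversation over blocking, so the commit is allowed through.
    fi
fi
```

The hook only alerts; the design choice is that the signal goes to both the author and (via whatever alerting the echo is replaced with) the security team, without turning the hook into a gate that people route around. A prefix match on paths is deliberately crude: the point is to know when to start a conversation, not to adjudicate the change.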
I don't do a halftime... what? Oh, I have six minutes for questions. So yeah, if there are any questions, I also welcome heckling. Oh wow, they're not here, some are here, and I probably should have brought glasses. Yeah, oh, this is a key one, this is good, man.

"You mentioned it's crucial that everyone should be held accountable, on the subject of owning their own risk. What's the material way to do that?" The way I actually like to do that is, as boring as it sounds, risk registers, and just publishing those top risks to the company, and the risk that we're still carrying, and which teams own those risks. It's amazing how quick people will make different choices once they know that all of the execs are going to see the decision that they made. That changes behavior immediately. When execs see that, oh, this is also gonna be presented to the board: immediate behavioral change. Sunlight is the best disinfectant.

Another question: "Who do judges typically say is responsible, accountable, for information security in a breached company?" They generally always hold the executives accountable, but it's the CSO that gets fired every single time, and this has happened to friends of mine where I know they were literally doing the right thing, and I know that they were advocating for the right behavior, and there's a reason why the gallows humor for CSO is "chief scapegoat officer". Yeah, we're kind of like the first ones to get thrown underneath the bus, or the sacrificial lamb, but it's still an enjoyable job.

That is the... whoops, another question popped up: "How do you maintain, publish all risk and SLA breaks without building a culture of shaming devs?" That's like a really good question. It's just data, and, and, and I am, maybe, you know, I don't adhere to the guidance as well, I can occasionally be an ass, and it's like, the data is the data. If you want to change the data, change your behavior. If you are unhappy with having other people know that you're not living up to your obligations, live up to your obligations.

"Suppose the owner of a small feature accepts the risk, but a breach blows up the reputation of the whole company, or creates a path to a larger breach?" That's a risk that we take every day. I do not actually solve that problem. I do know that if we empower people more and build more golden paths, we can actually reduce the likelihood of that happening. By us being so involved in some of the bureaucracy, we don't have the time and the resources to actually build the tools to minimize impact and risk, and so I believe that it is time.

And yeah, work with Gusto. I don't have the little bracelet on, but I will be down in the hall if you have any other questions, and in particular if you have a question about coming and getting a job at Gusto, more than happy to field those as well. Thank all of you for actually coming out here, yeah, and hope you have a great day. [Applause]