Top 5 Lessons in Building and Scaling Cybersecurity at a Cloud-Native Startup

By

I'm the Director of Cybersecurity at Esper, a cloud-native startup that offers powerful cloud tooling for Android device deployment and application management at scale. 

During my tenure at Esper, I've worked on everything from achieving compliance with no budget, deploying multi-cloud environments to empowering business counterparts, and managing a distributed DevSecOps team with JupiterOne. One could say I'm a huge advocate of the platform. 

That being said, security can be a tough program to grow from zero and scale as an organization grows. I am partnering with JupiterOne to share my biggest lessons learned and how to stay sane while scaling a cybersecurity strategy and team at a fast-growing cloud-native startup.

Lesson 1: Trust is Business Value

One of the Security Chief's ultimate duties is to foster trust with customers and employees. Trust is business value. Customers and employee relationships are more profitable if there's a strong foundation of trust. Jeff Pollard, VP at Forrester, calls this idea the "trust imperative."

The most effective CISOs create revenue by strengthening trust at each stage of the customer journey. The best security leaders also work hard on employee trust, sinc trust is essential to get anything done internally. Of course, some teams lead by authority, but it's more effective and way less painful to create trust and lead cross-functional projects with influence.  

As I've scaled Esper's security, I've continued to learn the critical value of trust. . Luckily, I've never had to experience a loss of trust. I hope I'm always able to maintain my coworkers' and customers' trust. 

Lesson 2: Be Conscious of Intervention

In an agile organization, every security control has consequences. Controls that tax productivity have massive consequences, and they're also ineffective. Employee users are likely to find unauthorized workarounds security controls sap their productivity.

Scaling up security in a startup is a balancing act, where you constantly have to weigh the impact on productivity, agility, user tolerance, and risk. In addition, you have to fine-tune your controls to keep your employees feeling free and happy, especially since many organizations compete on talent and employee retention. 

Maximizing employee freedom with minimal controls was a huge theme in the recent "No Rules Rules" book about Netflix's startup journey. But, scaling security controls is tricky since you can't put them in place right after something breaks. Instead, security needs to exist before there's an issue.

Regardless of size, age or industry, all organizations are ultimately competing on speed. Security is critical, and it's critical that security teams must be hyper-conscious of employee productivity. The secure path should never be painful to users, it has to be the path of least resistance and greatest productivity. 

Lesson 3: Mange Your Policies via Git

I have few regrets so far, but I wish I'd managed our security policies via Git from day one. I think it's never too easy for an organization to start managing its  policies via Git.

You can manage your security policies via Google Docs. It has a sweet version history feature that will get you through audits, but Git is way more scalable. 

Lesson 4: GRC is Technical and Compliance Does Equal Security

Historically, security teams believed that governance, risk, and compliance (GRC) is non-technical paper pushing. But, security teams have also traditionally been an IT hobby shop that lives and dies by perimeter security. Times have changed, and we need to embrace new attitudes and tools for GRC. 

Two-thirds of CISOs  manage audits via spreadsheets or Sharepoint, and they're struggling since spreadsheets do not scale to a cloud development model. CISOs need automation (tools like JupiterOne) to understand distributed, immutable, and ephemeral cloud assets. 

Traditionally, compliance has not been the same team as security, but they need to become more similar concepts. As an industry, it's time to develop a little appreciation for GRC and acknowledge that secure cloud compliance is technical as hell

Lesson 5: Be Unreachable Every Once in a While

The crisis of CISO burnout is real. Security is hard, and security at a hyper-growth startup is probably even harder.

I don't have answers to the security burnout crisis, but I've learned to step back every once in a while. I've mentored rising security talent inside and outside my organization because mentoring is something that energizes me and gives me hope for the future. I often try to connect with other security leaders because it puts me in a good headspace to know wewe face the same challenges.

Perhaps most importantly, I vacationed at a cabin near Mt. Hood, Oregon a few weeks back. I turned my phone off for four whole days, and I did a ton of NYTimes crossword puzzles. So, step back completely at least a few days per year. If you've set a strong foundation for security, there will be no dumpster fires while you're offline. 


Interested in learning more about building scaling a better cybersecurity program? Join our upcoming webinar "The CISO's Role In The Trust Imperative" with Jasmine on Thursday, October 21, 2021 at 1pm EST. 

Jasmine Henry
Jasmine Henry

Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.

To hear more from Jasmine, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Keep Reading

What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)
February 6, 2023
Blog
What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)

The new JupiterOne Query Builder streamlines your querying experience by eliminating errors, simplifying query builds, and reducing time to value.

The top 10 questions that every engineering leader should be able to answer
February 2, 2023
Blog
The top 10 questions that every engineering leader should be able to answer

We polled some of our engineering leaders to see what it takes to succeed. In part two, we see if their answers align with the CISOs we talked to.

Identify compromised versions of Github using JupiterOne
January 31, 2023
Blog
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.