I'm the Director of Cybersecurity at Esper, a cloud-native startup that offers powerful cloud tooling for Android device deployment and application management at scale.
During my tenure at Esper, I've worked on everything from achieving compliance with no budget and deploying multi-cloud environments to empowering business counterparts and managing a distributed DevSecOps team with JupiterOne. One could say I'm a huge advocate of the platform.
That being said, security can be a tough program to grow from zero and scale as an organization grows. I am partnering with JupiterOne to share my biggest lessons learned and how to stay sane while scaling a cybersecurity strategy and team at a fast-growing cloud-native startup.
Lesson 1: Trust is Business Value
One of the Security Chief's ultimate duties is to foster trust with customers and employees. Trust is business value. Customer and employee relationships are more profitable if there's a strong foundation of trust. Jeff Pollard, VP at Forrester, calls this idea the "trust imperative."
The most effective CISOs create revenue by strengthening trust at each stage of the customer journey. The best security leaders also work hard on employee trust, since trust is essential to get anything done internally. Of course, some teams lead by authority, but it's more effective and way less painful to create trust and lead cross-functional projects with influence.
As I've scaled Esper's security, I've continued to learn the critical value of trust. Luckily, I've never had to experience a loss of trust. I hope I'm always able to maintain my coworkers' and customers' trust.
Lesson 2: Be Conscious of Intervention
In an agile organization, every security control has consequences. Controls that tax productivity have massive consequences, and they're also ineffective: employees are likely to find unauthorized workarounds when security controls sap their productivity.
Scaling up security in a startup is a balancing act, where you constantly have to weigh the impact on productivity, agility, user tolerance, and risk. In addition, you have to fine-tune your controls to keep your employees feeling free and happy, especially since many organizations compete on talent and employee retention.
Maximizing employee freedom with minimal controls was a huge theme in the recent "No Rules Rules" book about Netflix's startup journey. But scaling security controls is tricky, since you can't simply put them in place after something breaks. Instead, security needs to exist before there's an issue.
Regardless of size, age or industry, all organizations are ultimately competing on speed. Security is critical, and security teams must be hyper-conscious of employee productivity. The secure path should never be painful to users; it has to be the path of least resistance and greatest productivity.
Lesson 3: Manage Your Policies via Git
I have few regrets so far, but I wish I'd managed our security policies via Git from day one. I think it's never too early for an organization to start managing its policies via Git.
You can manage your security policies via Google Docs. It has a sweet version history feature that will get you through audits, but Git is way more scalable.
Lesson 4: GRC is Technical and Compliance Does Equal Security
Historically, security teams believed that governance, risk, and compliance (GRC) is non-technical paper pushing. But, security teams have also traditionally been an IT hobby shop that lives and dies by perimeter security. Times have changed, and we need to embrace new attitudes and tools for GRC.
Two-thirds of CISOs manage audits via spreadsheets or SharePoint, and they're struggling, since spreadsheets do not scale to a cloud development model. CISOs need automation (tools like JupiterOne) to understand distributed, immutable, and ephemeral cloud assets.
Traditionally, compliance and security have been separate teams, but they need to become more closely aligned concepts. As an industry, it's time to develop a little appreciation for GRC and acknowledge that secure cloud compliance is technical as hell.
Lesson 5: Be Unreachable Every Once in a While
The crisis of CISO burnout is real. Security is hard, and security at a hyper-growth startup is probably even harder.
I don't have answers to the security burnout crisis, but I've learned to step back every once in a while. I've mentored rising security talent inside and outside my organization because mentoring is something that energizes me and gives me hope for the future. I often try to connect with other security leaders because it puts me in a good headspace to know we face the same challenges.
Perhaps most importantly, I vacationed at a cabin near Mt. Hood, Oregon a few weeks back. I turned my phone off for four whole days, and I did a ton of NYTimes crossword puzzles. So, step back completely at least a few days per year. If you've set a strong foundation for security, there will be no dumpster fires while you're offline.
Interested in learning more about building and scaling a better cybersecurity program? Join our upcoming webinar "The CISO's Role In The Trust Imperative" with Jasmine on Thursday, October 21, 2021 at 1pm EST.