DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz
While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone’s concern. In this talk, Astera will review what the purposes of a security team can be, which challenges you’ll face, how you can make it scale beyond the team’s boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you’ll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.
Please tell us the top 5 facts about your talk.
1. At a certain organizational size, you might (very likely) need a dedicated security team – but you shall never think of security as a team.
2. You’ll need to consider the boundaries of responsibility for that team, or you won’t be able to scale.
3. The way to get your products and users more secure is through making security part of your company’s (engineering) culture.
4. You want your teams across the org to work together, because they care about a common cause, and be happy doing so.
5. There’s nothing magical-unicorn-y around security, and we should actively make people stop thinking that security engineers are more special than other people.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I often receive the same questions again and again from people (think VP of engineering more than security lead) working at other organizations, not about vulnerabilities or tools or some sort of snake oil they might have heard of, but about how we managed to get our teams to work together as they do, and deliver the results they do. I figured I’d put the common questions (minus everything about compliance) into one handy talk.
Why do you think this is an important topic?
Because people >> technology, and we should talk more about how we meet what’s expected of us today with the teams we get to build.
Is there something you want everybody to know – some good advice for our readers maybe?
If I wanted attendees to at least remember one single thing from my talk, it would be: Hire people with empathy, not 0days.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?
I’m afraid I don’t have an answer to that 😉
Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she’s grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this frontier. She works as the Director of Security at SoundCloud’s Berlin headquarters, overseeing the Security, User Auth, Anti-Abuse, and Corporate IT teams.