About This Episode
This week we are joined by Daniel Leslie at Namely who shares his take on the human side of security, and what security at scale looks like for his team. Max, Justin, and Daniel discuss the 3 core things to good company-wide security: psychological safety, vulnerability, and purpose. You have to address these things in a comprehensive manner.
About The Hosts
Justin McCarthy
Justin McCarthy is the co-founder and CTO of StrongDM, the database authentication platform. He has spent his entire career building highly scalable software. As CTO of Rafter, he processed transactions worth over $1B collectively. He also led the engineering teams at Preact, the predictive churn analytics platform, and CafePress.
Max Saltonstall
Max Saltonstall loves to talk about security, collaboration and process improvement. He's on the Developer Advocacy team in Google Cloud, yelling at the internet full time. Since joining Google in 2011 Max has worked on video monetization products, internal change management, IT externalization and coding puzzles. He has a degree in Computer Science and Psychology from Yale.
About Token Security
At Token Security our goal is to teach the core curriculum for modern DevSecOps. Each week we will deep dive with an expert so you walk away with practical advice to apply to your team today. No fluff, no buzzwords.
Transcript:
Justin McCarthy 0:20
And today, we’ve got Daniel Leslie. He’s the director of security, intelligence and IT operations at Namely.
Daniel Leslie 0:26
Thanks for having me.
Justin McCarthy 0:28
Thanks for joining us. So Namely is an HR platform.
Daniel Leslie 0:32
Yes, I’ve been in this space, I can talk to it. I’ve seen the problems firsthand. Here’s how we were dealing with certain things and plainly put: we know at the end of the day security boils down to people and in HR, they’re the human resources department. So it starts there.
Daniel Leslie 0:50
And over my observations and past going on five years here at Namely, it’s like, I’ve been able to rapidly accelerate the program and get it in shape due to the partnership with our HR team, just hey, here’s what we need to do. And then just like buying into it, helping push these initiatives, whether it’s a policy change, whether it fits, you know, we need to do more training, or wait, we’re spinning up another office, okay, here’s what IT and security needs to do for this. And they’ve just been readily supportive of being able to do these things, and just enabling us to do the common things.
Justin McCarthy 1:18
Well, so that evokes, I think, it’s almost like because your product is an HR product, you kind of have to take HR seriously. And then once you take HR seriously, then you can ask, what can HR do for info sec, what can it do for security. And then it turns out, there’s a lot of helpful what communication and policy distribution and all that stuff that probably goes under that umbrella,
Daniel Leslie 1:41
And then taking it to another level. Traditionally, security has been the forefront of the security engineers, the security architects and the CISOs and typically, it’s very procedural. We kind of abstract ourselves away from the fundamental human element, the EQ, the emotional quotient. Making sure we’re coming from that side of being empathetic, understanding the processes, and understanding that some things just need to take a little bit slower due to the nature of just human tendencies.
Daniel Leslie 2:11
And being more aware of that. And I think I’ve gotten a lot more awareness by working with our HR team on that front, which has made some of the things in a security front, roll out a little bit smoother, because I’ve had those conversations, and they’re already asking the questions, and proposing the potential hiccups a little bit sooner and broadening the perspective with regard to organizational management.
Justin McCarthy 2:35
It sounds like you have developed some empathy and some sort of a team feeling with HR. I’m curious if it’s actually gone the other way around, have you been able to sort of recruit the HR folks into the fold and show them a security point of view, and do any of them feel sort of fun or excited about the security mission?
Daniel Leslie 2:50
Yeah, I can’t say I’ve convinced them, I think they just already knew. Like, I think what they’ve definitely gained an appreciation for is the structure because I bring a structured analytical approach to looking at a particular problem, deconstructing it, and then looking at what are the obvious things that we should just be addressing right away, and then being able to communicate that to folks to get everyone on board.
Daniel Leslie 3:11
And not to say that I figured it out, or it’s perfect, trust me, I’ve had other problems. I’m like, oh, wow, we definitely could have done better here. And I’m pretty sure they have a whole list of stuff. They wish I was doing better.
Daniel Leslie 3:22
But I think at the end of the day, it’s been more of that collaborative approach. Making sure as we are practicing what we preach was all in one HR platform processing, payroll, benefit brokerage services, performance reviews.
Daniel Leslie 3:37
And then of course, all of our clients’ data is sitting in our system, is our HR team doing the fundamentals as well. So that way, when we look at how we deal with different features on the platform, it makes sense, right? It makes sense from a practical use case and the buy in is just there organically, it’s not forced. And then people have a stronger sense of ownership right now, they kind of like own it, because they already cosigned that, take one at this.
Daniel Leslie 4:06
So they want to make sure it’s successful as well. The other thing too, on the empathy side, I met Bruce Schneier a couple of weeks ago, at a CISO dinner, he’s just brilliant at weaving in real world examples, to anchor his ideas or just like, the points he’s trying to make. And he’s saying that like we do these security trainings, we tell people not to click on things, right. But the internet is completely designed to click on things. And he’s like looking at everyone, so you have to laugh at it like yeah, like, I’m pretty sure I just literally said that last week to folks not to click them.
Daniel Leslie 4:40
But how do you deal with that? How do you reconcile that people aspect of like, hey, we’ve designed something for you to do it. And then we’re telling you not to do something the next day. So
Justin McCarthy 4:49
Sounds like the grocery store too. You know, one thing I think that would be helpful for the audience, and for me, is to learn a bit about just what is the scope of the Namely product, and give us a good idea of the kinds of topics that come up for you every day.
Daniel Leslie 5:03
The scope of the Namely product, first and foremost, is empowering organizations to make a better workplace. Giving them a central point of focus with regards to communication, with regards to onboarding, with regards to performance reviews, goal setting, workflows for HR professionals for the day to day procedural stuff, or quarterly or whatever the cadence is, hiring, onboarding, promotion, things like promotions, right, being able to track the promotions and being able to just run the payroll, all in one spot. Exactly. And then benefits, right, so you have a life changing event. Before I was at Namely, I had to go to like two different sites to make an update to something, right, if I wanted to make a change. And login here, if I want to look at my pay stub, I log in there, if I wanted to look at the performance thing, I had to log in another spot. So Namely centralized that, which is initially what attracted me to join the organization, was that vision, so
Justin McCarthy 6:01
And then it is a SaaS product. So it sounds like you’re hosting not only your own company’s data, but it sounds like the data that you’re responsible for securing is actually the sum of all your customers.
Max Saltonstall 6:10
Yes, yep. There’s an interesting platform security piece there, too. I don’t know if that’s within your realm around, how are you choosing what technologies you’re going to depend on to make sure that your stakes are fair, right? Because it seems like you’ve got this mother lode of really appealing PII between financials and addresses and birth dates and all that stuff. And you’re putting it somewhere, and you’re exposing yourself to vendor risk. That’s something I love to touch on as well.
Max Saltonstall 6:45
How do you handle the risk to you and your clients when you’re working with the vendor, whether cloud provider or any other places going to be able to touch your data.
Daniel Leslie 6:55
So I was very lucky to come in pretty early on with Namely, when I first started, there wasn’t a security team, there wasn’t an IT team. So you know, I had the support to be able to design and architect IT systems that I knew were going to be mitigating risks out of the box, or even adopt the technologies that are forward thinking. So for example, network security, right, we want to make sure we got a network security, a networking platform, that gave me the top five of the top 20 critical security controls.
Daniel Leslie 7:27
So out of the box, I knew just by turning this on and deploying it, we were covering those bases from day one, and then we’re in AWS. And then AWS has a lot of native security, monitoring, alerting, and just making sure we’re leveraging those mechanisms appropriately. And obviously mapping those to like our risk, what are the things we immediately need to worry about?
Max Saltonstall 7:47
It seemed like you definitely had to make some compromises, there are some trade offs, right? If you’re not going to be able to handle all of those top 20 right off the bat, especially in a small company that’s hiring, now you have a security team of one. So how did you figure out? What do I address right now? What do I want for six months or 12 months, or what’s just not a big enough risk for me to spend the person energy?
Daniel Leslie 8:09
When I first started at Namely, there were maybe 50 or 60 people. And the mandate came down from up top that, oh, we need to hire another 220 people in the next eight to 12 months. So I was like, wow, there’s no IT team. And so it was pretty much just being pragmatic, just being like, hey, we want to hire this many people. Let’s get a ticketing system. Let’s hire some IT personnel, let’s make sure that the IT personnel that we hire come out of the box with these fundamental security experiences and practices.
Daniel Leslie 8:39
So that way, they can help us hit the ground running pretty fast. So it was really a matter of looking at what the immediate business needs were at that point in time. And then also making sure that I was forecasting based on what I’m seeing with this trend or these immediate asks, to map ourselves into an overall IT infrastructure that’s going to enable us to grow and bake in those baseline security protocols.
Max Saltonstall 9:05
It sounds like you had to predict both, what kind of capacity am I going to need in terms of human bandwidth? Do I need a team of two or five or 20? But also, what skills do you need? Because when you’re growing that fast, you’re kind of guessing at what the skills are that six months from now the rest of the company is going to turn to you for. So when you’re thinking about security, in particular, and securing all the aspects of that company in that phase, how did you figure out what to predict to get ahead of that growth?
Daniel Leslie 9:33
To me, it was really straightforward, hiring people who innately like to learn. Because at the end of the day, that you have to adapt, you have to evolve, and you have to have this mental flexibility to adjust and pivot as needed. So that was one of the key characteristics I looked for when hiring people.
Daniel Leslie 9:51
And it’s definitely served well, all of the guys on the IT team. They’ve been here, they’re all the original team members from like, early 2015. So we’ve been doing well, in that regard. And then even on the security side, and here’s what I kinda like to explain to some folks how I coined this phrase, I don’t know, maybe somebody else already acquainted, but like, there’s this thing, you have to be a jack of all trades, and a master of none. I kind of like flip that over and say, well, you need to be a master at being a jack of all trades. That means Yeah, you could be a jack of all trades and Master of None. But you need to master the ability to be a jack of all trades, which means you need to be able to learn —
Max Saltonstall 10:27
Pick up new skills quickly or adapt —
Daniel Leslie 10:29
Adapt, because you can be a jack of all trades and just be not really good at that. You can say I’m just picking this up and you know, like dabblers exactly like the dabbler. So it’s really coming. And it’s a lot of pressure at the same time, right? Because like we just recently rolled out Istio to our production environment last quarter, that was a big deal.
Daniel Leslie 10:50
It was a lot of testing, it was a lot of things that were going wrong, there were a lot of deep rooted bugs in that code base, but as a team, we were solving and actually contributing to the open source code, and they got it working. But it’s like that mental resilience to just stick with the problem. Until you get to that point, or at the same time not subscribing to the sunk cost fallacy.
Daniel Leslie 11:11
Instead going down the path, even though you’re failing, and it’s not working, you just are so committed and married to it, you can’t see the fact that you should just give up and pivot and move on to something else. So it’s like being able to have that kind of awareness. Yeah, the reality of your situation, you know?
Justin McCarthy 11:25
Yeah, totally. One thing you mentioned. So it sounds like you went from that 50 to over 200 team pretty quickly, if you just had some advice for that team out there, which let’s say they’re about to undergo that growth. And let’s say there’s a new head of HR, and there’s a new head of security. What are the three pillars that those two folks, you’d say, you guys just got to agree to do these three things together, you have to be allies on these three points, one of those three points. So that contract between HR and security that you’re going to want to ensure is in place before that growth phase?
Daniel Leslie 11:58
Some good question.
Justin McCarthy 12:00
Don’t leave home without these three practices.
Daniel Leslie 12:03
My first thought is like, well, I don’t know what services they’re providing. I don’t know what regulatory requirements they have to adhere to and deal with. But generically speaking, they need to identify clearly the roles and responsibilities and being able to problem solve effectively. It’s important, for example, that the HR team has that fundamental partnership, right?
Daniel Leslie 12:27
They’re coming together, looking at their roles, identifying the immediate challenge for the company, and being disciplined but not rigid, about how to address the challenges. So one, definitely policies, what are your onboarding policies? What are your onboarding policies, because if you’re going fast, you just got to be tight. And HR has, first and foremost, they’re leading the front lines of onboarding and offboarding, because they’re the ones that are telling us who’s starting. And they’re the ones who are telling us who’s leaving. And if they don’t tell us someone left for a month, that’s a problem. Right?
Daniel Leslie 13:02
Especially if they’re like, oh, sorry, this person pretty much has the keys to everything. And now that they’re no longer with us, not definitely a friend use case, like people are going to notice when your site reliability engineer just doesn’t show up for multiple weeks. But that’s the first one, it was like, make sure your policies are tight with regards to kind of like onboarding, offboarding, the acceptable use, and identifying your key risks, doing like that, quote, unquote, the pre mortem, like what could go wrong. And then making sure you’re having those conversations, and also checking egos at the door.
Daniel Leslie 13:35
That’s one of the things that I’ve noticed, too, is like, when you’re growing fast, people are feeling a lot of pressures, like all of a sudden, you came in to do this one job. Two weeks later, you’re doing five jobs. And then having that kind of like emotional intelligence to recognize when people are getting spread thin, and not compounding those pressures on the individual. And then at the same time, again, being respectful of the roles and how people need to hold themselves accountable, and how to hold each other accountable. So you were going to ask a question?
Max Saltonstall 14:03
Oh, I was thinking about how, as you’re onboarding a lot of people as you’re growing quickly, you need to also educate those new employees on what to look out for, right? What are the risks? What are you, you know, information security, really worried about? That they, whether sales or marketing or software engineering or legal, can help you with?
Max Saltonstall 14:20
So how do you communicate that in a way that informs them or makes them useful allies, instead of either scaring them or just browbeating them like don’t ever click a link, because that’s not very useful advice.
Daniel Leslie 14:32
So that was like one of the first things that when I started at Namely, we made a cadence where all the new hires attended an in person training with IT and security. First, we need to onboard them with the equipment. But then on the security side, I wanted to make sure from day one, people understood the breadth and depth and the scope with regard to their role in relationship to Namely and the mission, and really just looking people in the face and like creating that two way street, having a conversation like hey, here’s what we’re dealing with. Here’s what our clients are expecting of us.
Daniel Leslie 15:06
And then also making sure people, new hires and team members continuously feel empowered to challenge assumptions about a process, even if they suspect something is wrong, still bring it up, even if they’re not sure. So just having that fundamental security awareness training in place was key. And of course, you know, HR has to enable that and approve that, as we move forward. And as we need to change it and pivot getting that support.
Max Saltonstall 15:31
Yeah, I feel like everyone does the security awareness training, but most of them are terrible. So how do you make good security awareness training for those employees?
Daniel Leslie 15:39
Well, good is, that’s definitely a relative thing. Like what’s good to one person is maybe not to another. I think, at the end of the day, you need to just make sure you’re covering your bases, right? All of the common things that must be addressed, for your space, for your risk profile. And then from there, you can figure out, how can we make this more engaging? What can we do to elicit that sense of ownership?
Daniel Leslie 16:07
One of the things that we talked about in our role specific trainings is the due care principle. At the end of the day, we want to make sure we’re exercising due care. And what does that mean for you? Due care means slowing down, double checking your work, challenging assumptions on the process. If you don’t know, your team is immediately available to you to answer questions, if they don’t know the answer, escalate to your manager, or escalate to security, like making people just feel empowered, that they’re not going to be chastised for asking questions that they might think people will think they don’t know what they’re doing, right? Because a lot of times people are shy, they might feel embarrassed, they might be reluctant to ask a question out of a fear of people perceiving them as incompetent.
Daniel Leslie 16:55
Safe to fail. Yep, exactly. So you hit the nail on it. This is like the culture code. These are the three core things, psychological safety, vulnerability and purpose, you got to make sure you’re addressing those things. It just says, As a manager, as a team, as an organization, because those are reinforcing variables in the day to day mindset of people.
Max Saltonstall 17:15
I’m curious, with all of that PII, you’re managing crucial HR data for tons of clients. Plus, I’m assuming all of your employees, so you’ve got the most sought after data. Do you have different gradations as you think about security rigor for your systems that are going to handle that PII versus like systems? They’re going to handle what snacks you ordered last week? Are there different realms that you’re trying to treat from different security angles?
Daniel Leslie 17:43
Yes, just like any other organization, we have role based access controls, we have systems that are high risk, the shared fake systems, and based on those risk profiles determines how they get managed and handled.
Max Saltonstall 17:57
Can you tell me more about what those gradations mean? Is it really just high risk, low risk? Do you have something, or are there methods that you’ve had to use to make sure that those high risk systems stay safe over time, as you’ve refined it?
Daniel Leslie 18:09
Yeah, it’s an ongoing process, right, the process never ends as our technologies change, as new features get pushed to production. It’s a constant evaluation of how has this risk profile changed since the last time we looked at it last quarter? Or how has this system changed since we moved into this new data schema, right? And just constant evaluation of that. And following those principles of probability of something going wrong, severity if it did go wrong, and what are the mechanisms or the things available for us to mitigate? So nothing, no nothing, particularly novel or original here, just run of the mill risk management, data security practices.
Max Saltonstall 18:57
Now you’ve got a company that’s been growing really quickly over the last few years. So I’m guessing you’re also weighing in on the design processes, new features, and new capabilities are being added to this suite of tools? So how do you help the folks on the product and the engineering side think about designing for security as they’re building out new parts of the platform?
Daniel Leslie 19:18
So our tech leads, by and large, are the ones leading that forefront and they come to security in the event that there is additional support needed, or if it’s not clear, or there’s something that might be a little bit more ambiguous. We have a design process. And then within the design process, there’s a section about security and privacy. Does this new feature impact or encroach on confidentiality, security and privacy?
Daniel Leslie 19:43
If so, let’s look at how, let’s look at what controls may already exist in the ecosystem. And if not, what are the things that are going to be included into this design to address those things? So it’s really a matter of just following the traditional software development lifecycle practices, but making sure security is on that checklist.
Daniel Leslie 20:06
There’s always room for improvement. I think every organization looks at these things and like, wants to iterate and make sure they’re adhering to best practices and demonstrating due care and diligence on these fronts. At least I hope organizations are taking that into consideration. You never know.
Daniel Leslie 20:22
No, it’s fine. We’ve solved it. We’re done.
Max Saltonstall 20:25
Yeah, exactly. Right. Next problem.
Justin McCarthy 20:30
So since you guys are an HR platform, and since you have some respect and empathy for the HR role as a result, one area that comes to mind for me, every time I think about that intersection between security and HR, actually, there’s a couple of areas. One that’s just really concrete, and really practical, is the role of background checks. So is that something that’s sort of pervasive and part of your process, and is there any new twist on that you can offer, or just do them?
Daniel Leslie 20:55
Definitely baked into our process. We even have it as a part of our IT workflow where we know a new hire’s coming in. But yes, this person’s been hired, pending background check clearance, right? So it is like a little checkbox that you see there, true or false, yes, passed. If not, then it’s going to get removed off the list. So it’s baked in. So IT knows and everyone has linear line of sight of what that status is, and each industry is different, right? Like we have a high standard of diligence with regards to not only just the team members we want to hire in terms of their capacity, their skills, or emotional intelligence or technical acumen.
Daniel Leslie 21:32
But also general safety, right? Is this person coming in and not bringing in, I don’t know, like some sort of thing that wouldn’t reflect well on the brand of Namely, right? If someone comes in, it’s like a conflict of interest that this person was charged with something and pleaded guilty, or whatever it might be, like that scenario, we got to think about those things, let’s say for someone who’s just like committed fraud, or they did like insider trading, has personally gone to jail for insider trading.
Daniel Leslie 21:58
And here they are working at a technical company that is hosting data for other tech companies, right? Let’s say for example, we have a client that’s getting bought out by another company, that person might be privy to it, like coming up with like a scenario that I would think through to explain why this would be relevant to an HR person like, hey, this might be a risk for us, because, or whatever. Typically, I don’t get involved in like that level of stuff. HR usually deals with it, and they have their protocol. But those are the sort of conversations I would have to explain scenarios that are, why these questions are relevant.
Max Saltonstall 22:31
Have there been new steps in that vetting process or validating process that you wanted to add where you really needed to work hard to get buy in from other stakeholders, whether from HR elsewhere, like a security thing that you thought the company needs, but other people weren’t quite seeing it until you laid the story out differently? Or provided some more evidence?
Daniel Leslie 22:52
I’m trying to think, a lot of times I have to provide context, why we should introduce a feature or a process or something along those lines. But typically, I think I’ve just been pretty lucky that folks just get it. You know, it’s kind of like, hey, like, I think we should be doing this. Here’s why. And sometimes it’s not even coming from me, sometimes people come to me, because they want me to help give them support, they want me to co sign something that they’re pushing for, whether it’s just a process change, right, let’s say, hey, this process is just inefficient, but also, here’s the additional risk that we’re incurring by having these four extra steps.
Daniel Leslie 23:27
What do you think Daniel? And I look at that, but yeah, that makes sense. It’s like, all right, they went to security intelligence team to weigh in, and add that other push from that angle. So it’s been a two way street like me coming unilaterally from the security side. And then other business units coming to me looking for additional support on things that they want to prioritize on a process change or something along those lines.
Daniel Leslie 23:50
And that’s great. That’s the sort of ecosystem you want, in your collaborative sounds like, exactly, because you have other people have folks who are dealing with the stuff day to day, challenging the summer of a process, recognizing a potential risk, feeling empowered to raise that up to their managers, or to the engineering team, or the product team and to the security team, and, you know, helps drive progress and continuous improvement, relevant continuous improvement, too, because sometimes you can have continuous improvement, totally going the wrong direction. Again, we continuously improved our way off the cliff, we want to continuously improve our way, in a direction that keeps us innovative and relevant to the industry into our clients.
Justin McCarthy 24:30
Yeah. So back to the relationship with HR, one area that I know I always think about is, especially in the growth phase, that candidate experience. So that new hire experience, from interviewing at the company through getting the offer through onboarding, so I feel like I’ve spent a lot of hours working on that in my career, where I’ve spent far less time.
Justin McCarthy 24:50
And attention is the other side of that. And I’m not talking about separations where this person went into retirement, I’m talking about the uncomfortable separations. So when you have a termination, there is a spectrum of ways that you can do it, where that person feels just absolutely burned, or can kind of understand maybe why it needed to happen. And there’s absolutely an intersection with security there. So any wisdom you can offer about really mastery of that unfortunate but necessary part of life?
Daniel Leslie 25:21
You know, that’s always the tough part of the job. And like you said, necessary at times, and some people get it. And my thing, at least from a security mindset, is that disgruntled employee who, like you said, does feel like they were treated unfairly, does feel like they have a grudge. And bottom line, to me, just being respectful at the end of the day, and being transparent. And also your IT and security team having a rigorous checklist for offboarding to make sure that you know when that time comes, you have a high degree of confidence that you’ve sorted out all of the potential access that that person could have, so if they do want to be disgruntled and do something damaging, they can’t.
Daniel Leslie 26:02
And that’s what it really boils down to get respecting people, making sure your onboarding process is tight. Single Sign On has been great for that for like, majority of your stuff is single sign on, you just turn off your single sign on access. The other thing too, is also sessions. And I’ve mentioned this to another colleague, I shared our checklist with them say, Hey, here’s what you need to do. Here’s how to quantify and it shows you what percentage of the checklist is complete.
Daniel Leslie 26:26
And then there’s a thing in there it says kill sessions. He’s like, what do you mean kill sessions like, well, if you’re logged into your browser, that session still might be valid, even though you turned it off in one login unless there’s a mechanism or Okta that is going to go in and kill the session automatically. I don’t know for sure I’ve tested it, and it didn’t. So when I saw that, I was like, Oh, wait a minute, guys, we’re adding this new step to check that when we did this, like years ago. So that would be kind of like the one tidbit I would add is like to double check. The sessions are also killed as well.
Max Saltonstall 26:57
When you’re thinking about stuff you want to add to that checklist or to the onboarding process, how do you prioritize? Because I’m sure you have way more things you’d like to do for your team than you actually have the bandwidth to accomplish.
Max Saltonstall 27:10
How do you prioritize what you’re going to add, or what you’re going to develop? In a checklist in general, then security in general, like for that continuous improvement you’re talking about? There’s still so many options for what could you do tomorrow, right, or, you know, next week?
Daniel Leslie 27:25
Great question. And there’s two ways of going about this over the past several years. And something that I’ve used when I was working at a healthcare tech company, where we developed class one, class two medical devices. So FDA was really involved in making sure our processes were tight. But it’s just a framework, like for example, we use the NIST cybersecurity framework.
Daniel Leslie 27:45
And it has, like, the five categories. Knowing your posture in each one of those categories, like for Identify, on a scale of one to 10, where do you rate yourself? How do you know you don’t need to spend too much more resources focusing on Identify than Protect, right? So basically, I look at each one of those categories there: which one needs more work? All right. So we obviously see that this area, this particular core area from the framework, needs more work. What are the things that we could be doing this quarter, or this year, to focus in on that? And then just map it, say, Hey, we want it to be for this aspect of our capability.
Daniel Leslie 28:24
Here’s what we’ve done. Oh, you want to know why we wanted to spend time focusing on this aspect of our capability? Well, because when we did our assessment on the framework, this was kind of the weaker one out of all the rest. And then even for the Top 20 Critical Security Controls, same thing: for number one, there’s like 10 different things you can do to meet that criteria. Give yourself a grade, like, out of the 10, are you doing five or six, right?
Daniel Leslie 28:47
And then you have a letter grade for each one of those categories, and then it’s simply a matter of looking at that metric and focusing your attention appropriately. Nothing novel, just stuff that I hope security professionals out there are doing and the risk professionals are doing anyway. But you know, it’s served us, and it’s doing its job. Right.
Justin McCarthy 29:06
One thing that, of course, is a normal thing on technology teams, a normal thing on an IT team, is just the reliance on ticketing. So you mentioned it before. That’s something that, actually, the experience with and the reliance on ticketing is pervasive in the tech teams, and maybe in some other teams folks aren’t accustomed to sort of living their whole lives inside of tickets. Have you had any unpleasant, or maybe not yet perfect, experiences trying to sort of broach the idea of structure and traceability, maybe, and just sort of commingling some of these, let’s say, security checklists with some other, more pure HR checklists?
Justin McCarthy 29:43
Give me some context on that from China. So you’re onboarding me to the team; it makes sense that there’s some training that I’m going through, and it makes sense that that would exist in some document that’s controlled by HR, let’s say. But then if there’s some implication, if I need a VPN account created or something like that, that may be handed out to another sub-team or something, and the way you might do that is with a JIRA ticket, because that’s sort of the ticketing scheme that that team speaks. So how do you connect the traceability of these activities? How are they connected together so that you can actually span some of these actions across teams?
Daniel Leslie 30:15
So how do I take a request in and have traceability around the approval, the appropriateness of the access?
Justin McCarthy 30:23
Yeah, I just know that something that, like I said, it’s very familiar to folks from certain backgrounds, and the idea that, essentially, like, you always need a ticket to talk to or follow up on a topic might be new to some other folks.
Max Saltonstall 30:35
I need a ticket to do anything.
Daniel Leslie 30:38
Yeah, pretty much the same at Namely. Trying to figure out, so for traceability, I think, reflecting back on when we first rolled out our ticketing system back in early 2015, the first thing I did was we did a mind map. So we went to the whiteboard and just mapped out all the core categories and the subcategories, before we even started configuring the ticketing system, to make sure it just made sense. And then we have that as, like, a change control back. If we need to add a new system to it, we’re like, hey, let’s update the master mind map of our ticketing system categories, and keep it updated that way.
Daniel Leslie 31:14
And then, from a traceability standpoint, it ends up just boiling down to the reporting. Like, does your ticketing system come with the robust reporting you need to demonstrate, to show traceability? And if so, you’d better hope your categories got mapped effectively, or that report isn’t really going to make much sense, or it’s going to make you look really bad. So I think it’s important to do the upfront work and just scope out what categories require approval versus ones that don’t require approval.
Daniel Leslie 31:43
Which ones can you drop, create some macros for, so your team can simply just drop the macro on it and move on to the next ticket? One thing that has served pretty well over the past couple years is how the security team is able to drill into our metrics. Like, I’m able to report, or the team is able to report, on every single incident that we’re aware of that has come up, and we’re able to see which system, which team, the general sequence of events, due to the way we’ve set up our reporting structure and collaboration with our legal team, and in alignment with our incident response. So I can look at, if someone says, hey, what were the biggest problems that popped up for you during 2018?
Daniel Leslie 32:24
I could go in and run a report and say, Hey, here’s where we’ve seen some of the errors, most of the errors this year, during 2018. All right, now that we see that, what are we doing about it to bring that number down going into 2019? And that’s served very well with respect to being able to generate a report for our board of directors.
Daniel Leslie 32:43
For those of you who are New York based, the Department of Financial Services for New York passed legislation a couple years ago requiring that you write a report to the board of directors demonstrating the material risks to your organization: any findings or things that would be immediately relevant within the scope of operating a business such as Namely, that is processing a billion-plus dollars a month. And having that granularity baked into our ticketing system has served really well in being able to demonstrate how we focused attention, where we need to double down, where we’re doing well. And then at the same time, traceability, back to your point, like, how do you have traceability around how these things are started and how they’re being dealt with?
Max Saltonstall 33:25
Can you talk a little bit more about that reporting upwards? When you’re delivering summary information to folks who are not security experts, what do you find is helpful to paint a good picture, but also not either alarm them or get them suddenly breathing down your neck to fix everything that you’ve called out as wrong?
Daniel Leslie 33:44
Context. And at the end of the day, it’s like you have to be able to illustrate how you’ve come to your conclusions. Here’s why I’m saying this, and then walk the reader through, or the audience through, that process in a way that we moved out. I’m pretty sure you and other folks in security have always probably been scrutinizing, like, how do you know this? No, trust but verify.
Daniel Leslie 34:11
So making sure that the process and the conclusions that you present can be reproduced. And then in the event that folks are technical, I don’t really talk about technical things in that kind of report, right? It’s pretty high level; it’s enough of a description to say, hey, for data leak prevention, here’s what we’ve done. Data leak prevention is going to mitigate the risk of data leaking out or sensitive data being mishandled, and these are the mechanisms we have in place for that, or for whatever the scenario might be. Like, just being able to walk through the thinking process in a pithy way at the same time, right? Because you can go and write a book on data leak prevention and no one’s going to read it.
Daniel Leslie 34:55
Or they’re just going to come to the same conclusion that everyone else already knew anyway.
Daniel Leslie 35:03
So for the report I had to do, it’s just kind of like, hey, here are the relevant sections that the legislation is saying we have to address or communicate to the board. Here’s what we’ve done. Here’s how we’re dealing with it. Quick summary, and then recommendations.
Daniel Leslie 35:14
Hey, here’s what happened last year. Here’s what we did about it since last year. Here’s what we got better at. For the recommendations, quick, pithy bullet points, and metrics, say, Hey, over the past four years, five years, we’ve had penetration tests by a third party; look at how our ratings have gone down over the past several years. Or it might be the case where, Hey, your ratings have gone up? Why the heck is that going up? And being able to talk to those points as needed.
Justin McCarthy 35:42
As you look forward, is there anything on your roadmap that is becoming possible because it’s either enabled by some new average skilled workforce, or it’s enabled by some change in technology? Is there something you’re looking forward to in 2019 and beyond?
Daniel Leslie 35:57
Ooh, what am I looking forward to, from, like, a scale or, like, a technology standpoint?
Justin McCarthy 36:01
Yeah, like, is there a new practice or a new philosophy that you’re imagining, like, if we can complete the rollout of this idea, then things are going to feel different to me in 2020?
Daniel Leslie 36:12
I don’t know. So one of the things, from, like, an authentication standpoint, there’s, like, that WebAuthn is
Justin McCarthy 36:19
We did an episode on that,
Daniel Leslie 36:20
Oh, I must have missed that one. But that’s something I’m excited to see, how that really starts to matriculate and become, like, the norm. So excited about that. There’s so much out there; like, I’m trying not to be too vendor-specific here, you know. But yeah, I have to think about that a little bit more.
Justin McCarthy 36:38
Every topic that I sort of scratched on my list is crossed off now. So Max, do you have any other high-level ones you
Max Saltonstall 36:42
want to... The other question I was thinking about is, you’re working on expanding on partnering with these other orgs within Namely. How do you go about balancing security and usability? Because there’s a lot of pull both ways, and I’m guessing a lot of the time your HR colleagues are trying to make things as smooth or as fast as possible.
Daniel Leslie 37:05
So my approach to balancing security and usability, nothing unique here, right? It’s like,
Max Saltonstall 37:11
No, but I want your perspective.
Daniel Leslie 37:12
Yeah. So my perspective is like, are we addressing the risk? And is the risk high enough that it warrants the additional loss of usability or the extra friction? If so, so be it. One of the things I’ve said to some folks is like, hey, maybe if you don’t like this, or if you feel like it’s too much pressure, this might not be the right field for you.
Daniel Leslie 37:33
Like, you shouldn’t take a job if you just can’t deal with some of the pressures. I’m not going to be a firefighter and then be mad that I have to, like, go and run into a building or deal with a problem, right? Like, that’s part of the job.
Daniel Leslie 37:48
So I think, at least for me, the folks that I’ve been working with over the past years have just been realistic and practical. And, like, in the cases where we were splitting hairs, it’s just coming to a common understanding of, like, all right, what’s going to be in the best interest of the clients and what’s going to be in the best interest of the team and the org, and letting that run its course. Nothing special there about balancing that. I wish I had, like, a true, novel idea on how to solve that, or like, Hey, here’s the formula, but it’s pretty straightforward.
Max Saltonstall 38:19
Yeah. Thank you very much. I really appreciate getting your opinion on how to navigate these security challenges in a small and growing company, and what you’re thinking about. It’s great.
Daniel Leslie 38:28
No problem. Thanks for inviting me again, and looking forward to hearing some of the other podcasts coming down the pipeline as well.
About the Author
Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.