BSidesSF 2020 - So You’re the First Security Hire (Bryan Zimmer)
Summary
TLDR: Bryan, a seasoned security expert, shares his journey from protecting data in 2002 to leading Netflix's Zero Trust implementation. He offers insights for building a security program from scratch, emphasizing the importance of understanding business values, compliance, and risk tolerance. Bryan advocates for a security culture that serves the business rather than hindering it, and stresses the need for simplicity, transparency, and positive relationships with colleagues to effectively integrate security into a company's fabric.
Takeaways
- 🛡️ Starting a security program from scratch requires a multifaceted approach, including understanding the business's 'crown jewels' and legal compliance requirements.
- 👷 Wearing many hats is common in startups, where a security engineer might also be responsible for non-security tasks like fixing coffee machines.
- 🤝 Building a security culture is crucial, emphasizing the importance of social skills to interact with various teams within the company.
- 💡 Being an advisor, not the police, means understanding the business's priorities and offering security advice that aligns with its goals.
- 💰 Recognizing that security's purpose is to support business operations, which includes protecting customer data and ensuring compliance for financial and legal reasons.
- 🚀 Starting with security early in the business or product development process is more efficient than trying to retrofit security measures later.
- 🔍 Conducting a risk assessment involves evaluating the company's valuable assets, compliance requirements, and the level of risk the business is willing to accept.
- 📝 Keeping policies simple and straightforward helps maintainability and reduces the likelihood of people circumventing them.
- 🤖 Leveraging technology platforms and services, like PaaS and zero trust architectures, can simplify security management and reduce the attack surface.
- 🤝 Cultivating a positive security culture involves being approachable, transparent, and humble, which encourages collaboration and trust.
- 🔑 Empowering employees to be part of the security process through education and tools helps extend the security team's reach and effectiveness.
Q & A
What was Bryan's initial career focus in 2002?
- Bryan's initial career focus in 2002 was in security, specifically protecting ones and zeros, before cyber security became a prominent field.
What is the significance of the term 'crown jewels' in the context of the script?
- In the context of the script, 'crown jewels' refers to the most valuable assets of a business, such as customer data, intellectual property, and bank accounts, which need to be protected.
What is the importance of understanding the business's risk tolerance when setting up a security program?
- Understanding the business's risk tolerance is crucial because it helps determine the level of risk the company is comfortable accepting and influences the security measures and policies that are put in place.
Why is it recommended to outsource certain compliance tasks when setting up a security program?
- Outsourcing certain compliance tasks can help reduce the workload and allow the security team to focus on more critical aspects of security. It also leverages specialized expertise that may not be available in-house.
What is the role of culture in building an effective security program?
- Culture plays a significant role in building an effective security program, as it helps integrate security into the business, fosters trust, and encourages collaboration across different teams.
What is the acronym 'START' mentioned in the script, and what does it stand for?
- The script does not explicitly mention the acronym 'START', but based on the context it could be inferred that 'START' could stand for 'Security, Threats, Assets, Risk, and Training', which are key components in building a security strategy.
Why is it important for a security professional to be more than just a 'heads down' engineer?
- A security professional should be more than just a 'heads down' engineer because they need to interact with various teams, understand the business's needs, and advise on security measures that align with the company's goals.
What is the significance of the 'Security Shark Award' mentioned in the script?
- The 'Security Shark Award' is a creative way to recognize and reward employees who contribute positively to security within the company, helping to foster a culture of security awareness.
What is the role of physical security in a startup, and why should it be considered?
- Physical security plays a crucial role in protecting the company's assets and ensuring the safety of employees. It includes access controls, surveillance, and measures to prevent theft and other security incidents.
How can a security professional integrate into the business and build trust across different teams?
- A security professional can integrate into the business and build trust by being transparent, approachable, and collaborative. This includes engaging with different teams, participating in company events, and being open to feedback and learning from others.
Outlines
🛡️ Embracing Security Challenges at Startups
The speaker, Bryan, introduces his background in cybersecurity, starting from 2002 with various roles in security, including a leadership position at Netflix. He addresses the audience, particularly Dr. Seuss fans, with a playful tone. The paragraph focuses on the challenges and opportunities of setting up a security program from scratch, whether at a small company or for an individual taking on a new role. Bryan emphasizes the importance of being ready to wear many hats and not limiting oneself to a narrow scope of security. He also discusses the subjective nature of what is considered the 'right way' to do security, acknowledging that what is set up now might be questioned in the future.
🤔 Navigating the Complexities of Security Roles
This paragraph delves into the multifaceted nature of security roles, especially at startups. Bryan discusses the necessity of having strong social skills to interact with various teams within a company. He stresses the importance of establishing a security culture and understanding the business's goals and values. The speaker outlines three key responsibilities: preventing hacks, dealing with compliance, and managing security questionnaires, all of which contribute to the business's financial health. Bryan also advises on the advisory role of a security professional, highlighting the need to balance business needs with security measures.
🏢 Building a Security Strategy from the Ground Up
Bryan outlines the initial steps for creating a security strategy in a startup environment. He advises finding management support and understanding the company's security posture and goals. The speaker suggests asking critical questions during the interview process to gauge the company's commitment to security. He also emphasizes the importance of identifying the company's 'crown jewels' and understanding the legal and compliance requirements that will shape the security framework. Bryan introduces the concept of determining the business's risk tolerance and the need for a basic risk assessment.
📝 Crafting a Security Culture and Strategy
The speaker discusses the importance of developing a security culture that is approachable and positive, which encourages people to engage with security practices rather than avoid them. He highlights the need for simplicity in policies and procedures to ensure they are maintainable and effective. Bryan introduces the 'guardrails not gates' philosophy, advocating for security measures that enable rather than hinder business operations. He also stresses the importance of being a trusted advisor, fostering self-reliance among employees, and leveraging technology to simplify security management.
🔄 Integrating Security into Business Operations
Bryan talks about the importance of integrating security into the business by building relationships and trust across different departments. He suggests being transparent, appreciative, and humble to foster a good working relationship with colleagues. The speaker emphasizes the need for empathy and clear, non-technical communication to ensure everyone understands security practices. He also discusses the importance of engaging with the business to understand its needs and tailor security solutions accordingly.
🎭 Enhancing Security Engagement with Creativity
In this paragraph, Bryan shares creative ways to make security engaging and fun. He talks about the 'Security Shark Award' and other initiatives like security education posters and interactive gifts to keep security top of mind for employees. The speaker encourages finding unique ways to communicate security messages to avoid alert fatigue and to make security an enjoyable part of the workplace culture.
👮♂️ The Role of Physical Security in a Startup
Bryan briefly touches on the importance of physical security, drawing parallels with information security practices. He mentions the basics of physical security such as access controls, cameras, and alarms, and how they apply to a startup environment. The speaker also discusses the potential need for guards and addressing issues like theft and domestic violence as the company grows. He wraps up by emphasizing the role of physical security in meeting auditor requirements and maintaining a secure workplace.
Keywords
💡Security
💡Cybersecurity
💡Zero Trust
💡Compliance
💡Risk Assessment
💡Security Culture
💡Phishing Attacks
💡Two-Factor Authentication (2FA)
💡Third-Party Risk
💡Security Controls
💡Advisor
Highlights
Bryan began his career in security in 2002, before cyber became a prominent field, and has since worked in various sectors including the Department of Defense, banks, universities, and Netflix.
Led Netflix's implementation of Zero Trust, a security model that has become a must for many corporations.
Discusses the importance of wearing many hats at a startup, especially in security roles, and the evolution of responsibilities over time.
Stresses the need for critical social skills in addition to technical skills for security professionals to interact effectively with various company teams.
Outlines the three most important contributions of security to a business: preventing hacks, dealing with compliance, and filling out security questionnaires.
Advises being an advisor rather than the police within a business, understanding the importance of the business's priorities over personal security preferences.
Highlights the reality of small companies being targeted by attacks and the importance of not underestimating security needs due to size.
Emphasizes the need for management support and buy-in for security initiatives to be successful within a company.
Introduces the concept of 'guardrails not gates' as a guiding principle for security, allowing for business flow while providing necessary security.
Advocates for simplicity in security policies and procedures to ensure they are maintainable and not inviting workarounds.
Suggests using acronyms and frameworks to identify and prioritize what matters most to the business in terms of security.
Recommends outsourcing parts of compliance where possible and focusing on in-house development of security culture.
Details the importance of understanding and managing third-party and subprocessor risks in security.
Describes creating a basic risk spreadsheet as a method for tracking assets and assessing risk levels.
Talks about the importance of integrating security into the business by building relationships and trust across different teams.
Shares creative ideas for engaging employees with security practices, such as the Security Shark Award and interactive gifts.
Mentions the significance of physical security in a business, including badge systems, access controls, and monitoring.
Provides insights on the importance of setting a positive security culture, being approachable, and making security an ally rather than a feared entity.
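The basic risk spreadsheet described in the talk (likelihood of compromise × impact ÷ remediation effectiveness = risk, plus a third-party and subprocessor inventory for GDPR/CCPA) worked through as an added Python example. This is not code from the talk or from the speaker; the 1..5 scales, the priority bands and the sample asset rows are constructed here for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    """One row of the risk spreadsheet (scales are a constructed assumption)."""
    name: str
    owner: str                         # founder or team lead who knows the asset
    likelihood: int                    # 1 (unlikely) .. 5 (near certain) to be compromised
    impact: int                        # 1 (nuisance) .. 5 (business-ending)
    remediation: int                   # 1 (no control) .. 5 (control nearly eliminates it)
    third_party: Optional[str] = None  # vendor / subprocessor that holds the data, if any
    personal_data: bool = False        # customer or employee PII (GDPR / CCPA scope)

    def __post_init__(self) -> None:
        # Reject out-of-range scores early; a remediation of 0 would also divide by zero.
        for label in ("likelihood", "impact", "remediation"):
            value = getattr(self, label)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} must be 1..5, got {value}")

    @property
    def risk(self) -> float:
        """The talk's formula: likelihood x impact / remediation effectiveness."""
        return self.likelihood * self.impact / self.remediation


def priority(risk: float) -> str:
    """Map a score to a band (constructed thresholds; the maximum score is 5*5/1 = 25)."""
    if risk >= 12:
        return "critical"
    if risk >= 6:
        return "high"
    if risk >= 3:
        return "medium"
    return "low"


def rank(assets: List[Asset]) -> List[Asset]:
    """Highest risk first, so one pair of hands knows where to spend its time."""
    return sorted(assets, key=lambda a: a.risk, reverse=True)


def with_control(asset: Asset, new_remediation: int) -> Asset:
    """Re-score an asset after a control is added (put basics in place, then iterate)."""
    return replace(asset, remediation=new_remediation)


def subprocessor_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Vendors holding personal data on your behalf: the GDPR / CCPA subprocessor list."""
    inventory: Dict[str, List[str]] = {}
    for a in assets:
        if a.third_party and a.personal_data:
            inventory.setdefault(a.third_party, []).append(a.name)
    return inventory


def render(assets: List[Asset]) -> str:
    """Plain-text version of the spreadsheet, ranked by risk."""
    lines = [f"{'asset':<28}{'owner':<8}{'L':>3}{'I':>3}{'R':>3}{'risk':>7}  priority"]
    for a in rank(assets):
        lines.append(f"{a.name:<28}{a.owner:<8}{a.likelihood:>3}{a.impact:>3}"
                     f"{a.remediation:>3}{a.risk:>7.1f}  {priority(a.risk)}")
    return "\n".join(lines)


# Constructed sample rows for a small SaaS startup (not data from the talk).
SAMPLE: List[Asset] = [
    Asset("customer database", "CTO", 3, 5, 3, third_party="AWS", personal_data=True),
    Asset("G Drive shared folders", "Ops", 4, 4, 1, third_party="Google", personal_data=True),
    Asset("company bank account", "CEO", 2, 5, 4),
    Asset("CRM Slack plugin", "Sales", 3, 3, 2, third_party="example-crm", personal_data=True),
    Asset("employee laptops", "IT", 4, 3, 4),
]

if __name__ == "__main__":
    print(render(SAMPLE))
    print("\nSubprocessors:", subprocessor_inventory(SAMPLE))
    # Turning on plugin whitelisting for G Drive (remediation 1 -> 4) moves it from critical to medium.
    print("\nG Drive after whitelisting:", with_control(SAMPLE[1], 4).risk)
```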
Transcripts
Please join me in welcoming Bryan from Humu.

Ooh. So, who am I? This one goes out to all the Dr. Seuss fans in the audience. At the far end of town where the Grickle-grass grows, I began my career in security protecting ones and zeros, back in 2002 before cyber was a thing and clouds were just something about which you might sing. From the Department of Defense to banks and universities, then on to Netflix to get paid to watch movies. I led Netflix's implementation of Zero Trust, for which most people think BeyondCorp a must. Now sit back and get comfy, I'll spin you a yarn of how to use one pair of hands to protect your business from harm. Oh, thank you.
So what have you gotten yourself into? Let's say you're taking over a security program or starting the security program from scratch at a small company, or maybe you're a security engineer leveling up, maybe you're a manager whose role has expanded, or maybe you're the poor IT guy or girl that drew the short straw. So first, congratulations; also, second, I'm sorry. So on the plus side you get to do things from scratch, quote-unquote do it the right way, but just remember that the right way is very subjective, so two years from now people could be looking back and think, well, what idiot did this? And you'll have to own up and say, oh, sorry, that was me.

Be ready to wear many hats. At a startup you're definitely gonna do a ton of different roles, definitely outside of security, so don't scope your role too narrowly at first; it'll definitely narrow naturally over time. For example, I'm kind of handy, so I spent a lot of time fixing the coffee machine. Luckily now we have a third party that does that.

Let's see. Ideally you're not gonna want to be just a heads-down security engineer. You're definitely going to need those skills, but you also want critical social skills, shall we say, because you're gonna be interacting with a lot of different teams around the company: engineering, IT, legal, sales, leadership ideally. So remember that you're not just setting up security controls and all the techie stuff; you definitely have to start setting security culture. How do you want your security team to interact with people? How do you want them to interact with you? How do you want security to be valued in the company?

So why do you exist? As the Wu-Tang Clan says, C.R.E.A.M., or cash rules everything around me. You need to help the business get that dolla dolla bill, y'all. So the three most important things I do for the business are making sure we don't get hacked, dealing with compliance, and filling out incoming security questionnaires. They all either directly or indirectly bring in money, so you're either winning customers or closing those deals, you're meeting legal requirements to stay in business, or you're keeping the lights on. And by the way, just because it doesn't directly bring in money, always remember to protect your customers' data, because it's the right thing to do.

Keep in mind that you're an advisor, you're not the police. The people in the business can take your advice or just leave it. You need to understand what's important for the business and not just you. So maybe you have an urgent vuln to fix or maybe you've got a shiny new tool to buy, but the business might weigh the risk-benefit and cost-benefit and say it's really not worth it, sorry. You have to be okay with that and move on.

You might think, sure, to start, but is it really that big of a deal, because we're too small to get attacked? But no. I mean, as we know there's spray-and-pray attacks, but also even just on LinkedIn there's plenty of information to launch spear phishing attacks against you. We've seen that, definitely, and we're a small company. Depending on your customer data and the industry you're in, you may start getting more targeted attacks. I like to put out the equation of startup minus security equals easy money for attackers, because you're gonna face all the same attacks, like ransomware, extortion, data theft, all the sort of stuff that the big companies do, but attackers know that you do not have a security team, or maybe, if you're lucky, one person.

So, strategy, the first part
here. So first step is finding a company with management support for security. You definitely need buy-in from the top to get anything done, otherwise you are gonna start crying very soon. Ask, you know, during the interview process, start asking some questions like: who does the position report to? Can you talk to the CEO about your strategy? What's the budget? What's the timeline, like how big does the team want to get, and what are the goals, and what's the timeline, that sort of thing. Because you're trying to figure out, are they trying to check a box for security or do they actually deeply care about security? Ideally the company wants to start caring about security early, because as we all know, bolting on security at the end, for either the business or the product, is going to take a lot more time and effort and money. An example would be like becoming CCPA and GDPR compliant; trying to bolt those features onto a product after the fact is gonna be a big huge pain.

And then before putting in the controls and processes and procedures, always ask why. So take a step back and think, okay, well, what are we trying to do here? What's the reason behind it? How will it actually benefit us? Is there a new or a better way to do it? Which is one of the benefits of starting from scratch: you can do that. So for example, traditionally people have said, you know, hey, we need crazy long passwords that are rotated every 90 days, but then you take a step back and you realize, oh, actually we can take care of this issue, and we can take care of a bunch of different attacks, account takeover stuff, just by requiring more memorable passwords plus 2FA. You know, you might traditionally buy a fancy firewall with a bunch of security features, I won't mention names, but then you take a step back and you realize, oh, actually we can solve all these problems and eliminate a whole bunch of other problems by going with BeyondCorp and just a simple firewall.

So now on to the strategy, or the meat of the strategy, or the tofu if you prefer. If this Chromebook would scroll... oh, there we go.
So you've got one pair of hands, so how do you make sure that you are spending your limited amount of time on the most critical things? So I've created one simple, easy-to-remember acronym there for you.

First part is finding what matters most to the business: the valuables, the crown jewels. Talk to the founders, the heads of each group: what data, applications, processes, procedures matter most to the company? Things like customer data, intellectual property, bank accounts, you know, internal apps, blah blah blah blah blah. And then find what laws you have to comply with, and certifications that the business wants in addition to those legal requirements. That's going to determine what frameworks you have to use, what controls you're gonna put in place, policies, and generally how fast and loose you can play with security. Dealing with compliance might be one of the big reasons why your position was created in the first place. A lot of people hate to admit that, but there will likely be some compliance parts of your job. My recommendation is outsource as much of the compliance stuff as you can, like gap assessments and audits and getting policies, but realize you're still gonna be doing a bunch of the heavy lifting putting that in place.

And then find out what level of risk the business is comfortable accepting. So getting a general feel from the co-founders, like, do they want to move faster and accept more risk, or do they want to move a little more slowly and dot all the i's and cross all the t's? Some basic examples would be, you know, if there's a medium risk of exposing customer data with this new feature, but the new feature is gonna close a giant deal, you know, do they want to move forward with that or do they want to fix the issue first before moving on? Or do you block installation of software on employees' laptops, or do you trust them to use their best judgment and let them install whatever they want? Or do you have air-gapped systems for the most sensitive?
A slight tangent here related to risk: third-party risk. Do you really know where your data is? So you might think you have a small AWS and GCP footprint, but your data could be going to all kinds of places thanks to G Suite plugins, Slack plugins, Chrome extensions, all that sort of stuff. So I recommend turning on whitelisting from the beginning so you can start getting a handle on this sort of stuff, especially things that have access to G Drive, because that's where a ton of sensitive business information is these days. Definitely don't take more than like a day to answer those requests, otherwise you're gonna be holding up the business, which pisses off a lot of people, which I'll go into a little bit later. And then take an inventory of applications and integrations, try to gather some security information on them. Good luck if you're a small company and trying to get any sort of response out of security at whatever-company dot com. And then create a basic risk spreadsheet so you can track your assets and your risk. I do something basic like likelihood of compromise times impact divided by remediation effectiveness equals your risk. Just a good basic idea; you can get fancy with something like CVSS if you want. Remember that third-party and subprocessor inventory is kind of important for GDPR and CCPA. You definitely need to know where your data is going and who your subprocessors are.

Back to a little more of the strategy: threats. So finding your cyber threats and ideally your physical threats as well. You can use MITRE's ATT&CK framework for some ideas; you can also use Verizon's DBIR report. Shout out to Alex Pinto, I know you're in the audience riding a capybara somewhere. And then you can use CVSS for ranking them. Unauthorized access to data, data being held ransom, using trusted access to access your customers or attack your customers, those are some of the big ones.
Talk to the co-founders and get their input, see if they agree with you, see if they've got some other ideas, see what are the biggest threats.

Next you're gonna start setting culture, because security isn't just about technology, it's definitely the people too. I'll get more into that in a couple slides. And then good security culture makes it easier to integrate into the business, start building trust and getting into those important teams and workflows, and I'll get more into that too in a second.

And the last part of the strategy here. So then comes every engineer's favorite part, the policies. You might be able to actually skip these if you're lucky, if you don't have a bunch of laws and certifications to comply with, but you may actually have large customers that demand you have certifications, so you're back to square one. I recommend getting templates from whoever you're outsourcing compliance to. Also, if you want to go the cheap route, which might take a little more effort, you can go to most universities' websites; all their policies are typically public. Work smarter, not harder: copy and paste, and then of course tweak them to fit your business. So do you really need that 10-page password policy, or can you just go with, you know, a paragraph? You don't really need to go crazy.

And then lastly you start putting the controls in place. This is where all of us engineering types are most comfortable, so things like 2FA, anti-malware, inventory, access control, yada yada yada. You're gonna select those controls based on these inputs you've gotten in the previous steps and select what's right for the business. So, you know, you're probably not gonna have 3FA on an air-gapped network if you're just selling cat emojis. So keep it simple; that's one of my guiding principles that I'll go into in a minute. And then iterate: put the basics in place and then improve as you go along. So if you haven't been in a small company before, you might be most comfortable with, like, hey, I need to get this done 100% right the first time, but you're gonna realize that you're gonna want to get like 80% there at a startup, because you're gonna be moving in tons of directions with one pair of hands, and then come back and finish the 20% later. Remember that perfect is the enemy of the good.

Guiding principles. So
"guardrails, not gates" is a saying I got from Jason Chan from my time at Netflix. So people hate hearing no. It definitely gets in their way, prevents them from doing their job, yeah, you become a source of their anger, so they won't want to come work with you again; they'll definitely try to go around you. So don't hold up the business unless it's something critical. Let people get their jobs done, and like I said, you're here to serve as an advisor, you're not the military. And be wanted, not feared. You know, do you want to be this feared security person or do you want to be the one that people love to work with? Which one is going to get better results for you? Definitely create an approachable and positive security culture. People are gonna want to bring you their questions and issues rather than you having to go and dig them up, which takes a lot more time. I'll go into that in a little bit.

And then keep it simple, like I mentioned here. So complex policies and procedures are gonna be hard to maintain, and (there we go, scroll) they're definitely gonna invite people to the point of going around them. So choose short policies, choose painless security reviews, choose platforms as a service, choose zero trust, choose life, choose Trainspotting references. Keep it simple and you're gonna remove an entire class of security concerns. Like, platform-as-a-service has almost no infrastructure to administer, remained IRB's insecure; zero trust is gonna, you know, eliminate a bunch of traditional network security architecture and network security concerns. So you've got one pair of hands, so let AWS and GCP take care of all those old-school security issues for you. Shameless plug for my talk from a couple years ago on zero trust at Netflix. And then make people self-reliant so they can be your hands, or sorry, your eyes and ears, because you can't be everywhere at once. So give them the tools, you know, to be on that paved path that's inside the guardrails, and the education to use them, because you won't have the time to be around and be involved in every single security decision.
Let me start getting into the culture here. How well you integrate into the business, or how well you integrate security into the business, is gonna depend on the principles you set, and also the culture and how you and your future team interact with people.

So be transparent. You know, if you're gonna install something on someone's laptop, the first thing they're gonna be like is, what's going on here, are you spying on me? It's like, no, this thing is gonna catch malware for you, it's gonna protect you, there's literally no way it can spy on you, here's the manual if you want to double check. Just having some rapport with the person, showing them what's going on and being transparent on your decisions.

Appreciate people, so say thank you. It's simple but it goes a long way. Just hearing thank you in the office really improves a lot of things, like a relationship with people. You know what I do is, if someone has helped improve security some way, or they report a good phishing attack or whatever, I give a Security Shark Award at our All Hands meetings. So it's like an Amazon gift certificate. I'll say, hey, person X did this, thank you very much, and give them a little reward. Gets the word out there, keeps security in people's minds, and also says thank you to the person.

And be humble, so no one wants to work with a brilliant jerk; we've all worked with brilliant jerks. I do jujitsu and it's taught me many things. Most importantly is that you're gonna learn, of course, from people above you and, you know, your peers, probably, ideally, but you're also gonna learn from people below you. So treat everyone with respect, treat everyone as a pro that you can learn something from. You know, say like, hey, this area is not my area of expertise, can you teach me something about this and we can work together on this issue? It's exactly what I did with some AppSec vulns we had. I can barely spell AppSec, so I went to our head engineer, was like, hey, we've got this issue, can you explain it to me, can we work together, like how can we fix this? And the two of us worked on it together, which goes much better than just, like, hey, fix this for me.

Feedback. So you can't improve, and you definitely should want to improve, so you can't improve in a vacuum. Ask people for feedback. Seed the conversation with examples, like, hey, we just rolled out this tool, what do you think about it? Or, we're gonna do this, what do you think about that? Or, in this meeting I said this, did I sound like a jackass? What do you think, how can I improve?

Empathy. So always assume good intent. You know, people are just trying to get their jobs done. You know, some traditional security person might hear, like, oh hey, person comes up to you and says, I need an FTP server right now, like I need to transfer this file, and you might go, whoa, head explode. But no, take a step back and realize, okay, let's dig in a little bit. This person's trying to get their job done. Okay, they have this important file for the CEO or whoever, they need to transfer it now. They just didn't realize that we've got a paved path here to get this transferred securely and quickly, or maybe they don't have an option right now, so then you work with them to come up with a more secure solution. So I always assume good intent.

The little things: speak English, not techie. A couple of these points were in some of the other talks as well. It definitely alienates people if you're going to talk about the lithium crystals and rotating your cables every hundred thousand packets, that sort of thing. You know, if you're talking to legal they're gonna be like, what in the hell are you talking about? They're not gonna want to come back and talk to you again. So tailor your level of techie to the audience. And say hi in the hallway, make eye contact, just basic interpersonal skills, I mean not just on your team but like random people in the office. It definitely improves the culture and it helps get you integrated into the company. Let's see, and also try it out in the real world, it's nice.

And then the last thing on security culture is sending the elevator back down. So use your position of power at the top to help out others below you. We're never gonna increase diversity or fill hiring gaps if you don't get out there. Like, spend some effort trying to get out there finding women and minorities who either work with you or outside the office, interns, recent college graduates who are trying to start their careers. Invite them to conversations and projects, and invite them to industry events. Try to help them build their network, give them career advice. High school teachers definitely need people to come talk and inspire their students.
You can skip fancy universities; people at community colleges, high schools and poor school districts are gonna definitely appreciate it and use it a lot more.

Integrating into the company: socialize. So start building relationships and trust across the business. You know, you're gonna need to work with engineering for production-type stuff, IT for malware and corporate-type stuff, legal for contract review, sales for incoming security questionnaires. Go talk to the sales team and ask how many deals have we lost because we didn't have security thing X, and that'll show that you're trying to help out the security team. You can also take that number to leadership and say, hey, we need to spend a bunch of money, and here's one of the reasons why. We've, you know, a trade-off of cost there. Time's really running out. And then find the major stakeholders and the team leaders, meet with them regularly over lunch and one-on-ones, and then try to build a relationship.

Like I talked about, increasing visibility. So you want to find the security issues and also keep yourself visible in the eyes of the rest of the company. So, you know, have new employee security training, yearly security training, developer security training. Go to the other teams' all hands; it's like a fly on the wall to keep your finger on the pulse and hear what's going on security-related there. Of course, don't over-communicate, because people are gonna get alert fatigue and just start ignoring you after a while, and remember to tailor the content to the specific audience; don't blast out email to the entire company if it only applies to half the company. And then recruit people on the other teams who are interested in security to be your eyes and ears and potentially hands to help you fix issues and report things. Collaborate, don't be a dictator; don't just throw stuff over the fence. Like I mentioned earlier, it's gonna go much better if you could say, hey, how can we work on this together, rather than just, like, here, please fix this problem.
[Music]
Engagement. We all know security is a dry topic: "Hey, pick a strong password, don't share your password, don't do this, don't do that." I like to get creative and make it a little fun. Here's the security shark award that I hand out with an Amazon gift certificate at the all-hands meetings when I was at Netflix. I did some security education posters around the office in October; this one was pushing password managers. Who doesn't love hedgehogs? The head of legal said she loved this one. Also two-factor auth; I know somebody here who was attending had an icon of a sloth, thank you.

And then a little last one, or a couple more slides. At our white elephant Christmas party a couple of years ago, my contribution for the gift pile was a picture of myself, which people thought was hilarious until I told them that there was a hidden gift card in there. So they did the trading and then eventually pulled it apart; they didn't find a gift card. It took a while, but they eventually found out that if you held the picture over a heat source, the Amazon gift card was written in lemon juice and then it appeared. The CEO loved that so much that he now hides this picture regularly around the office with another card hidden in it, a coffee card, and if you find it you get to hide it for the next person. People loved that so much that they took my picture and put it on t-shirts for one of our Halloween costume competition things, and on the back you'll see there's a bunch of letters; if you unscramble that, you find out where the prize was. Now I have a picture, a write-up, a t-shirt with my picture on it, which is weird. Anyway, I love wearing it around; it's great, makes me look famous or something.
And last thing, oh good, I think it's going to work out: physical security. Why would you care about physical security? Maybe you want to learn something new, and really, who else is going to do it at a startup? There are a lot of similarities with infosec. You've got badges and doors for authentication and access controls. You've got cameras, ideally facing out the external doors, for after-the-fact monitoring. Remember, do not face the cameras in; that tends to creep people out. And likely you're not going to have alarms, because ideally people are taking their laptops home at the end of the day, and you've got no corp network, so if someone does plug into your network, whatever, that's nice. And people also forget to set alarms anyway, so they're kind of useless. Yes sir, thank you.

And then other things: you're only going to have to worry about theft for really the first few years, but as you get bigger you might want to start investing in guards. There could be domestic violence issues; that's one of the big ones that comes up. Targeted attacks, you know, as your leadership gets higher profile, maybe attacks against them, that sort of stuff. I've heard of things like teams doing international extractions on big physical security teams, but don't worry about that. Really, all you have to worry about is theft: keeping the doors locked, and then cameras to satisfy the auditors and potentially tracking down what got stolen.

I went a little fast because we lost some time with filling the theater, but I think I got in under the wire. I don't think I have any time for questions, but I'll take softball questions outside. If you want to, you can add me on LinkedIn; I will happily answer any questions via LinkedIn, or just find me outside and ask your questions. Thank you.
[Applause]