BSidesSF 2020 - So You’re the First Security Hire (Bryan Zimmer)

Security BSides San Francisco
9 Mar 2020 · 19:25

Summary

TL;DR: Bryan, a seasoned security expert, shares his journey from protecting data in 2002 to leading Netflix's Zero Trust implementation. He offers insights for building a security program from scratch, emphasizing the importance of understanding business values, compliance, and risk tolerance. Bryan advocates for a security culture that serves the business rather than hindering it, and stresses the need for simplicity, transparency, and positive relationships with colleagues to integrate security into a company's fabric effectively.

Takeaways

  • 🛡️ Starting a security program from scratch requires a multifaceted approach, including understanding the business's 'crown jewels' and legal compliance requirements.
  • 👷 Wearing many hats is common in startups, where a security engineer might also be responsible for non-security tasks like fixing coffee machines.
  • 🤝 Building a security culture is crucial, emphasizing the importance of social skills to interact with various teams within the company.
  • 💡 Being an advisor, not the police, means understanding the business's priorities and offering security advice that aligns with its goals.
  • 💰 Recognizing that security's purpose is to support business operations, which includes protecting customer data and ensuring compliance for financial and legal reasons.
  • 🚀 Starting with security early in the business or product development process is more efficient than trying to retrofit security measures later.
  • 🔍 Conducting a risk assessment involves evaluating the company's valuable assets, compliance requirements, and the level of risk the business is willing to accept.
  • 📝 Keeping policies simple and straightforward helps maintainability and reduces the likelihood of people circumventing them.
  • 🤖 Leveraging technology platforms and services, like PaaS and zero trust architectures, can simplify security management and reduce the attack surface.
  • 🤝 Cultivating a positive security culture involves being approachable, transparent, and humble, which encourages collaboration and trust.
  • 🔑 Empowering employees to be part of the security process through education and tools helps extend the security team's reach and effectiveness.

Q & A

  • What was Bryan's initial career focus in 2002?

    - Bryan's initial career focus in 2002 was security, specifically protecting ones and zeros, before cyber security became a prominent field.

  • What is the significance of the term 'crown jewels' in the context of the script?

    - In the context of the script, 'crown jewels' refers to the most valuable assets of a business, such as customer data, intellectual property, and bank accounts, which need to be protected.

  • What is the importance of understanding the business's risk tolerance when setting up a security program?

    - Understanding the business's risk tolerance is crucial because it helps determine the level of risk the company is comfortable accepting and influences the security measures and policies that are put in place.

  • Why is it recommended to outsource certain compliance tasks when setting up a security program?

    - Outsourcing certain compliance tasks can help reduce the workload and allow the security team to focus on more critical aspects of security. It also leverages specialized expertise that may not be available in-house.

  • What is the role of culture in building an effective security program?

    - Culture plays a significant role in building an effective security program, as it helps integrate security into the business, fosters trust, and encourages collaboration across different teams.

  • What is the acronym 'START' mentioned in the script, and what does it stand for?

    - The script does not explicitly mention the acronym 'START', but based on the context, it could be inferred that 'START' could stand for 'Security, Threats, Assets, Risk, and Training', which are key components in building a security strategy.

  • Why is it important for a security professional to be more than just a 'heads down' engineer?

    - A security professional should be more than just a 'heads down' engineer because they need to interact with various teams, understand the business's needs, and advise on security measures that align with the company's goals.

  • What is the significance of the 'Security Shark Award' mentioned in the script?

    - The 'Security Shark Award' is a creative way to recognize and reward employees who contribute positively to security within the company, helping to foster a culture of security awareness.

  • What is the role of physical security in a startup, and why should it be considered?

    - Physical security plays a crucial role in protecting the company's assets and ensuring the safety of employees. It includes access controls, surveillance, and measures to prevent theft and other security incidents.

  • How can a security professional integrate into the business and build trust across different teams?

    - A security professional can integrate into the business and build trust by being transparent, approachable, and collaborative. This includes engaging with different teams, participating in company events, and being open to feedback and learning from others.


Related Tags: Security Program, Cybersecurity, Compliance, Risk Management, Zero Trust, Startup Culture, Data Protection, Policy Creation, Security Strategy, Business Integration