“Marie Kondo your services and data… they don’t spark joy” – Leigh Honeywell
MC: Michael Schell of EdgeScan
John Heasman | Deputy CISO, VP Security Engineering | DocuSign
Justin Calmus | CSO | OneLogin
Leigh Honeywell | CEO | Tall Poppy
Maximilian Burkhardt | Security Engineer | Airbnb
Joshua Kuiros | Sr. Software Engineer | DataGrail
Enterprise Ireland hosts this edition of: Data + Donuts
While Marie Kondo has amassed an entourage of those set out to declutter their wardrobes and that sadly neglected junk drawer, the idea of decluttering has also made waves within businesses with the rise of new privacy regulations. Laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), with more soon to go into effect, continue to encourage companies to re-examine their security operations, data collection practices, developer infrastructure, and how to collectively triage the most critical threats to the overall enterprise.
Security executives and developers from DocuSign, OneLogin, Tall Poppy, Airbnb, and DataGrail sat down with Enterprise Ireland to share the challenges their teams face and how the tactical solutions they’ve instituted have helped shape a cohesive culture based on the importance of feedback, setting clear guidelines, and leading with humility. Below we recap the ways in which their teams together drive business continuity and lay the foundations for a secure and privacy-focused operation:
1. Developing your Prioritization Stack
- “Developers have a lot of competing priorities…security coming in reviewing the code, implementation, and design…customer support…security legacy and bugs. And they need leadership buy-in to unpick that and {set up} clear guidelines for developers to work with.” – John Heasman, DocuSign
- “When you have buy-in on security as a first class feature… it can really help make the hard decisions. Nothing else really matters if you can’t keep your application safe.” – Josh Kuiros, DataGrail
2. A New Era of Data Collection
- “A part of the culture is keeping people’s data safe, not just for GDPR compliance, but because it is the right thing to do. Moral and ethical values are important to hold true to.” – Leigh Honeywell, Tall Poppy
- “Our philosophy on data is we don’t want it. If a user still wants to give us their data, we are questioning why… If you don’t need the data, don’t maintain the data.” – Justin Calmus, OneLogin
3. Data Privacy vs Data Security
- “Building a culture around data minimization is huge, asking the questions: what data do we have and do we need it? {Then} make sure you are being responsible with it. And security obviously plays a huge role. {As} with these regulations, these infractions now come with real penalties.” – Josh Kuiros, DataGrail
- “As you are shifting…produce clear guidelines…and GDPR training where necessary. We do a lot of threat modeling…We turned ‘STRIDE’ into ‘STRIPED’… added the extra ‘P’ for privacy…at first we worried, should we keep these discussions separate? However, it’s really two sides of the same coin… protecting data and privacy. We brought in the privacy team to those threat modeling meetings…the benefit is we learn off each other…and we have one meeting where we cover all concerns.” – John Heasman, DocuSign
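The two points above (data minimization, and threat modeling with an added privacy category) can be exercised together in code. The following is an added example written for this recap; it is not DocuSign’s or DataGrail’s tooling, and the rule set that maps data-flow attributes to STRIDE letters, the placement of the extra “P”, and the sample flows, PII list and purposes are all constructed assumptions for illustration.

```python
"""STRIPED (STRIDE + Privacy) walk over a small data-flow model, plus a
data-minimization check. Example code; rules and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# STRIDE with the extra "P" the panel describes. Letter placement is an assumption.
STRIPED = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "P": "Privacy",
    "E": "Elevation of privilege", "D": "Denial of service",
}


@dataclass(frozen=True)
class DataFlow:
    name: str
    source: str
    sink: str
    fields: Tuple[str, ...]        # data items carried on this flow
    authenticated: bool            # sink verifies the caller's identity
    encrypted_in_transit: bool
    audit_logged: bool             # sink records who did what
    crosses_trust_boundary: bool   # e.g. internet -> internal service


def needed_fields(purposes: Dict[str, Set[str]]) -> Set[str]:
    """Union of every field some documented purpose needs."""
    return set().union(*purposes.values()) if purposes else set()


def threats_for(flow: DataFlow, pii: Set[str],
                purposes: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (STRIPED letter, finding) pairs for one flow.
    The rules are deliberately simple, hypothetical review prompts."""
    out: List[Tuple[str, str]] = []
    carried_pii = set(flow.fields) & pii
    if flow.crosses_trust_boundary and not flow.authenticated:
        out.append(("S", f"{flow.name}: unauthenticated flow across a trust boundary"))
    if not flow.encrypted_in_transit:
        out.append(("T", f"{flow.name}: cleartext flow can be altered in transit"))
        if carried_pii:
            out.append(("I", f"{flow.name}: PII {sorted(carried_pii)} sent in cleartext"))
    if not flow.audit_logged:
        out.append(("R", f"{flow.name}: no audit trail at {flow.sink}"))
    # The privacy category: PII carried with no documented purpose behind it.
    unneeded = sorted(carried_pii - needed_fields(purposes))
    if unneeded:
        out.append(("P", f"{flow.name}: carries PII with no documented purpose: {unneeded}"))
    return out


def data_inventory_gaps(collected: Set[str], purposes: Dict[str, Set[str]]) -> Set[str]:
    """Fields collected anywhere that no purpose needs: candidates to stop collecting."""
    return collected - needed_fields(purposes)


# Constructed sample model (not from any real system).
PII = {"email", "phone", "dob"}
PURPOSES = {"account_login": {"email"}, "billing": {"email", "card_last4"}}
FLOWS = [
    DataFlow("signup", "browser", "api", ("email", "phone", "dob", "password"),
             authenticated=True, encrypted_in_transit=True,
             audit_logged=True, crosses_trust_boundary=True),
    DataFlow("analytics-export", "api", "warehouse", ("email", "dob", "event"),
             authenticated=True, encrypted_in_transit=False,
             audit_logged=False, crosses_trust_boundary=False),
]


def run_model(flows=FLOWS, pii=PII, purposes=PURPOSES) -> Dict[str, List[Tuple[str, str]]]:
    """Run every flow through the STRIPED rules; keyed by flow name."""
    return {f.name: threats_for(f, pii, purposes) for f in flows}


if __name__ == "__main__":
    for name, findings in run_model().items():
        print(name)
        for letter, text in findings:
            print(f"  [{letter}] {STRIPED[letter]}: {text}")
    print("collected but unneeded:",
          sorted(data_inventory_gaps({"email", "phone", "dob", "card_last4"}, PURPOSES)))
```

Running the sample flags the signup flow only under “P” (phone and date of birth are collected without a purpose that needs them), while the unencrypted, unlogged export to the warehouse raises tampering, disclosure and repudiation findings as well as a privacy one. The point of keeping privacy and security rules in one walk is the panel’s: both sets of findings come out of the same meeting, against the same model.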
4. See your Security and Developers as Consultants
- “It’s really crucial to remember that security is part of business continuity. You are there to keep your users safe and keep the business running. And doing that involves the right balancing of factors… So that when you do cry wolf and this is what we need to do… everyone agrees with you and hops to it.” – Maximilian Burkhardt, Airbnb
- “It’s nearly impossible for any one team to know everything security… people often realize in the devops world… there are all these new technologies popping up with new vulnerabilities… these are areas where security can provide guidance… that is why security ops are more a consultant than just the team of verifiers.” – Justin Calmus, OneLogin
5. Is Cyber Security Failing as an Industry?
- “I think there’s a real gap in the market between the kinds of solutions that work in the modern devops world where nobody’s running their own infrastructure {everybody is using GCS or AMZN} and the sort of traditional cyber security that is effectively like ‘this rock protects you from lions. Buy this rock, like, you won’t get eaten by lions.’ That’s sort of the traditional model of enterprise cybersecurity.” – Leigh Honeywell, Tall Poppy
- “If you look at some of the tools that everyone on this panel uses we’d probably give you the same opinion and it’s not a particularly high opinion… despite all of this innovation and security…products actually lag behind what engineers are actually doing. We were using a dynamic application scanner tool, and we tested it against our single page app. We never got it to log in successfully.” – John Heasman, DocuSign
Curious about what it’s like to work with Josh Kuiros? Learn more about DataGrail’s career opportunities and how our engineering team is helping solve data privacy challenges for businesses globally here!