After working in the application security consulting industry for nearly two decades and helping to solve my clients’ most difficult challenges, it was time to put what I used to tell others into practice. These are my lessons from the first 100 days.
I’ve created security teams and bug bounty programs, set up tooling strategies, hiring plans, and more. I thought I’d hit the ground running and start making an impact on day 1, or at least by day 99; while I made some impact early, I had a lot to learn. As I passed my 100th day I had learned so much about what makes a successful product and a successful product security team. In this article I’ll walk you through the successes, challenges, and failures I’ve faced in my transition from seasoned security vendor to Senior Director of Product Security at Highspot.
Highspot builds a product that increases the performance of sales teams by bridging the gap between strategy and execution. Throughout my career I’ve seen engineering and sales teams fail to collaborate. I’ve seen sales team members fail because the organization wasn’t able to effectively support them. Highspot is focused on solving these problems.
We’re building a team of exceptional security engineers to help deliver this promise while building and maintaining trust with our customers. We’re hiring security engineers at all levels to execute this vision. If you’re passionate about security, please apply!
This series includes three posts. This first post discusses how I discovered Highspot, my first days, and how I framed my thinking to be effective and efficient at Highspot. Joining any new company is challenging, but joining remotely comes with additional challenges. My second post focuses on the shift in security thinking from being an impediment to being an enabler for engineering teams. We want to shift from gates to responsibilities through training, support, tooling, automation, and more. The final post explores my past assumptions and how I had to shift my thinking further to learn the Highspot culture. Assumptions brought in from outside a company can be both an asset and a liability, and I had to change my approach in a number of ways to be effective. In that post I also discuss how to balance immediate security needs with long-term security strategy. I hope you’ll enjoy the journey of my first 100 days at Highspot and learn a few things along the way.
Just like preparing to make an incredible meal, it’s important to start by getting organized.
When I started to look for a new role, I started preparing. At my previous company I’d had the opportunity to build the engineering team over the course of many years. As a result I was able to build out an engineering culture of respect, support, growth, and technical competency. My biggest concern was walking away from a team of the best engineers I’ve known into a cultural unknown. I interviewed at a number of companies and found Highspot to hold a set of inclusive, growth-based values that appealed to me. I didn’t relish the idea of having to win the hearts and minds of the people I work with to convince them of the importance of security. But that was truly not the case at Highspot; I am consistently met with “This is great! The security team is here! Let’s partner with them to understand how we can make our customers more secure.”
To prepare for my new role I brushed up on all of the technical skills I thought I would need. I read books and articles, watched videos, created personal projects, read source code, and exploited lab systems with newly disclosed vulnerabilities. This is a journey I’ve been on throughout my career, but it reached a fever pitch when I started to interview for new roles and continued after I was hired and stepped into my role at Highspot. I’m a strong believer in leaders staying technical and being able to dive in deeply when necessary. Managers who lose touch with technology can rarely inspire, direct, or lead effectively or efficiently. While the world of consulting has helped me stay on top of many of the newly emerging trends in software, security, risks, and threats, there is always more to learn.
My first few months at Highspot seemed to revolve around shoveling as much information into my brain as possible. One of a consultant’s superpowers is the ability to ramp up on new technology quickly. While that’s an important skill to have, it’s not one I wanted to fall back on. If I could front-load that knowledge before needing it, that would be best. So I set to work trying to determine what I would need to ramp up on before I needed to know it.
One of the books I read, and would recommend for anybody in a significant career transition, is The First 90 Days by Michael D. Watkins. Originally published in 2003 but updated recently, this book helps leaders transitioning into a new role create a roadmap of accomplishments broken down by week and month. One of the key takeaways from the book is that what made you successful in your previous role will not necessarily make you successful in your new role. In fact, it may hinder you! This was a critical takeaway for me. As a consultant I was frequently asked for my opinion or guidance because of my position and background. In my new role that knowledge is helpful, but I need to make sure I understand the history and decisions of my new co-workers so that I can support and direct them within that context, instead of coming in, guns blazing, with a roadmap full of presumptions.
At Highspot, we’re creating a product that is used by millions of people all across the world. We have been called Seattle’s newest unicorn and have staggering growth, customer demand, and feature requests. The product delivers on a vision that enables sales and marketing teams to deliver value to their customers without harvesting their privacy for profit. Building trust with our customers and our customers’ customers through sound security and privacy decisions is a cornerstone of Highspot.
I see my security role having two parts:
Getting the ship and crew ready to sail through rough waters - meeting immediate demand.
Maintaining a best-in-class ship as we cross the Atlantic - maintaining a secure product into the future.
Getting the ship seaworthy
As Highspot’s first Sr. Dir. of Product Security, there are a number of things we need to do right away. Hiring a product security team, responding to our current risks, understanding our security baseline through penetration testing and code review, improving our tooling and external assessment vendors, and building out new security training are a few of those goals.
Until we hire more security engineers (did I mention we’re hiring Security Engineers at all levels?) I am acting as a full-time individual contributor. Our team does code reviews on PRs, reviews requirements and specifications, sets security goals for the engineering team, and more. These day-to-day activities are critical right now because they mitigate real and present risk to the organization: if we miss an architecture review we could introduce a new vulnerability that would be expensive to fix in the future. However, Highspot is growing so quickly that we can easily be overwhelmed by incoming requests. If I haven’t handed off these duties within a year by hiring security engineers better than myself, something will have gone terribly wrong.
We will explore this phase in more depth throughout these articles, but my strategy focuses on two things: arming every engineer at Highspot with the security awareness and enablement they need to make good security decisions in real time, and hiring a team of security experts that can scale with the company and lead those security decisions.
Maintaining our best-in-class ship
Once we have provisioned our ship with training and crew, it’s time to set out on the water. The journey Highspot is on is not a short one. Highspot has been around for over nine years and will be around for many more to come. Understanding what that means for the trajectory of this hyper-growth company is as critical to the success of the security program as it is to the success of the company as a whole.
To maintain our ship, we must build security in, make security easy, and figure out how to be self-healing. The security team and I cannot be the sole gateway to secure software. With over 200 engineers, there’s no way our security team will ever be able to perform every design review, code review, or penetration test needed; we must enlist the help of our entire organization, and even those outside it: bug bounty researchers, customer feedback, and external pentests. We respond to every security inquiry; after all, it takes more than just our security team to make the internet a safer place.
When writing about user experience, Jeff Atwood wrote a great article about making your UI/UX so good that your users Fall Into The Pit of Success; in other words, they can’t help but do the right thing. I want to make building a secure product that easy for all of our engineers at Highspot.
Again, we will explore what it takes to maintain a best-in-class ship later in the series, but it includes: a great security culture, integrated security tools, exceptional security partnerships, and long-term security training for new and existing employees.
Taking on a new position at a new company can be fraught with challenges. I’m lucky to have found Highspot and happy to discover it fits my goals for a great culture and interesting challenges. Establishing goals before making a jump, both for what to accomplish before a departure and for objectives to guide the first 100 days at a new organization, can make the transition easier and will help establish meaningful results early in the new role. In my role at Highspot it is clear there are activities to be done immediately, but we also need to keep an eye on the future, establishing the best practices, culture, and process that will infuse security into every role.
In the next post I will discuss how we can be more successful by moving from security gates to making security everyone’s responsibility: by selecting enabling tools and automation, and by picking great defaults, libraries, and frameworks. In the coming posts I will also tackle how I’ve vetted my own past assumptions and learned the processes and values of Highspot to be more effective, and how to balance immediate needs with future goals.