Duo Security Summit San Francisco: Can Security Enable Velocity?
Duo Security hosted a security summit on October 26th, inviting experienced security leaders with wide-ranging backgrounds for a Q&A panel discussion. The core question for the discussion: can security measures go further than simply not slowing down your organization’s productivity, and help to accelerate it instead?
Keynote on Network De-Perimeterization and Evolving Security
Jon Oberheide, Duo’s Chief Technology Officer, opened the summit with a keynote reviewing the history and advancement of de-perimeterization, beginning with a 2006 research paper on de-perimeterized architecture. The Jericho Forum, responsible for this research, was an international group of CISOs and security leaders looking for a strategy to respond to “the erosion of the traditional ‘secure’ perimeters” and to the practice of relying on those network boundaries as an indicator of trust.
As cloud-hosted and remotely-managed services grew in popularity, this erosion and how to address it became a critical concern. Progressive security organizations like Netflix and Slack adapted and expanded on these strategies, creating tools to increase visibility and prepare their teams to effectively participate in the security process regardless of their location.
Finally, Jon outlined how Duo built the Trusted Access model around the same “zero trust” philosophy, designing universal solutions to secure access for traditional, hybrid and cloud-forward environments.
Panel on Enabling Velocity Through Security
The panel discussion was introduced and hosted by Josh Yavor, Duo’s Director of Corporate Security. Panel participants included Marisa Fagan, Product Security Lead at Synopsys; Ben Hagen, Director of Corporate Security at Facebook; Julie Tsai, Senior Director of Security Operations at Box; and Brendan O’Connor, Security CTO for ServiceNow.
To open the conversation, Josh asked what “velocity” meant within each panelist’s business. Each panelist discussed the importance of not sacrificing quality for speed, and focusing on removing roadblocks where they are able.
When asked for examples from their experience where velocity was a challenge, Brendan highlighted the need to “get the ‘basic hygiene’ parts of security” right, and “make your organization excellent at the ordinary.”
Julie expanded on this idea, saying that developers may gravitate towards uncommon or unique problems, but the day-to-day processes and controls are more important. With security often being seen as “the blockers,” adding gates or process steps only when they were most effective was key, according to Marisa.
When asked for the foundational elements of velocity, Ben answered with clear communication for both expectations and processes. Marisa and Julie emphasized the need for reviewing and measuring what is happening in the environment today, as well as looking at past incidents for insight on areas of improvement.
As a common challenge for engineering-heavy organizations, Josh asked the panel about their methods to “go from being a team that says ‘no’ to the team that says ‘yes, but’ or ‘yes, and.’” All panelists agreed that building rapport and an understanding of each team’s technical needs and business drivers was crucial.
Julie added, “Start with respect, users don’t want to be talked down to.” Brendan pointed out that security’s role was to bring a realistic perspective of risk: “Security is not the judge, we’re the prosecutor. We can present the indicators, and educate the leadership, but often we don’t get to make the final call.”
Panelists also spoke on the importance of education and metrics, with Ben clarifying that the useful metrics are those that move with the organization; a less-precise metric that reflects changes in the organization is more helpful than a precise, static indicator. Throughout the conversation, panelists stressed communication, user understanding and other people-focused “soft skills” as critical to enabling velocity.
To close the panel, Josh asked each guest to share where process and automation fit into a streamlined strategy. Julie shared her preference for “self healing” tools that go beyond tracking history, to checking current status and automatically applying updates and fixes. Marisa answered that safeguards at the development stage and catching problems before they start were key in her product security role. Brendan and Ben both said to seek out the routine and repetitive tasks that can be automated, alerting security team members whenever there is an anomaly that merits review.
Following the panel, panelists and guests joined a happy hour peer discussion, sharing their own insights and lessons learned with one another over wine and appetizers. As the summit drew to a close, a common theme emerged: there is no “silver bullet” for high-velocity security, but there are many effective strategies to improve it. Armed with practical advice and strategies from their security peers and industry leaders, attendees went home with plenty of ideas for how they could streamline their own organizations.