This document provides guidance on building an effective security team in 2016. It recommends distributing security responsibilities across business units by embedding security-focused people within teams like product, infrastructure, and compliance. This integrated approach allows security to better support business goals while increasing visibility. Key benefits include improved productivity, reduced need for a large centralized security team, and motivating employees through a sense of shared success.

1. BUILDING AN EFFECTIVE SECURITY
TEAM IN 2016
SECURITY

2. WHO AM I?
▸ I am Mike Mackintosh
▸ On Twitter: @mikemackintosh
▸ On GitHub: @mikemackintosh
▸ I was a Principle Engineer, VZW - Infrastructure
Security
▸ I ran Security at Shutterstock
▸ I currently run Security at Signal Sciences

3. OBJECTIVE: SHOW THE VALUE IN BUILDING A SMART,
INTEGRATED AND BUSINESS-MINDED SECURITY TEAM

5. WHAT GOES INTO MAINTAINING A SECURITY ORG?
▸ A lot.
▸ Advocating for better security practices to protect the end-user/consumer
▸ Advocating for better security practices to protect the company
▸ Supporting the internal organization’s infrastructure and applications
▸ Providing tools and knowledge to employees to help support security-driven
development
▸ Making sure the company doesn’t get hacked isn’t a goal, it’s a byproduct

6. ARE YOU THINKING TO YOURSELF “WE DON’T HAVE A BIG SECURITY TEAM”
▸ Actually, you probably don’t have a security team at all…
▸ Or at least not an effective team

7. GREAT NEWS!
▸ You don’t need a traditional silo’d security team working on secret projects that
no one else in the company knows about.
▸ You need to make security more visible
▸ If integrating services into your web app makes them better, so can integrating
security teams with other business units

8. ULTIMATE SECTEAM LIFE-HACK
▸ Hire security-focused people with skills in different business units, and attach
them to those units.
▸ Don’t look at me sideways, look at me with batted eyelids

10. NO MORE OF THIS
▸ The following used to run directly under Director/VP of Security/CISO
▸ Application Security Engineers
▸ Security Operation Engineers
▸ Risk Assessment Engineers
▸ Information Security Engineers

11. BUT THAT’S A BIG SECURITY TEAM
▸ You’re right. And sometimes, especially in smaller businesses, there’s not a
CONSTANT need for a ________ security engineer.
▸ That’s actually O.K.
▸ Instead, hire the same amount of security engineers, but have them benefit the
business in other ways too.

12. WHY WOULD THIS
WORK?
BECAUSE THEY CAN NOW HAVE KICKASS TEAM NAMES AND LOGOS.
SERIOUSLY, IT CREATES A SENSE OF PRIDE AND A “FREE” SOURCE OF
MOTIVATION.

13. WHERE DO THE SECURITY-RELATED RESPONSIBILITIES LIVE?
▸ Product Security - Defined by the use of existing sales, frontend, and application engineers that work on customer features
to fix security issues. Security responsibilities include:
▸ AppSec
▸ Brand Integrity
▸ Bug Bounties
▸ Corporate Security - Infrastructure and Information security engineers responsible for the security at a device/node level,
which can serve many responsibilities of Ops and traditional IT teams:
▸ Infrastructure Hardening (opsy-style things)
▸ Endpoint Defense (endpoints, firewalls, etc)
▸ Automation
▸ Training

14. WHAT DO THE SECURITY OUTFITS BECOME?
▸ Security Planning - Planning is made up of security risk assessors and/or
analysts and fit perfectly with a team under the CFO or Legal. These people are
responsible for identifying and protecting against literal financial attacks.
▸ Security Tooling - Security tooling is one of the most valuable assets to a
company by means of increasing productivity for the company while creating
the toolsets required for both security and non-security personnel to complete
their jobs.

15. COMPLIANCE IS NOT A SECURITY PROBLEM
▸ Compliance != Security
▸ Sometimes being compliant makes things more secure
▸ Sometimes being more secure makes things compliant
▸ Validating the integrity of scan results could be useful with a security team; but
the security team should not be making/implementing all the changes to
enforce compliance
▸ Security leadership should be an enabler, not a doer.

16. WHY SHOULD THEY REPORT WITHIN THE BUSINESS ORG TREE?
▸ Security is not a joke. People lose jobs because companies tank because
people don’t take security seriously.
▸ Having security leadership in any team is important, and that leadership is best
prepared and equipped for handling both technical and personal incidents.
▸ Engineering, ops, and other leadership historically have interest in keeping up
with product demands, regardless of security concerns.
▸ Security must adapt with a companies’ move to a more cross-functional
culture, and begin embedding with other parts of the org

17. HOW WOULD THIS HELP?
▸ Because security teams using sprints are the worst… They’re just the worst…
▸ An engineering team using sprints is pretty effective.
▸ An engineering team that has a dedicated security engineer working within a
sprint while ensuring the product doesn’t outpace security posture is the most
effective use of the companies time and money.
▸ Turn bug fixes and incident response into learning experiences for the devs, ops
and sales.
▸ It’s better than patching fixes after massive amounts of public embarrassment.

18. I STILL DON’T GET IT
▸ You have to hire engineers to work on your product and you have to hire
people in sales as well as operations.
▸ Have one person from each of those teams report to your security team lead.
▸ This planted security engineer can help deliver company wide goals with the
product or internal milestones while supporting that smaller team’s security
requirements.

19. WHAT YOUR FLOW LOOKS LIKE
RIGHT NOW (IF YOU HAVE ONE) LOL

21. WHAT YOUR FLOW WILL LOOK
LIKE (IF YOU LISTEN TO ME)

23. WHY WOULD I DO THIS?
▸ Your attackers are motivated by success.
▸ Your employees are motivated by success.

24. SUCCESS CAN BE…
financial: bug bounty payout, raise,
bonus, promotion, selling stolen
goods on the `dark` web

25. SUCCESS CAN BE…
Recognition: bug bounty attribution,
peer recognition (giving `props`)

26. SUCCESS CAN BE…
Thrill and Knowledge: learning
something new, solving an
`impossible` challenge

27. EMPLOYEES ARE MOTIVATED
▸ If you are in a leadership position, find your motivated employees.
▸ If you are motivated, find your manager.
▸ Inspiration + Motivation = Success
MOTIVATE YOUR EMPLOYEES WITH SUCCESS TO PREVENT A SUCCESSFUL ATTACKER

28. YOU JUST TRIPLED YOUR SECURITY COVERAGE BY NOT HIRING ANYONE
▸ All you needed to do was a simple reorg.
▸ Tasks need to be completed. People need to complete them.
▸ Have a security SME for that area work with the team to deliver on company
goals and disseminate their security knowledge while allowing someone to
advocate for them.
▸ They won’t always be understood by traditional managers.
▸ Having security leadership support them creates a successful secure
environment.

29. AND GIVE OUT T-SHIRTS
People. Love. Swag.