At Threat Stack, we believe in building a security culture that starts at the top and functions as a cross-organizational discipline. Achieving this goal requires education and transparency among business partners. That’s why we at Threat Stack have built our own internal security council, which meets regularly and reviews issues that are relevant and timely for our organization.
The security council is made up of folks on the leadership team whose roles intersect with security in some way, and I can say firsthand that it has been a very beneficial practice for us as an organization.
This is the first security company I’ve worked at, and the first company in my direct experience that has made security such an integral part of the business. As the CFO, I’ve been impressed with how seriously security is taken within our own four walls, on our own platform, and with our customers’ data. It’s not an exaggeration to say the team here practices what they preach.
Today, we thought we’d pull back the curtain a bit and share how we structure our meetings, as well as our best practices for other teams that would like to adopt the security council model.
The representatives on our security council include a variety of leaders from our company, including the CEO, CFO (myself), head of engineering, head of HR, and head of customer success. The fact that we include high-level leadership team members in these meetings demonstrates that we don’t see security as a purely technical function, or something to be left to security practitioners alone. It matters to the entire business, and so we invite members from several departments. Sam Bisbee, our CSO , leads the meetings.
Best Practice: If you are starting your own security council, we highly recommend that you invite representatives (ideally leadership team members) from your executive team, finance, human relations, engineering, and operations. You may also want to include individuals who have regular interactions with customers, such as a director of customer support or a head of field engineering. It generally makes sense to have the most senior person on your security team lead the meeting, especially if they also own compliance and risk. If you don’t have a CSO or similar, then you want to empower whoever owns security and compliance for your company, which may be the CTO or DevOps lead team member, to lead these meetings. Regardless, a high functioning security council can act as a steering committee for whoever owns security in your organization.
Our security council meets on a regular basis, anywhere from weekly to bi-weekly depending on what we’re tracking. We think this cadence reinforces the importance of security and keeps it from becoming an afterthought. On the contrary, it is a regular part of the way we do business and is always top of mind for us. We allot about thirty minutes for these meetings.
Best Practice: We recommend that you hold your own security council meetings at least twice a month, and weekly if you can make the time. Thirty minutes should be plenty of time in most instances.
At this point, you may be wondering what exactly we cover during these meetings. We think of security in a broad and holistic way, so the meetings include any security issue that has arisen over the last week or that is still in progress from a previous meeting. We see security as encompassing everything from our platform and data (the technical, digital aspects) to our offices (the physical aspects) to our favorite category of trivia (everything else, especially the unexpected).
We use the time to discuss potential threats to our business and platform. We go over ways we are fortifying Threat Stack against these risks and make sure the entire team is well-versed in our approach, in case questions arise from customers, board members, or partners. We may also discuss compliance activities, particularly when we are in the process of adopting a new ruleset or going through an audit.
We also discuss any news items or headlines that may affect our business — such as well-publicized vulnerabilities like Meltdown and Spectre or big-name data breaches like Target and Home Depot. In some cases, there may not be any immediate action items for our organization from these developments, but it’s good for us to be aware of them regardless. When there are next steps for us to take, this meeting is a good time to determine who will own them and what the plan of action looks like.
Best Practice: Your security council meetings will be unique to your organization, but as a rule, a good agenda might include:
- Current threats and concerns to your organization
- Compliance next steps
- Major news items
- Improvements or next steps for your security posture
Start with categories of information that you could see on an “executive dashboard” for your company. This will give you a framework to begin with, and from there you will likely find several rich veins that merit weekly discussion and action items.
To be honest, at first I was genuinely surprised to learn that Threat Stack held a weekly security council meeting involving a large swath of the leadership team. Now that I’ve been aboard for a while, I can very clearly see the value of this meeting. It has increased my own knowledge and familiarity with security considerations, improving both my personal and corporate state of security. Most importantly, the practice of these weekly meetings helps us keep our platform secure and our business healthy. It demonstrates to our customers, partners, and investors that we don’t just sell a security solution, but actually take security to heart.
Best Practice: If you don’t have a security council in place, 2018 is a great time to start! We hope the preceding tips will give you a solid framework to get going.
Final Words . . .
Security plays a foundational role in product development, operations, revenue generation, company reputation, and the trust of customers and is integral to any company’s success. In our view, the best way to address security issues on a comprehensive, company-wide basis is through a security council. Taking a proactive stance is the best way to stay prepared.