Jason Chan

Former VP of Information Security at Netflix

Jason Chan is a security generalist with years of experience in system, network, and application security. Chan is the former VP of Information Security at Netflix.

Jason Chan's Data Security Posts

Jason Chan | July 19, 2022 | 2 min read | Data Security

Cloud Data Security Should Be About Guardrails, not Gates

I recently came back from my first trip to Israel, one of the centers of the cybersecurity industry. In addition to meeting so many peers and talented cyber teams, I also had the chance to speak at CyberWeekTLV with Asaf Kochan, President of Sentra, and former commander of Unit 8200 (Israel’s NSA). We discussed the different security challenges facing cloud-first enterprises, but also some of the business opportunities the cloud makes possible and how I tried to use cloud security as a business enabler during my time at Netflix.

Organizations move to the cloud or choose to be cloud native because they value speed. They want to be able to spin up thousands of VMs whenever they want and move massive amounts of data through their cloud infrastructure. We can think of the old way of cybersecurity as basically putting a gate on a road. We make the user stop, we inspect them and their data, and then open the gate and let them go wherever the business needs them. I always encouraged my team at Netflix to think in terms of ‘guardrails, not gates’. Let the business move as fast as it needs - with appropriate guardrails to prevent users from ‘flying off the road’, so to speak. 

The truth is that the best engineers and security teams want to help the business get to where they’re going as fast as possible. They understand that the business doesn’t exist to serve security. At Netflix, the business model was to put out high quality entertainment at a rapid pace. Our job was to help them do that while staying secure.

Besides the benefit of helping the business, there’s an important talent boost that comes with being cloud-first. The best engineers want to work on the newest technologies. It’s going to be harder and harder to find dedicated talent who are passionate about maintaining legacy and on-prem architectures. One of the major advantages I had recruiting talent at Netflix (besides the prestige of the brand) was that we were building security programs for a new type of infrastructure, and that was exciting.

Back to my guardrail metaphor. When you drive along a road you’ll notice that some areas have stronger guardrails. These are the areas where accidents are most likely to happen. Similarly, in security, prepositioning is key. The reason new security leaders stay awake at night is that they’re imagining worst case scenarios all the time. But there’s a way to use that type of thinking for good. As Asaf said in my discussion with him, prepositioning by playing the ‘what if’ game is how you minimize the likelihood and impact of breaches. Think about the data that would do the most damage in the event of a breach, think where that data might be, and then make sure it has the proper security posture. Then do that for the next most critical assets, until the risk of the worst case scenario coming true has reached an acceptable level.

Cloud data security is about helping your company leverage the cloud. The whole point of the cloud is speed and scalability. Security leaders for cloud-first enterprises that don’t get in the way are the ones that are going to prosper in their careers and allow their companies to reach their full potential.

Rising to the Challenge of Data Security Leadership

Any attempt to perfectly prescribe exactly what you need to build an effective data security role or team is a fool’s errand. There are simply too many variables you need to take into account - the size of the organization, the amount of data it has, the type of data that needs to be secured, the organization’s culture and risk appetite - all of these need to be weighed and balanced.

However, with that disclaimer and caveat in place, I do think there are some broad best practices that apply to almost every data security role, and those are the ones I want to focus on in this blog. 

Know Your Inputs and Restrictions - and Document them

Every data security team has a certain set of ‘inputs’ and restrictions under whose framework they need to operate. These can be regulatory frameworks like GDPR and CCPA, but they also include agreements with customers and partners and the level of risk the company is willing to accept. 

These inputs exist for every data security role. And the first thing you need to do when stepping into a data security position is to document these inputs and ensure that everyone’s on the same page. This isn’t the type of project that can be done by a single person or even a single team. Legal needs to be involved. Privacy needs to be involved. Security needs to be involved. The scope of this varies by company, but the main point is that there needs to be a governance arm telling you what the requirements and policies are before you can get to work enforcing anything.

It’s also important to remember that there are two different groups here. You have the leaders from the teams I mentioned. And then you have the engineers and executors that implement those policies. All the documentation in the world won’t help if there’s a communication breakdown between the deciders and the implementers. 

Managing Risk, Managing People

Whether you’re an individual or a team responsible for data security, it’s important to keep in mind the big picture - your answer can’t always be ‘no’ when asked ‘can I do this with our data’. Understand that there’s a business reason behind the question - and find a way to help them achieve their goals without violating the risk and legal parameters you’ve already established. 

The data security role also shouldn’t be responsible for actually going into the platforms to remediate issues. As far as possible, the actual remediation should be done by the teams that manage those platforms every day. If there are 10 different data sources, the security team should be identifying those issues using data security tools. But they should also be - with minimal friction - dispatching the alerts, tasks, and remediation steps to the relevant teams. And the security team should be assisting these teams with developing, rolling out, and managing secure configurations so that, ideally, alerts and remediation tasks become less frequent over time.

Besides managing systems, there’s an enormous human component when it comes to data security success. (In general, I believe that most of our problems in security have a human dimension.) There are egos and authority on the line in discussions around data and how it should be used. The business side of the company may want to gather and retain as much data as possible. The privacy and legal teams may want as little as possible. Security leaders in general, and particularly data security leaders, will need to get along well with the heads of these various departments. They need to play the role of harmonizer between the competing demands and be able to get things done. This involves working with the peers of the CISO - head of legal, head of privacy - and making judgment calls in a space (data security) that historically hasn’t had that much authority. Of course, that’s all changing now as every country and region adopts new data security regulations.

Managing up, down, and across the company is the main data security skill. It’s what helps separate effective security leaders. Working well with engineers gets the data secured. Working well with legal, privacy, and compliance is the scaffolding that supports all of your effort. And like every security role, working well with the CISO is critical.

Data Security's a Great Career - Just Take Care Not to Burn Out

To wrap up, I’d say there’s never been a better time to get into data security. The growth of regulations - and the associated consequences for non-compliance - means companies are investing in data security talent. For anyone looking to move from a general security or IT role into a data security role, a great first step is to improve your cloud and data skills. Understanding your company’s cloud environment, its different use cases, tools, and business objectives will give you the context you need to be successful in the role. It will help you understand the inputs and pressures on the different teams, and grow your perspective beyond just the technical part of the job.

The key to avoiding burnout is understanding the nature of the job. There’s always going to be a new tool, stakeholder, or regulation that you’re going to face. There’s no ‘finishing’ the work in any final sense. What you spent all month working on might be irrelevant overnight. That’s the game. And if it’s for you, I hope this blog helps you, in some small way, think about what makes a successful data security professional.
