Understanding people, and not just technology, is critical in building a successful Security team. Much has been said about Etsy's engineering culture, and how continuous deployment and 'devops' have been embraced and developed, but how does security operate in such an environment? This presentation will discuss the progressive approaches taken by the Etsy security team to provide security while not destroying the freedoms of the Etsy engineering culture that are loved so much.
Discussion will cover the building of an effective security organisation that is people rather than technology centric, and one that positions security to facilitate problem solving with fellow engineers rather than blocking progress through the fear of increased risk. The aim of this discussion is to start a dialogue that will hopefully result in a more honest and inclusive security environment, in contrast to the more common scenario where a false perception of security exists that becomes increasingly divergent from reality as the imposed constraints are actively circumvented.
The approaches discussed are those that we have found work for Etsy but should not be seen as a one-size-fits-all solution. Every organisation is different and has its own cultural needs, but it is hoped attendees will be able to adapt our learnings to best meet their own organisation and in doing so share these experiences back with the wider community.
Rich Smith, Director of Security Engineering at Etsy, leads a fearless band of cyber-guardians in defending Etsy's members, sellers, and knitted goods from the evils of the Interwebs. Cross-site-stitching and sequin-injection are all taken in stride daily. Prior to his role at Etsy, Rich co-founded Syndis, Iceland's premier technical security consultancy, where he continues to be an advisor and board member. Rich previously led Kyrus Technology's Commercial Attack Services, held the role of Vice President of Cyber Threat at Morgan Stanley, was a senior researcher at Immunity Inc, and led the Research In Offensive Technologies and Threats group at Hewlett-Packard Research Labs. In his spare time Rich likes beer, noisy music and Python.