The Dept. of Know Live!: what we learned about the future of web app and API security
This spring, we launched The Dept. of Know Live!, a security speaker series designed to make you think differently about web app and API security. We know that security professionals want to be proactive and hopeful about the future of security, but that the everyday realities of the industry — constant tech innovations, a worsening threat landscape, and ever-changing compliance regulations — force them to act reactively and err on the side of no. With The Dept. of Know Live!, we wanted to start bold, forward-thinking conversations around web app and API security and empower our audiences to imagine a new way of doing security.
Every Thursday in March, Kelly Shortridge, Senior Principal Product Technologist at Fastly, and Bea Hughes, Staff Security Engineer at PagerDuty, hosted a 15-minute conversation and 20-minute live Q&A with a different special guest. We learned a lot, challenged some of our security assumptions, and were inspired by our engaged and curious attendees.
Read on to learn more about our takeaways from the series, how it resonated, and where we go from here.
The security ties that bind us
Throughout the course of The Dept. of Know Live! series, we delved into a variety of security topics with different guest speakers of varying backgrounds and dispositions. As different as these industry thought leaders were, we noticed some common themes emerge from the conversations. Here are a few takeaways you may find valuable, regardless of your area of focus in security:
Security is a true business enabler
One of our top takeaways from the series is that security is moving away from being seen as a blocker of business innovation. It’s not uncommon for development and engineering teams to be at odds with the security team because they believe security requirements get in the way of their daily jobs, but the collective mood is shifting. More organizations are starting to see security not just as a necessary evil, but as a competitive advantage that can actually enable business goals.
Buy-in from the top can make or break an initiative
No matter the security initiative, executive buy-in is critical to its success. Those at the top are models for those below, so the more that executives prioritize and champion security, the likelier it is that everyone will do the same. Security leaders should partner with business leaders to ensure they are aware of security priorities, understand why initiatives are imperative, and can speak about security with intelligence and enthusiasm. That’s how you begin to build a positive culture around security within your organization that’s conducive to accomplishing goals.
Prioritize the end user experience
Whether you’re trying to integrate security practices earlier in your DevOps lifecycle or building an asset management program, it’s important to keep the end user in mind and be empathetic to their needs. Consider the impact the security initiative will have on the person who will be implementing it as part of their job. Security tooling and processes need to be as consumable as possible by developers and engineers to reduce friction and ensure they will be understood and used. Before implementing something new, do some research to learn how the end user’s workflows will be impacted, and make adjustments to align with their priorities and expectations.
Tailor your messaging to your target audience
Similarly, get inside the heads of your target audience when you’re communicating a new security initiative. If you need to surface security risks to certain teams, consider how you will control the flow and volume of information, and how you will explain what the metrics you’re tracking mean for specific roles. Individual teams need to understand how their work ties to risks. Whether you’re trying to get buy-in from a finance team or an engineering team, your messaging should take into account their impact on your organization’s security posture, and why they should care.
The Dept. of Know Live! by the numbers
Another takeaway from The Dept. of Know Live! is that the security community is inspiring. Throughout the series, we were struck by how engaged, thoughtful, and curious our audiences were, and we couldn’t wait to hear the questions and insights they contributed to the conversation each week.
Here’s an overview of the community we reached with The Dept. of Know Live!:
Over 48,000 site engagements with our online hub
Attendees from Twitter, JPMorgan Chase, Kohl’s, PagerDuty, Target, Time Inc., AT&T, VMware, JupiterOne and more
Participation by CISOs; VPs and directors of InfoSec; VPs and directors of engineering and infrastructure; cybersecurity architects; staff security engineers; and heads of cloud security from top companies
This is what they thought of the series:
100% said they’d recommend the series to their colleagues
80% said they left with actionable perspectives they would begin implementing to make changes within their organizations
We learned so much from The Dept. of Know Live!, and we hope you did too. But we know the conversations only scratched the surface of everything there is to discuss when it comes to the current and future states of web app and API security.
Going forward, we’ll continue to foster these conversations. We want to lead the charge in discovering new ways that security programs and tooling can empower businesses to meet their goals and create exceptional digital experiences for their customers, and we’ll keep finding ways to involve you in those discussions.
If you missed any episode in the series or want to rewatch your favorites, you can watch them all on-demand.