Startup Security

When we do quarterly planning, my team categorizes our goals within four evergreen outcomes:

  1. Reduce the risk of information security incidents
  2. Increase trust in Vanta's information security program
  3. Reduce the friction caused by information security controls
  4. Use security expertise to support the business

In this article, I'm going to focus on number three: reducing friction.

Declaring your intentions

There is value in making "reducing friction" an explicit goal of your security program. It sets the right tone with your counterparts across the organization, and is one step toward building a positive security culture.

The first time I presented those outcomes in a company-wide forum, I received a Slack message from a senior leader who had just joined the company:

"fantastic to hear about the security team's focus on removing invisible security controls. Excellent philosophy for the security team

[...]

it's just awesome

too many security teams view security as an exclusive tradeoff between team operating power and security"

Hidden friction

Sometimes, when introducing new security controls, you are making a well-considered tradeoff between security and user experience. There are a number of scenarios, however, where the friction isn't so clearly understood:

  1. The friction caused by a security control is not well understood by you or your team ahead of time
  2. An individual outside of your organization is enabling security controls with good intentions, but without informing you or your team
  3. Employees attribute an annoying control to the security team, but it was actually implemented for completely unrelated reasons

Each of these scenarios results in hidden friction. Hidden friction corrodes trust in your team, and pushes your security culture toward negativity.

A solution to hidden friction is the friction survey.

Finding hidden friction

At Vanta, we run a twice-yearly employee survey to find hidden friction. To avoid "survey fatigue" when employees are also being polled through engagement surveys, we join forces with two other teams: Enterprise Engineering and Privacy, Risk, and Compliance.

Each of our three teams puts together a small number of questions to better understand how the company views friction caused by our work.

On the security team, we ask three questions:

  1. How would you rate the friction caused by Vanta's security controls in performing your day-to-day activities? (1-5 scale)
  2. Please describe how and where security controls affect your work at Vanta.
  3. Any other thoughts on or comments about the Security Team or our work? (We'd especially love to hear from you if you selected 3/neutral or below for any of the questions above.)

The first time we ran this survey was in Q2 2022. We received positive ratings, and not much actionable feedback. I tend to look at this as a sign of limited engagement, rather than a rave review.

We ran the survey again in Q4 2022, and we had much more interesting results. We discovered major sources of friction that were attributed to security, but had nothing to do with our team.

We also discovered that many people were running into issues with new authentication policies we had begun rolling out. They didn't know what the expected flow was, so when they ran into bugs requiring them to authenticate multiple times per day, they assumed it was just part of the policy.

Taking action

As a result of the survey, we put together a document to share with the company summarizing the results and the actions we plan to take. We want to be as transparent as possible. The goal is to make it clear when something has friction because we made an explicit tradeoff, when we made a mistake, and when there is additional context that will help people understand the controls better.

Results

The friction survey is a valuable tool in fighting against the legacy norms of security culture. By having positive working relationships with every coworker, we will be far more effective in the other outcomes our team seeks to accomplish.

Over time, these results make for a potent program metric and can be tracked as part of your KPIs.

Note: This expertly contributed article is written by Rob Picard, Security Lead at Vanta. Rob Picard leads Vanta's information security program. Prior to joining, he was the founder of a Y Combinator backed security startup, a long-time security consultant, and built several security functions at Robinhood. He enjoys using the lessons he has learned to help startups build modern, effective, and efficient security programs. This article was originally published on LinkedIn.
