One of our guiding philosophies on the PagerDuty security team is that we’re here to work together with everyone in the org, and not just to say “No” to folks. Security teams can often be seen as a blocking force within tech companies, with employees reluctant to engage security teams as they already know the answer they will receive is “No.” We’ve consciously taken a different approach here at PagerDuty. We spoke with Guy about our philosophy and how our job as a security team is to build tools and policies that make it easy for people to automatically do the right thing.
“We’re here to make it easy for people to do the right thing.”
We talked about how we work with other teams in the company — from Engineering to Sales — to figure out what needs to be accomplished to get the job done in a secure way, without getting in people’s way.
One of the ways we work with other teams is through our internal security training program.
We took a different approach from the standard training programs we’ve seen and developed our security training in-house. The training makes a point of teaching all employees concepts such as how to crack passwords. Showing everyone just how easy it can be opened up a lot of people to the idea of password managers and has helped to keep our employees’ information secure not just at work, but in their personal online lives too.
We discuss how security is becoming more of an operational problem and how we’re starting to see the same trends as we did in the Ops to DevOps transition a few years ago. The problems are different, but the learnings are the same. We talk about how we’re approaching this changing terrain and what our plans for the future are.
Tools are important, and we didn’t shy away from discussing various tools we’ve used and continue to use. We tell the story of how we implemented two-factor authentication for SSH using Duo and Yubikeys, how we beta tested it with our teams, and how we iterated to get a solution that worked well for everyone. We also touch on how we use tools typically designed for operational problems, such as Splunk and Chef, for security. It hasn’t all been smooth, though. Guy asked us about other tools we use, and we explained some of the troubles we’ve had implementing various tools and what goes into the decision of whether we use a new tool or not.
Listen to our entire episode of The Secure Developer: Keeping PagerDuty Secure to get the full scoop.