
Building a Security Department – Values, Culture and Thoughts

Guy Havusha

2023-08-01


Introduction

In today's fast-paced world of high-tech companies, security departments play a crucial role in organizational success. A key promise of any modern global SaaS company is to provide its customers, employees, and investors with a secure and reliable platform to host any use case needed for seamless business growth.

While the hi-tech industry has traditionally focused on R&D and technological advancement, security has gained significance in recent years.

In this blog post, I will share my thoughts about the evolution of security departments in hi-tech, the significance of a solid security culture, and the core values that drive growth and excellence in monday.com security teams.

 

Evolution of Security Departments in Hi-Tech

Until about a decade ago, most security departments existed in large enterprise software companies but were uncommon in small-medium hi-tech companies.

As cloud and SaaS companies became more popular and more widely used in enterprises, the need to protect customer data grew, as did the requirements and security standards, which encouraged small to medium hi-tech companies to establish their own security departments. And much like pioneers, security experts in hi-tech face unique challenges when protecting customers' data in the culture of hypergrowth companies.

 

The Power of Culture

As the saying goes, "Culture eats strategy for breakfast." Regardless of how well-crafted a strategic plan may be, its success ultimately depends on the people who execute it and the culture they share. Developing a solid security culture is essential for driving growth and ensuring the effectiveness of security initiatives within hi-tech companies.

One of the first things we did at monday.com was to craft our mission statement, which is our north star, and we continually check ourselves against it. Our mission statement is 'To promote our business goals and company growth by continually and proactively providing our customers, employees, and management the best-in-class security.'

Let's dive into the values and principles that shape our security culture at monday.com and support our journey toward success. Below are a few of our top values that we integrate into our daily work.

 

It's all about the people. 

Our security organization is a "mini-me" of monday.com - we work closely with R&D, Infrastructure, IT, Legal, Sales, Customer Success, and Customer Experience departments. To accomplish this, we aim to have a diverse team composed of people with a wide range of experience, competencies, and cultures.

It's essential that our security team members have diverse backgrounds - lawyers, developers, IT personnel, ex-pre-sales experts, DevOps, and ex-R&D managers - we believe security is a layer above people's professional experience rather than the other way around.

It's an ongoing challenge that starts with diverse recruiting and personal-professional development - we believe that having our security experts share the same language as their friends within the different departments is extremely valuable for fostering a healthy work environment.

 

 

 

 

Leadership

Being humble and honest is critical for leaders and people managers. Our goal is to communicate as openly as possible - "first between equals." As well as listening and sharing insights, business status, retrospectives, and lessons learned, leaders are accessible (physically, we all share an open space, and conceptually, everyone is welcome to talk with anyone), and we avoid status symbols/behaviors - this is an essential factor for any communication, both internal (within the security teams) and external (within other business units).

 

"Enablers" / "Business Enablers" should be just the start (or: Beyond Enabler)

Building new capabilities, thinking about what can be improved, running fast, and staying embedded differs greatly from "enabling company growth" - it might sound unimportant, but I believe the word has meaning, and "Enabler" could impact the mindset of your team. It simply needs to be more proactive.

 

Security as a value proposition (or: Have a product mindset)

We push security to be a central part of our value proposition to our customers - it's a game changer and a differentiator expected by mature customers and critical for our company's growth upmarket.

We are doing our best to look at security improvements as a product - avoid friction, measure our users' (employees and customers) experience, think about what can go wrong and how good and clear our guidance/configuration is for a non-technical person, and make decisions based on data and risk appetite before implementing new changes.

 

With great power comes great responsibility

We expect our teams to look wide and see the whole picture and the company's interest. Sometimes there is a conflict between the value that the company will achieve and a growing risk. This is where we expect our people to be leaders, have deep discussions, and challenge our risk appetite. For that, we need the best people with us.

 

The opposite of "advisor culture." 

We always aim to see the big picture and make responsible and achievable decisions that consider the company's interest and bring short-, mid-, and long-term solutions, versus an advisor culture that might look at the organization from the outside with less responsibility and ownership.

We take the driver's seat, understand the pros and cons of any idea and its impact on security, customer experience, and employee experience, discuss alternatives, and aim for a comprehensive agreement about the problem and the suggested solution. This ensures that all stakeholders understand the problem and the proposed solution and that the decision is based on a consensus opinion. It also allows for a thorough evaluation of any proposed idea's potential risks and benefits.

 

Comfort zones are moving targets.

The process and technology life cycle has a few stages: Running (an existing process) → Building (a new one) → Improving (productivity) → Rebuilding (efficiency). The stage of an IC (individual contributor) depends on their seniority and experience. A team leader who can move between the different stages as the situation requires and cover all aspects is a good signal that they have bottom-up and top-down capabilities. That's the leadership expertise you want in security teams.

 

Efficiency

Aim to think in terms of efficacy and "real security." We challenge ourselves and our vendors to ask for evidence for their assumptions and be data-driven in our day-to-day work. Data helps us remove the noise and focus on things that make a real security impact.

 

A few tips for a proactive approach 

  • Stay connected and have a vision but stay down to earth - "in an ideal world, I would like to have…" could mean that we are not connected to day-to-day challenges.
  • The best way to gain independence and trust is by defining the KPIs which indicate the health status of your domain.
  • Don't have the "No news is good news" mindset, and aim to have evidence for your AppSec, ITsec, Infrastructure, and Compliance status.
  • Define how you measure "real security" - focus on impact and data-driven decisions.
  • Aim for the best security team in the world, and create a gold standard for SaaS security!
  • Speed is a value - make things happen and then improve.

 

In conclusion, security departments ensure organizational success in the rapidly evolving hi-tech industry. Cultivating a strong security culture, embracing a product mindset, and continuously improving security practices are crucial to mitigating risks, gaining customer trust, and ensuring business growth.

 
