See the full webinar here!
Cybersecurity is an ever-evolving field that requires constant vigilance and innovative solutions to keep systems secure. One of the key strategies discussed by industry veterans is the concept of "paved paths," which simplifies and standardizes cybersecurity practices across organizations. In this blog post, we'll dive into a webinar discussion between Travis McPeak, co-founder and CEO of Resourcely, and Caleb Sima, a pioneer in cybersecurity, as they share their experiences and insights on building paved paths.
Introduction to Paved Paths
The idea of "paved paths" is to create streamlined, user-friendly processes that enforce security best practices without burdening the engineering teams. This approach not only makes it easier for developers to follow security protocols but also ensures consistency and scalability across projects.
The Journey at Capital One
Caleb Sima shared an enlightening example of implementing paved paths at Capital One. When Sima joined, the organization had over 3,500 app development teams, each managing their own security protocols, leading to inefficiencies and inconsistencies. The traditional consulting approach of working individually with each team was not sustainable.
Sima’s team shifted to a product-led approach, treating their internal security tools as consumer products. They built a comprehensive development pipeline that streamlined the security processes, integrating code scanning and vulnerability assessments into the development lifecycle. This approach automated many tasks, allowing teams to focus on their primary responsibilities while ensuring security was maintained. The result was an impressive uptake, with over 75% of development teams voluntarily adopting the new system within a year and a half.
Overcoming Challenges with Paved Paths
One significant challenge with paved paths is the initial resistance from engineering teams and leadership. At Capital One, Sima adopted a phased approach, focusing on one class of vulnerabilities at a time, such as SQL injection. By simplifying the process and making it manageable, they reduced the friction engineers faced and encouraged adoption through positive reinforcement—mainly through "green lights" indicating secure code.
Another major challenge is managing the vast array of potential vulnerabilities. Instead of overwhelming teams with thousands of issues, Sima’s team focused on the most critical vulnerabilities, gamifying the process to maintain engagement and momentum.
Transition to Databricks
At Databricks, a smaller, fast-growing startup, Sima faced a different set of challenges. With limited resources, he had to prioritize basic security processes over paved paths initially. His approach was to establish foundational security practices, such as vulnerability management, incident response, and compliance, before moving on to more advanced initiatives like paved paths.
Interestingly, when Databricks reached a critical size, Sima brought in Travis McPeak to build paved paths similar to those at Capital One. They focused on consistent vulnerability management and easy integration within the existing systems, ensuring that even busy engineering teams could address high-priority security issues effectively.
The Robinhood Experience
At Robinhood, Sima joined during a period of rapid growth and high stakes, notably during the GameStop trading frenzy. Here, Sima’s team could invest in advanced security initiatives early, thanks to a sizable budget and strong executive support. They developed secure libraries and golden images, making secure practices more accessible and appealing to engineers.
Sima emphasized the importance of having dedicated resources to build, support, and promote these secure libraries, ensuring they were widely adopted and effectively utilized.
Navigating Complex Infrastructures
One of the more challenging areas for implementing paved paths is cloud and infrastructure management. Organizations like Robinhood have diverse and rapidly evolving environments, making it difficult to enforce standardized security practices universally. However, Sima’s team at Robinhood collaborated closely with the platform team to embed security analyses into the infrastructure, ensuring security was built-in rather than bolted-on.
Conclusion: The Future of Paved Paths
Building paved paths in cybersecurity is not just about enforcing security protocols; it's about creating a seamless, user-friendly experience that naturally integrates into the developer's workflow. Both Sima and McPeak’s experiences highlight the importance of starting with the basics, gaining buy-in from engineering teams, and continuously evolving the process to address new challenges and technologies.
As organizations continue to grow and the threat landscape evolves, the principles of paved paths—automation, simplification, and scalability—will be crucial in maintaining robust cybersecurity practices without hindering innovation and productivity.
See the full replay, and stay tuned for more insights and strategies from leading experts in the field as we continue to explore the best practices for securing our digital world.
