Building Paved Paths in Cybersecurity: Insights from an Industry Leader

AUTHOR
PUBLISH DATE
August 7, 2024

See the full webinar here!

Cybersecurity is an ever-evolving field that requires constant vigilance and innovative solutions to keep systems secure. One of the key strategies discussed by industry veterans is the concept of "paved paths," which simplifies and standardizes cybersecurity practices across organizations. In this blog post, we'll dive into a webinar discussion between Travis McPeak, co-founder and CEO of Resourcely, and Caleb Sima, a pioneer in cybersecurity, as they share their experiences and insights on building paved paths.

Introduction to Paved Paths

The idea of "paved paths" is to create streamlined, user-friendly processes that enforce security best practices without burdening the engineering teams. This approach not only makes it easier for developers to follow security protocols but also ensures consistency and scalability across projects.

The Journey at Capital One

Caleb Sima shared an enlightening example of implementing paved paths at Capital One. When Sima joined, the organization had over 3,500 app development teams, each managing their own security protocols, leading to inefficiencies and inconsistencies. The traditional consulting approach of working individually with each team was not sustainable.

Sima’s team shifted to a product-led approach, treating their internal security tools as consumer products. They built a comprehensive development pipeline that streamlined the security processes, integrating code scanning and vulnerability assessments into the development lifecycle. This approach automated many tasks, allowing teams to focus on their primary responsibilities while ensuring security was maintained. The result was an impressive uptake, with over 75% of development teams voluntarily adopting the new system within a year and a half.

Overcoming Challenges with Paved Paths

One significant challenge with paved paths is the initial resistance from engineering teams and leadership. At Capital One, Sima adopted a phased approach, focusing on one class of vulnerabilities at a time, such as SQL injection. By simplifying the process and making it manageable, they reduced the friction engineers faced and encouraged adoption through positive reinforcement—mainly through "green lights" indicating secure code.

Another major challenge is managing the vast array of potential vulnerabilities. Instead of overwhelming teams with thousands of issues, Sima’s team focused on the most critical vulnerabilities, gamifying the process to maintain engagement and momentum.

Transition to Databricks

At Databricks, a smaller, fast-growing startup, Sima faced a different set of challenges. With limited resources, he had to prioritize basic security processes over paved paths initially. His approach was to establish foundational security practices, such as vulnerability management, incident response, and compliance, before moving on to more advanced initiatives like paved paths.

Interestingly, when Databricks reached a critical size, Sima brought in Travis McPeak to build paved paths similar to those at Capital One. They focused on consistent vulnerability management and easy integration within the existing systems, ensuring that even busy engineering teams could address high-priority security issues effectively.

The Robinhood Experience

At Robinhood, Sima joined during a period of rapid growth and high stakes, notably during the GameStop trading frenzy. Here, Sima’s team could invest in advanced security initiatives early, thanks to a sizable budget and strong executive support. They developed secure libraries and golden images, making secure practices more accessible and appealing to engineers.

Sima emphasized the importance of having dedicated resources to build, support, and promote these secure libraries, ensuring they were widely adopted and effectively utilized.

Navigating Complex Infrastructures

One of the more challenging areas for implementing paved paths is cloud and infrastructure management. Organizations like Robinhood have diverse and rapidly evolving environments, making it difficult to enforce standardized security practices universally. However, Sima’s team at Robinhood collaborated closely with the platform team to embed security analyses into the infrastructure, ensuring security was built-in rather than bolted-on.

Conclusion: The Future of Paved Paths

Building paved paths in cybersecurity is not just about enforcing security protocols; it's about creating a seamless, user-friendly experience that naturally integrates into the developer's workflow. Both Sima and McPeak’s experiences highlight the importance of starting with the basics, gaining buy-in from engineering teams, and continuously evolving the process to address new challenges and technologies.

As organizations continue to grow and the threat landscape evolves, the principles of paved paths—automation, simplification, and scalability—will be crucial in maintaining robust cybersecurity practices without hindering innovation and productivity.

See the full replay, and stay tuned for more insights and strategies from leading experts in the field as we continue to explore the best practices for securing our digital world.

Ready to get started?

Set up a time to talk to our team to get started with Resourcely.

Get in touch

More posts

View all
October 31, 2024

Creating an IAM factory featuring AWS IAM

Give developers a flexible, guided form for configuring and deploying IAM
November 11, 2024

Configuration perspectives: AWS S3

Best practices for configuring S3 using Terraform, while taking into account input from a variety of stakeholders
September 9, 2024

The Road to Simplicity

What platform engineering can learn from automobile design

Talk to a Human

See Resourcely in action and learn how it can help you secure and manage your cloud infrastructure today!