'Inside Security' with Varun Prusty (Staff Security Engineer, Asana)

Blog
Leen Security
July 8, 2024

Security engineering teams work against constantly evolving threats, and effective communication within the team is what holds that work together: it underpins threat detection, response, and mitigation.

In this week's edition of 'Inside Security', we sit down with Varun Prusty, Staff Security Engineer at Asana, and delve deeper into the importance of communication in security culture, how to establish best practices for effective communication, and the impact of fostering a proactive and collaborative approach to security challenges.

Early Beginnings

Throughout this series, we've found that everyone's path into security is different. Some went to graduate school to deepen their knowledge after first encountering security as undergraduates, while others gravitated toward the field out of sheer curiosity.

Varun's story is a bit of both.

As one of the first people in his village in Chhattisgarh to own a computer, he began tinkering with various use cases from a young age. His love for security has roots that trace back to his childhood.

From a very young age, I was fascinated by computers. The sheer possibility of what could be done with them was incredibly exciting. I loved having a keyboard full of buttons to press, experimenting to see what worked and what broke. If I broke something, I had to understand why it happened to fix it, as there was no one else to help me—being the first person in my village to own a computer. This curiosity set me on a path into the world of computer science. And when we got dial-up internet during my teenage years, it opened up a whole new realm of networking and communication for me. I explored various aspects of the internet, from torrents to OWASP. These experiences sparked my interest in network security, leading me to pursue it further through formal education.

Since then, Varun has played key roles as a security engineer at Rapid7, Spirent Communications, and Coupa Software, before taking on a leadership position at Asana.

The Distinction Between A Security Engineer & A Security Leader Lies In One Key Element

And that key element is effective communication.

Varun excelled academically and acquired the technical skills of an effective security engineer, but he attributes his rise to leadership to mastering communication.

A great security engineer excels in technical expertise, problem-solving, and staying ahead of evolving threats. However, a great security leader goes beyond technical skills; they are adept at articulating complex security concepts in ways that are understandable to non-technical stakeholders, fostering collaboration across teams, and inspiring a culture of security awareness throughout the organization.

Learning to take technical knowledge and communicate the risks, the trade-offs, and why a given action matters in clear, simple language is crucial. It's about presenting complex information in an accessible way that everyone can understand and appreciate. This skill ensures that the significance of security measures is conveyed to all stakeholders, making it easier to gain their support and cooperation.

Effective communication allows a security leader to build strong relationships, influence decision-making, and drive the adoption of security best practices. By bridging the gap between technical details and strategic vision, a great security leader ensures that security is integrated into every aspect of the organization's operations. This ability to communicate effectively is what transforms a proficient security engineer into an impactful security leader.

Security Is Not The Boogeyman

Security engineers tend to be paranoid, and for good reason.

Unfortunately, security is often viewed as an obstacle. That perception is counterproductive: people end up working around security controls, or bypassing them outright, instead of collaborating with the security team toward shared goals.

The challenges security teams face extend beyond technical expertise. As attack techniques evolve, a team needs effective communication alongside its technical controls.

If a leader wants to achieve a specific security outcome for their team and the company, they need to communicate effectively how this aligns with the goals of the company, the team, partner teams, and customers. It's important for them to explain how this outcome will impact a metric that everyone cares about and why it matters.

“Instead of always being a doomsayer or focusing on probabilistic numerical risks, they should craft a story that assumes the best in people. This approach helps foster a sense of unity and collaboration, emphasizing that everyone is in this together, rather than framing it as a battle against hackers or a conflict between individuals.”

As security becomes a cornerstone of a company's product development strategy, communication matters more, not less. Organizations need established communication channels so that security policies are understood and consistently followed.

By framing security as a shared responsibility and a collective effort, leaders can cultivate a culture of trust and collaboration, where everyone feels empowered to contribute to the organization's security posture.

Clear communication channels are needed to report vulnerabilities, circulate time-sensitive information, and coordinate across departments. Embedding security into every phase of product development through well-defined communication practices protects the company's assets and builds trust with customers and stakeholders. This proactive approach to communication is what makes an organization both secure and resilient.

Over the past few years of my career, I’ve realized that making security successful and getting people to care about it requires more than just technical expertise. It's a completely different skill set. Being the best technical security expert doesn’t necessarily mean I can lead the best security outcomes.

It's about translating complex security concepts into understandable terms, fostering a culture of security awareness, and encouraging proactive participation from all team members. Additionally, it involves strategic thinking, empathy, and the ability to navigate organizational dynamics to align security initiatives with broader business goals. In essence, while technical proficiency is crucial, the human element—engaging, educating, and empowering people—is equally important in achieving comprehensive and effective security outcomes.

Education Is Crucial For Effective Communication

Education is everything when it comes to effective communication about security. It forms the foundation for understanding and implementing robust security practices across an organization. Starting from the onboarding process, educating employees about security protocols and compliance requirements ensures that everyone is on the same page from day one. Varun seconds this opinion:

One thing that has genuinely shifted my perspective over the years is the importance of education. What has truly proven effective is starting with thorough onboarding, which includes comprehensive security training and compliance requirements. Honestly, I never really believed in it at first. I didn't think anyone took those security trainings seriously, and I doubted compliance was the right motivation for going through them. Coming from a culture where you just join a company and hit the ground running, I didn’t initially see the importance of onboarding, especially with a focus on security.

Such education fosters a culture of security awareness in which following best practices becomes second nature. It demystifies complex security concepts, making them accessible and actionable, which is crucial to maintaining a secure environment.

By incorporating gamification, real-life scenarios, and hands-on activities, we can transform security education from a mundane task into an exciting experience. Varun cites an example:

We strive to make everyone in the company feel security-focused, taking innovative steps to build a culture that prioritizes security. As part of this, we introduced an interactive Threat Modeling session. Instead of calling it a threat model, we framed it as a challenge: "This is what we've built. Now break it. Tell me how to break it." By making the process fun and engaging, we saw a positive shift over time. As people completed the training and onboarded, they began partnering with the security team while building product, when incidents cropped up, and while setting any new processes in place. They started coming in with a new attitude, saying things like, "Hey, I'm part of this, I built this," and appreciating the aspects they had never considered before. This proactive and engaged mindset significantly improved our overall security culture.

This approach not only ensures that everyone understands the critical importance of security but also makes the learning process enjoyable, fostering a proactive and enthusiastic culture around compliance and security practices.

Fostering A Culture Of Communication Within Security Teams

Security engineers often adopt a paranoid mindset, not out of irrational fear, but as a necessary response to the constantly evolving landscape of cyber threats. This vigilance helps them anticipate and mitigate risks before they become significant problems.

Bad news is rarely welcome, because in security it usually means a vulnerability, a breach, or a live threat. But bad news is inevitable. What matters is surfacing it early and addressing it promptly, and that depends on effective communication across the organization.

When security incidents occur, reactions can vary widely. Some engineers and senior executives might panic and scramble to respond, while others might not react at all. Ensuring robust security measures in an organization requires a balanced approach and a clear understanding of roles and responsibilities.

It's not uncommon for individuals to view security incidents as thrilling opportunities to jump into action, driven by the excitement of the moment. However, this mindset can be counterproductive and potentially hazardous.

"Often, security can be perceived as exciting for the wrong reasons, with people wanting to get involved during a suspected breach or attack for the adrenaline rush. This can lead to inappropriate responses, such as hastily involving others or taking drastic measures like taking services offline. It's essential to involve the right stakeholders to make informed decisions and maintain a calm and composed approach."

Varun credits practices such as documenting and following standardized risk-assessment procedures with significantly improving his teams' security processes. These standards can be customized to fit an organization's policies and industry norms, so that engineers follow a clear, structured process when an incident occurs rather than relying on gut feeling.

Drawing from his own experience, Varun explains:

"For example, when an incident happens, we assess its severity based on predefined criteria, determining if it is a Priority 1 (P1) on a scale of one to four. This logical, data-driven approach has gradually gained stakeholder support. At every stage, we focus on driving towards the desired outcome, following a structured response process."

Such a process keeps everyone focused on the next objective and contains deviations from the plan. After the immediate response, the team can analyze what went wrong and why, and learn from each incident.
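As an added example (not Asana's process, and not code from the original interview), here is what "predefined criteria" can look like once they are written down as code rather than carried in someone's head: a hypothetical rubric that maps an incident's known facts to P1 through P4 with ordered rules, attaches an escalation list to each priority, and gates drastic containment actions, such as taking a service offline, behind incident-commander approval below P1. The data classes, scopes, thresholds, paging lists and action names are assumptions to be replaced with a team's own documented policy.

```python
"""Incident severity triage as a written rubric rather than gut feel.

Added example, not Asana's process: the criteria, thresholds and
escalation paths below are hypothetical placeholders that a team would
replace with its own documented policy.
"""
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    P1 = 1  # page incident commander, exec on-call, legal
    P2 = 2  # page security on-call and the owning team lead
    P3 = 3  # security on-call handles during business hours
    P4 = 4  # ticket; reviewed in the weekly triage meeting


# Vocabulary the rubric accepts (hypothetical; adapt to local policy).
DATA_CLASSES = ("public", "internal", "confidential", "restricted")
SCOPES = ("single_host", "multi_host", "production_wide")
CONFIDENCE = ("suspected", "confirmed")


@dataclass(frozen=True)
class Incident:
    data_class: str        # most sensitive data class known to be in reach
    scope: str             # blast radius established so far
    confidence: str        # is attacker activity confirmed or only suspected?
    customer_impact: bool  # are customers affected right now?


def _validate(inc: Incident) -> None:
    """Reject inputs outside the rubric's vocabulary instead of guessing."""
    if inc.data_class not in DATA_CLASSES:
        raise ValueError(f"unknown data class: {inc.data_class!r}")
    if inc.scope not in SCOPES:
        raise ValueError(f"unknown scope: {inc.scope!r}")
    if inc.confidence not in CONFIDENCE:
        raise ValueError(f"unknown confidence: {inc.confidence!r}")


def classify(inc: Incident) -> Priority:
    """Map an incident to P1..P4 with explicit, ordered rules.

    Rules are evaluated most-severe first and the first match wins, so the
    rationale for any decision is the single rule that fired.
    """
    _validate(inc)
    confirmed = inc.confidence == "confirmed"
    sensitive = inc.data_class in ("confidential", "restricted")
    would_be_p1 = (inc.data_class == "restricted"
                   or inc.scope == "production_wide"
                   or inc.customer_impact)

    # P1: confirmed activity reaching restricted data, production-wide
    # scope, or live customer impact.
    if confirmed and would_be_p1:
        return Priority.P1
    # P2: confirmed activity against sensitive data, or suspected activity
    # that would be a P1 once confirmed.
    if (confirmed and sensitive) or (not confirmed and would_be_p1):
        return Priority.P2
    # P3: any confirmed activity, sensitive data, or more than one host.
    if confirmed or sensitive or inc.scope != "single_host":
        return Priority.P3
    return Priority.P4


# Who gets paged for each priority (hypothetical rotation names).
ESCALATION = {
    Priority.P1: ("incident-commander", "exec-on-call", "legal", "security-on-call"),
    Priority.P2: ("security-on-call", "owning-team-lead"),
    Priority.P3: ("security-on-call",),
    Priority.P4: (),  # ticket only
}

# Containment actions that need incident-commander sign-off below P1,
# so nobody takes a service offline on adrenaline for a P3.
DRASTIC_ACTIONS = {"take_service_offline", "rotate_all_credentials",
                   "block_customer_traffic"}


def who_to_page(priority: Priority) -> tuple:
    """Escalation list for a priority, straight from the documented table."""
    return ESCALATION[priority]


def needs_ic_approval(action: str, priority: Priority) -> bool:
    """Drastic containment is pre-authorised only for a declared P1."""
    return action in DRASTIC_ACTIONS and priority != Priority.P1


if __name__ == "__main__":
    # Constructed sample: confirmed credential theft scoped to one host,
    # reaching confidential (not restricted) data, no customer impact.
    inc = Incident("confidential", "single_host", "confirmed", False)
    p = classify(inc)
    print(p.name, who_to_page(p), needs_ic_approval("take_service_offline", p))
```

Because the rules run most-severe first, the one rule that fired is the rationale for the priority, which is exactly what stakeholders ask for when a P1 is declared. Rejecting unknown vocabulary rather than defaulting to P4 avoids silently under-triaging a malformed report.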

Varun also advises using the "Five Whys" technique—a problem-solving method that involves asking "why" repeatedly to identify the root cause of a problem—and maintaining a blameless approach. A dedicated Five Whys orchestrator ensures objectivity and prevents individuals from feeling targeted.

"It's about our team collectively addressing and overcoming vulnerabilities, not placing blame. This effort to keep the process objective and blameless is crucial for fostering a collaborative environment where everyone works together against vulnerabilities."

How To Become An Effective Security Leader & Communicator

Becoming an effective security leader and communicator requires a blend of technical expertise, strategic thinking, and interpersonal skills. You need the right combination of all these elements, and perhaps a bit of a personal touch to excel. However, many engineers, including quite a few we had approached for this interview series, shy away from such opportunities.

Today, Varun is a highly respected security leader, whose expertise is sought after by other security professionals and key stakeholders within his company, including the board. To achieve this, he had to prove himself not only by excelling technically but also by effectively collaborating with his peers, pitching new ideas and frameworks to senior leadership, and, as he advanced in his career, serving as a trusted advisor to help key decision-makers make critical choices.

Despite being an introvert, Varun emphasizes that mastering the art of communication is a valuable skill that can enhance interactions in any situation or setting, especially within the field of security.

He notes that being introverted doesn’t automatically mean being poor at communication, just as being extroverted doesn’t guarantee mastery.

“I’ve come to understand that effective communication is a unique skill. It requires more than just talking to people; it involves using metrics and thinking long-term. Instead of being overly prescriptive and detailing every step that will happen, it's better to guide others toward the desired outcome by equipping them with the tools to think through it themselves. This involves using specific metrics and data points strategically and telling a compelling story.”

We often expect the best from ourselves, which can be a great standard to set. However, when tackling something unfamiliar or daunting, like becoming a public speaker or thought leader, an overly self-critical approach can be overwhelming. Varun advises security professionals to make incremental changes and to be forgiving of themselves.

"One of the biggest lessons I've learned is to forgive myself for not being exactly who I thought I would be or who I think I should be. I am a certain way, with both strengths and weaknesses. I have certain desires and goals, and there are habits I can develop to achieve them. Some habits will work out, and some won't. I won't beat myself up over it. I don't want to be upset when something doesn't work out. Instead, I'll focus on what I can learn from the experience and keep moving forward. To me, making small, incremental changes, like stepping out of my comfort zone and meeting challenges head-on, has been crucial for my personal happiness and growth."

Effective communication is also strengthened by curiosity, because curiosity drives active listening and thoughtful questioning. Curious leaders engage more deeply in conversations, understanding not just the surface-level information but the underlying motivations and concerns. That deeper understanding leads to clearer, more empathetic communication and a more cohesive team. Varun puts the idea this way:

"In my opinion, to become an effective communicator, one needs to lead with curiosity. This means approaching situations with a mindset of learning and self-education, rather than assuming you already know everything. Forgiving myself, setting small achievable goals, and taking it one step at a time have been key strategies. Progress takes time, and nothing is achieved overnight. These principles have helped me steadily improve and grow over time."

Conclusion

As we conclude the third edition of the 'Inside Security' series, Varun's journey reminds us that mastering communication is essential for transforming technical expertise into effective leadership. It highlights the importance of not just understanding complex security concepts but also being able to convey them clearly and persuasively to diverse audiences.

His path illustrates that true leadership in security involves building strong relationships, fostering collaboration, and inspiring a culture of security awareness. Varun's experience underscores that the ability to communicate effectively can bridge the gap between technical proficiency and strategic influence, ultimately driving the success of security initiatives within an organization.

To connect with Varun, you can reach out to him via LinkedIn.