Tony Cassell: Security is part of the culture at Dropbox
DELRAY BEACH, Fla.—In his keynote address at TechSec Solutions this week, Dropbox global security director Tony Cassell shared principles and lessons for designing and implementing a security program, and he emphasized the importance of integrating security into company culture.
"Making security a part of the culture is much easier than forcing it on your employees," Cassell said.
Cassell has worked at several startups. Before joining Dropbox he designed the first security system for Facebook. He joined Facebook when the company had fewer than 400 employees. How did he incorporate security into the culture at Facebook?
"I chose the lowest common denominator: beer," he said.
"Working with some engineers, we rigged up a beer keg with a badge reader and linked our badge numbers to our Facebook profiles. When you swiped your badge, it would pour you a pint, and then take a picture of you with your pint and post it to your Facebook feed. This was a great incentive for people to remember to bring their badge to work. For clarification, I did not install this at every office door," Cassell said, laughing.
The principles Cassell touched on included developing a holistic awareness of threats and risks. "What are we trying to protect, from whom and why? If we don't know the answer to this, then we are always reactive," he said.
Aligning with the organization's mission means security won't be a hindrance, he said.
Cassell said the most important "building block" is trust. "Your customers have to trust you to keep them or their data safe. Your inside customers have to trust you to protect their well being and have their best interests at heart. The priority is mission, then your people at all levels, and then you, in that order," Cassell said.
Learning to "fail fast" is vital.
"Nothing can prepare you for the velocity of growth at a startup like Facebook. It doesn't matter where you've worked, or what you've done. When you're hiring more than a hundred people a week then everything has to grow really quickly to keep pace," Cassell said.
Cassell said the upside to rapid growth is that it enables you to "test your processes, like installing security systems in one office after another in rapid succession. You get to define a process, execute it, learn from it, improve upon it and then execute it again a few weeks later."
Write everything down, Cassell advised. And "assume nothing." Cassell told the story of building a Facebook office in India. The project was taking longer than expected. He investigated and learned that the techs only had one set of tools, which they were sharing. He "bought basic toolkits for the technicians and we quickly got back on schedule."
Making the security program at Dropbox "dropboxy" meant adhering to the values the company has identified as a "way to think about how to approach ideas, colleagues and customers."
Those values are: Be worthy of trust; Sweat the details; Aim higher; We, not I; Cupcake (or, a "little bit of magic").
To choose an integrator, Cassell sent a detailed RFI out to "many of the popular providers, and got down to a short list of three."
Cassell invited the three in, listened to their presentations and explained that he would probably be the most challenging customer they could have. "After explaining that, one of the candidates dropped out and I ended up with two choices," Cassell said.
He had the integrators run two parallel test projects. Northland Controls, a global systems integrator based in Fremont, Calif., came out ahead. He called Northland "an exceptional partner" that has been able to provide "an elastic workforce ... build out our new offices as we've grown over the last couple of years." He noted that Northland's motto is "Whatever it takes."
"I'm sure they will agree that we've tested that one to its limits," Cassell said.
Cassell said the value "We, not I" is where his team focuses on what they are doing for the business and how it impacts employees. "Everything from getting a temp badge in the morning to considering IT concerns when rolling out new security systems, to adding in redundant door controllers to make sure everyone can get into the office in the morning, our security program is focused on working with the business, rather than making the business work with security," Cassell said.
And "cupcake"? At Facebook it was beer. Cassell joked that at Dropbox, "we have whiskey instead of beer, so I wasn't able to pull the beer keg trick out of my hat again."
Cassell wanted to see how he could use security to help Dropboxers and to use Dropbox to help with security. Among the tricks he has pulled out of his hat at this startup is one concerning IT supplies.
The Dropbox IT department put in vending machines with IT materials like chargers and headphones. "To make people's badges have more value in the office, I integrated the vending machines with the badge system, so Dropboxers can use their badge to be able to gain access to the things they need and IT is able to track back usage to cost centers. It's a win-win," he said.
"Even though security is serious business, we do sprinkle a little magic on the program once in a while," Cassell said.