Unpacking security theater: Insights from Alberto Silveira, Head of Engineering at LawnStarter

[00:00:00] Alberto: if we don't make security a top priority as building a new feature on the application as, automation as, ci i c d, how can we actually out succeed? Like building a new feature, but actually lacking, you know, uh, customer data or like network security or what's the point if we're gonna be on, like, on the news tomorrow with like a new security breach? And then we have like the most shining feature.

[00:00:29] Tim: Welcome to Code to Cloud. I'm your host, Tim Chase, global Field, CISO at Lacework. And here with me today is our esteemed guest, Alberto Silveira. Alberto is Head of Engineering at LawnStarter, a marketplace for outdoor home services. He has more than 20 years of experience in software development, having served in leadership positions at companies like OnDeck. Amplify. And Kaplan, he's also an author in his book Building and Managing High Performance Distributed Teams is out now. Alberto, welcome to the show.

[00:00:59] Alberto: thank you team. It's a pleasure to be here and, uh, really looking forward to our session today.

[00:01:04] Fade out theme music

[00:01:04] Tim: All right, let's start today with a great metaphor you made, about psychological safety, cybersecurity practices. So can you tell me a little bit more about what you refer to as security theater?

[00:01:16] Alberto: this term came, uh, when I was writing the book which I actually refer the, the security theater, but there's this whole thing that organizations do. that gives that sense of, security, but it moves, not to very little on the impact that it can cause. So I call like that. The security theater, the easiest way of actually think about is like when you go to the airports and there's like that whole show of like, uh, trying to make people feel safe. And I think there's like a, I wouldn't say dated or old. I would say traditional security practices that gives that, uh, sensation that you are safe. So, you know, like, um, from traditional it, traditional software, traditional, practices, I bring that concept in my book, but I, I bring that like to my teams is like, is this really actually taking care of, what we are trying to achieve? Or is this just us for checking another box and say that we are safe? So that's what I refer as the security theater. I like that, uh, terminologist because it's a little fun as well, but it's a theater. Like, can we actually talk about, the things that will really make us more secure? and that's when the conversation starts.

[00:02:36] Tim: And that's, that's an interesting way of looking at it. and I was gonna say, check the box is the one that I hear the most because I, I feel like, when I look at like all the different, security vendors that are out there today, like when I look at the security industry, I feel like one of the hardest things for a CISO or a security leader to do is. Makes sense of all of it, right? Because everybody wants to sell something and sometimes, you're trying to decide is, is this actually solving my problem or is this checking a box? Like, I have this problem and I think this one will, will do it for me, but is it actually solving, your solution or is it just, you know, satisfying the board or satisfying the executives? that's a common question in, in concern. So I guess that kind of leads me into, I. You know the question from your perspective, like how can you do more than just checking the box, right? Like that's, I see it as a problem. I talk to people all the time that see it as a problem. but from your perspective, like how do you do more, how do you do more than just checking a box? How do you make sure that you're solving the actual problem?

[00:03:35] Alberto: As leaders or like we need to make like, people, like everyone, like in our teams to understand, uh,about security and, its implications and its consequence. depending on the level of security, depending on the level of mature that you are in your company, depending. In a few factors, like, uh, you, you're gonna actually define the level of security that you are and like where you wanna be. And as everything else when you're building software, there's a cost, there's a risk. and I think that's where people sometimes struggles, a little bit because they, they, they think, oh, we need to fix everything. We need to check out this box. So I guess, to answer your question, I try to, bring awareness to my teams, to my exec team, to my investors, and try to explain. That we may need to invest in different areas, that we need to focus in certain areas. And, uh, that's the way that I've been doing and, uh,that's how I, I, I try to, to address that, uh, team.

[00:04:40] Tim: So kind of to continue on that whole check the box theme, like how would you say that something is truly secure? Like, would you ever feel comfortable saying that something is, secure? I'll put it in, in quotes there,

[00:04:52] Alberto: I think there's like, uh, two parts for that answer. there is indeed, software and technology and practice and procedures, in cybersecurity that, you, you know, guidelines you can follow that will help, your software, your platform to be more secure. So, I think, um, those are, pretty relevant. you cannot be treating security like as an after the fact after I build the software. you know, there was like that movement of like shifting quality to the left in the past, and I like to say like shift security to the left. Like the earlier you, you, you bring security. the more secure, like, you know, as you're building the house, you're thinking about security instead of actually building the house and then actually trying to add the secured measurements. that's what, I recommend people to avoid doing. but there's like mechanisms for you to know to validate,your implementation to know if you are like exposed or not, and create like observability measurements to let you know when you have like a, a new door open and things like that. But, equally important team, that's how I, uh, I, I see it is the awareness of, my engineering team. And it's like having like my secure engineers working side by side with everybody else. So as we are building the platform, as we are writing software every day, we have the security mindset embedded in our D N A. those two angles. they compliment each other.

[00:06:25] Tim: absolutely. And I think, you know, the term that I hear every day is DevSecOps, right? Um, it used to be shifting testing left, and now it's like shifting security left, shifting everything as soon as, kind of to the left of the DevOps teams. Right? And so you have a little bit of a unique position, on this because I think, you know, you come at it from maybe a technology perspective, right? And maybe not a security, practitioner's point of view, strictly speaking. And so, You know, what do we as security practitioners need to know about development and engineering? Like, I, I get on many calls with, with people and they say, look, Tim, like, I need some help and some guidance because, the development team hates us, or the development team won't work with us. Right. The engineering team thinks we pass them too much stuff or, you know, they don't wanna work with us. We have these silos built up, you know, so, so maybe. You know, one way that we as security people can fix that problem is if we understand some more about development in engineering. So what do you think that we should know, about development, teams or engineering teams?

[00:07:28] Alberto: you cannot be seen as an outsider. because then it is gonna happen.it will happen exactly what you said. Like, oh, you are giving me more work to do. Like we already have like, uh, our North Star, we are already actually moving the boat this direction, and now you wanna actually add extra work for me. It's really hard to prioritize. It's really hard to get the work done. it's quite challenging. as a leader, and, and this is like one of my passion is like how to organize teams. where they have like a shared purpose and the purpose is to move the business forward. We just have like different perspectives. Myself as a product manager or like a individual contributor, or like an architect or like a DevOps or a SecOps. We're all on the same literally boat, which is the company. everyone talks about objective key, key results, and like we have an objective, and then the key results, they don't get aligned. So if we don't make security a top priority as building a new feature on the application as, automation as, ci i c d, how can we actually out succeed? Like building a new feature, but actually lacking, you know, uh, customer data or like network security or what's the point if we're gonna be on, like, on the news tomorrow with like a new security breach? And then we have like the most shining feature. So, I, like in my teams, it's how I organize the teams and how I define my North Star and how I get the teams together. To, okay, Alberto, like the team together. I like that kind of stuff. But how do you do that? Well, that can be like a completely podcast about that,

[00:09:15] Tim: Sure.

[00:09:16] Alberto: Security should not be seen as a separate group, as a separate initiative, in my opinion, in my experience, all the concerns when building software, it could be architecture, it could be security, it could be automation, it could be. building new features or taking care of tech debt, you name it. All of them is like one single source of truth for, as you are building your roadmap and as you are actually working on it, and it's everyone responsibility, it's not only for like the security team. Many don't have a security team. Some companies have like one or two or like, but those people with that kind of specialty. They should not be a separate organization with like a separate roadmap in my opinion and experience.

[00:10:06] Alberto: No, that's spot on. I think I heard a couple of things there that I'd like to, key in on, and you tell me, if you think it's the same, it seems like you know, number one, share the same goal. And you mentioned a couple of different types of goals, right? It's, it could be a goal around maybe a technological goal of, Hey, we're gonna have fewer defects, or we're gonna fix this problem. Like, it could be a goal from that perspective, or it could be the overall, a business objective, right? Hey, we. Need to push this new feature out in our application. It's gonna take security, it's gonna take development, it's gonna take all of us to do it. So we need to figure out how to work together to make it happen and not be fighting amongst ourselves. So number one is, is find that goal that you're both, you know, trying to achieve. And that, I think the second thing that I, that I heard you say. Is also like everybody's busy, so don't give 'em more work, right? If, if we as security people are kind of tossing things over, whether that be tools or, maybe results from a scan that we do whatever it is and we give them a lot more work without any thought as to what that's doing, that's not gonna kind of create That mindset or that that, that you want for the, for, for your organization? Did I sum that up? Yeah, I think I set up like, uh, that very well and, and like, if you think about, um, there is the secure team that we have to make sure that whatever product we are building is secure. There's the tech that there's like, the automation stuff that needs to be done. There's like the new features that needs to happen. if you don't create like a common goal for the organization. And then in order to, to achieve that goal, we need to actually be working out this items, these concerns. what happens is it's like, oh, now I'm gonna have to set time on the side. To actually be doing that. And that's really hard. That's where the conflict comes. So, and then you need to avoid that team. And, and, one thing that, really helps and I've seen working really well is, is explain. and educate the team with like, what happens if we don't do, or if we decide to do nothing about security, like you want, like, let's say 1, 2, 3 things that you wanted them to do like this quarter. What happens if you decide to not take that action

[00:12:25] Tim: Yeah.

[00:12:25] Alberto: when you actually answer that question, now you start actually bringing people's attention. Would you be okay if that happens? Because we are exposed to it. Uh, the answer is no. Okay. So how can we get there? Like, the first reaction of like human beings many times is just no, no, no, no, no. But then when you actually have the moment and you get the attention, yeah, let's talk a little bit more. But you need to put that like as on the single source of like, uh, true for like the roadmap and that kind of stuff.

[00:12:55] Tim: Yeah. Yeah. I think that is typically kind of the first reaction is, is no. That's why security kind of has that reputation as, you know, the, the group of of no itself. You know, like we don't, we say no to everything. We don't wanna do anything. So we have that reputation, as well. but just to kind of, Keep going down this thread a little bit more, how do you position security as a necessary and positive function within the organization? you know, sometimes teams, I feel like, they, they're like, we don't need security cuz we do security. We have our unit tests or, the operations folks be like, Hey, we're monitoring. Or, you know, we're inherently secure because we're in the cloud, or something along those lines. So like, how do you, as a, as kind of a leader and executive in your company, you know, how do you think people should position security as, as necessary and positive?

[00:13:44] Alberto: the fact that you're in the cloud, that doesn't mean that you're secure at all. That's just the beginning.

[00:13:50] Tim: That's true. 

[00:13:50] Alberto: I think my job as a cto, as as a technology leader, it's, it's my job to bring awareness, from many different facets. when you're building the, the, I want the company to be successful as anybody else, but I need to bring the awareness, I need to bring, the opportunity for people to get educated on what that means. I talk with the product managers, I talk with, like this team, I talk with the sales person, the marketing person, because anyone in the company is actually responsible for security. So when I first joined, we didn't have like, even like simple things as two factor authentication for like, most important piece of software, like near to none,

[00:14:32] Tim: 0 1. Yeah.

[00:14:34] Alberto: one on one.

[00:14:35] Alberto: And uh, but I don't actually say. One on one in a bad way. Don't get me wrong.

[00:14:40] Tim: Right, right, right,

[00:14:41] Alberto: feel like there's a level of maturity for the company, and, and security. And this is like one important thing. Like security is not the one thing you do and you're done. Security is a journey. it's something that you get mature, you grow over time. and I think having those conversations everyone in the organization regardless where you are. I do like a, what I call like a show and tells, or like presentations,

[00:15:04] Tim: Mm-hmm.

[00:15:06] Alberto: how to bring the awareness because you don't talk security generally speaking until something goes wrong. And then when something goes wrong, that's too late. It is like security is something that you need to be proactively doing. So, and that's what I do. Team like, to answer your question, there's no magic bullet to suddenly you be secure. You have to start in a day, and that day is today, it's yesterday, you know, if it's today you are late and you, you, you have to be, defining what does, what does that mean for your organization. are you comfortable with and what you are not comfortable with? And I had this conversation with my exec team cuz I said like, we're like a startup. We are growing quickly. as we are growing quickly, at some point we're gonna go to a diligence process. At some point we are gonna get enough exposure that people are gonna try to actually exploit what we have out there. Are we okay getting like data exposure? Are we okay to intruders to get to our system? Are we okay? The answer is typically no. So, okay, so then we need to do something about it. and it's been like, at least at, uh, my experience at uh,LawnStarter. that's how I bring the awareness and how that's how I get the budget to invest. That's how I actually get, items prioritized. and we've been making like really good progress with this awareness. So if you're like a CTO and you're not talking about security, and if you're not actually even have the definition clear in your head of what security means in your organization. So I was struggling. Recommend you start having those, conversations and thoughts,in place.

[00:16:51] Tim: Yeah, I, I like that. Talking about what security means in your organization, I also like the fact that you have,you know, places like, town halls or what have you, where you talk about this kind of stuff. Cuz I think, I used to do that as well when I was a ciso. It was. That was some of the best times to do it. We wanna, you know, mfa, is not enabled. Well, let's go ahead and just have a town hall. Let's, let's have a discussion about it. Cuz if you just send an email saying MFA is enabled, you know, by X date. Like they're gonna be like, why? Like, what is the purpose of this? Right? And so I think being open and honest and the whole education part of security, is, is super important.

[00:17:24] Alberto: which honestly, I, I try to constantly be educating myself. There's always something new. There's I'll,a new way or like, uh, and I'm not talking about vulnerability A or B or C, like scanners. I'm not talking about that. But, I do love the idea of bringing, I have like observability for my applications. I like to actually have observability from the security point of view as an example. you know, just, Hey, you have like a new thing here, you know, and then we take actions. You create a process for people to be alerted. Like if there's like a new account and that account is not set up, uh, in, in a certain way, you, you get alerted and, and, and that goes back to the cloud. Like you, at the same time, you want to empower the engineering teams to move rapidly and, and, and, and. Building the software and deploying the software. You wanted to do that, like in a security way from, from the get going. And how do you do that? And, well, there's practice and, but that's how I like to, to approach that team.

[00:18:25] Tim: one thing I do wanna make sure that we, that we touch on, cuz I think it's really interesting is, is your book, so you wrote a book, called, uh, building and Managing High Performance Distributed

[00:18:36] Alberto: I have it here. Yes. This

[00:18:37] Tim: You have. There you go. I like it. you know, I'm, I'm a big fan of distributed teams. I think you can do it. Very well. It's about understanding how to manage 'em. I did it for years when I worked at, Nielsen for, I, I think I worked there eight years. and I was always remote. I worked from home and I managed teams, you know, as large as like 55 I think, or something like that at the time. Right. and you can do it. And so like, tell me a little bit more about that and, and is there a specific. You know, lesson or takeaway. obviously I don't want, I want people to get the book and read the book, but is there something that you wanna kind of a good takeaway or a kind of a lesson you'd like to share? from the book?

[00:19:15] Alberto: like you, team, I, I started building like distributed teams way prior to the pandemic, just to make that super clear. I didn't start a pandemic. This, I've been, you know, uh, well, let's, let's not talk about like, uh, how long ago,

[00:19:30] Tim: We, we don't

[00:19:30] Alberto: have like lot of

[00:19:31] Tim: our ages. No. Yeah, yeah, yeah. We don't need to talk about that.

[00:19:34] Alberto: the main thing about being. working distributed is, it's like you have, you have to start from the foundation, which is you need to have like a very organized, way of operating. You need to have like, very well defined processes, and bring visibility. I recently, uh, published and I've been working on this theory about how you measure the productivity of software teams.

[00:19:57] Tim: Mm-hmm.

[00:19:58] Alberto: To help bring the visibility. I think the current metrics and the industry, they're good, like the Dora metrics and, and and things like that, but they don't tell like the whole story. There's a lot of invisible work that happens in software teams. So I think like the main thing, and this applies even if you're like in the office, but especially like in a distributed environment, it's how to make the invisible work visible. How do you bring the transparency? because, you know, just sitting in a chair doesn't mean that people are working, you know, just micromanaging also doesn't work. You know, I actually heard the stories that during the pandemic, as, as soon as everyone goes to like a remote meetings, people would leave like the zoom open, like during business hours to actually make sure that, uh, you know, everyone is working.

[00:20:50] Tim: Oh my

[00:20:51] Alberto: So, yeah. Have you heard that one?

[00:20:54] Tim: I have not. Mm-hmm.

[00:20:55] Alberto: So, so you realize that those things don't work. So I think like the trust, the empowerment, the process, it's what's gonna make you to have like a successful, uh, building, uh, a distributor team. I talk a lot about in my book about like how you do it or what the different kind of process, how you measure the productivity and all those kind of stuff. But the foundation is, trust. And you believe, you make people to believe and have like that sense of belonging, of achieving a collective goal. Cause as soon as you have people in your team that they don't care about the ultimate goal. What I tell to everyone is like, listen, life is short. We spend, most of our time is actually at work, right? We, it's like at least eight hours a day, five ti five days a week on a normal, like a regular job. If you don't love what you doing, just go do something else and you're gonna be successful. and that is the foundation for, in. High performance team I say a lot of the objects here, but that's like what my book size says is like trying to bring people to reality. So,

[00:22:04] Tim: Yeah, I think that, you know, I think maybe this is me just, you know, hypothesizing, but sometimes, you know, distributed teams can really. if you, if you're not a great manager in the first place and you don't understand some of the core principles of managing, you know, being distributed is just gonna make it harder. Like, I'm, I've always been a big goals and objectives sort of manager, right? Where, you know, my team knows what they need to achieve in the year. and then you've got those check-ins that can happen every month or quarterly or something to make sure that you're, that you're meeting those in addition to like your weekly meetings where you. Talk about what's going on, what they need and all that. But like, it's like, you know, if you know what's expected of you and your team knows what's expected of you, and you, kind of lay all that out, you know, it shouldn't be a surprise that you're still, that you're still performing. Right.

[00:22:49] Alberto: and,

[00:22:49] Alberto: it is not for everyone. Team, that is not for every company, is not for every line of business. I'm not actually suggesting that by any means. I'm talking specifically for software teams.

[00:23:00] Tim: Mm-hmm.

[00:23:00] Alberto: And, and if you, you touch it, like a very good point. If you're like, I'm not a good manager in the office, you will not be a good manager. And, and, and, and vice versa, right? If you're not good manager, you're not good manager. If you are actually not a good IC and you like to actually do things around and get distracted with, you will not be good in the office and you'll not be good in. And that's my point for the people that are accountable and committed, that are passionate about, they are doing that. And then you create that environment. I guarantee with, uh, 110% of confidence because I've done this a couple of times. Different comp, different, it works, it works. I'm, I'm very confident. So, and that's why I wrote that, uh, the book and I've been doing, doing that. And, it's, it's pretty fun. It gives like the time for you to really have like a really good, life out there and have fun at work at the same time.

[00:23:51] Tim: It, it does. No, and, and I'm an introvert by nature, so that's another thing. I feel like if you're an extrovert that has to be around people all the time. Like, you know, maybe, maybe that part, the distributed team where you're working by yourself is not as, uh, much for you. Like I find it easier.

[00:24:06] Alberto: Yeah, just wrap up on that. Uh, people also get confused. Um, oh, distributed is like what we've been doing at the pandemic. I said two separate things. Pandemic was a lock down, and, and then you, you were forced to work from home without any structure. And just doing that overnight, that is not what I call, like building high performance distributed teams where you are organized, where you are prepared, where you have like the mindset, where you have the trust in place. Two separate. So I think it's important to separate those two things. and as we were talking before about security, there's some security. Uh,concerns that you actually have to check. You have to have like a data compliance. You have to be like, uh, you know, you have to check some good boxes, I would say, and, and that when you work from home, or remote or from whatever you are, you have to follow some rules. It cannot just be, Hey, I'm here like from the beach every day shopping mall. Like, no, no, no, no, no. So my point is like, it's possible doing it. No questions about it. It's not for everyone. but if you can actually do it, the teams will produce a lot more than the traditional s That's like the main takeaway that, uh, I would like people to take, to think about

[00:25:22] Alberto: Oh, I like it. Awesome. All right, time for some rapid fire questions. and then we'll wrap up. So brace yourself. how would you describe your leadership style in three words? empowerment. Trust and humanized.

[00:25:39] Tim: Okay. I can see those fitting into the, to the book as well. for sure. what emerging technology or trend in cybersecurity excites you the most? 

[00:25:48] Alberto: I think, uh, all the. Observability, security and observability and actually how that can help me and my teams shifting, that concern to the left,

[00:26:01] Tim: Thank you for not saying chat, G P T. Uh,

[00:26:05] Alberto: uh, you made me

[00:26:06] Tim: agree. I agree. All right, last one. What one tip would you offer listeners to increase their cybersecurity?

[00:26:12] Alberto: talk about it.

[00:26:14] Tim: There you go. I like it. That's a, that's a great way to end. Talk about it. 

[00:26:18] Fade in theme song

[00:26:18] Tim: Uh, that's all for today. Thanks so much for tuning into our conversation. If you like this episode, please subscribe or consider rating the show. And tune in next time for another episode of Code to Cloud.

[00:26:29] Ad read