Our security team is small but mighty and looking to add new team members! I sat down with Director of Security Kathy Wang, who built the team from scratch. See our conversation below and get to know the rest of our security team, and read about their work in the security handbook.
Can you tell us a little about your previous experience and what you do at GitLab?
I’m a career security practitioner and have been focusing on security for nearly 20 years. At GitLab, my team is responsible for securing all GitLab products and services, including the GitLab.com infrastructure.
If I remember correctly, you started the security team from scratch – how has that experience been, and what are you excited about?
It is always exciting to build a security team from initial stages to maturity! I was the de facto CISO at a tech firm two jobs ago, where I built a security team as well, and each time, it is a different experience. GitLab is a very unique company. I have never encountered a company quite as transparent as GitLab, and 100 percent of GitLab’s employees are remote. That presents its own set of security challenges, but these are exciting challenges that my team is well equipped to handle.
In the grand scheme of things, security is a pretty new field, so what are some ways that people can get into security?
Seasoned security professionals are in high demand, and there’s never been a better time to get into security! I’ve mentored a number of people looking to become security practitioners, and one of my first suggestions is to start attending local security meetups and events. Getting to know other security practitioners in your area and listening to their briefings will help you understand what types of problems security practitioners solve. Through networking at these events, you’ll discover who is hiring locally and at what level of expertise.
When I was starting out in my security career, I attended local security events and meetups, and through those events, I met a number of open source developers. It was fun to learn from them and contribute to those projects. In turn, their work inspired me to start a couple of open source projects myself. As a result, I discovered that I’m pretty good at assessing gaps in current security capabilities and figuring out how to bridge those gaps – but not always in an obvious way. To me, that’s one of the most exciting aspects of this role.
What are some transferable skills that you see as good preparation for a role in security?
Security practitioners come from quite a varied set of backgrounds. I’ve learned through working with many people over the years that critical thinking and problem-solving skills are the most transferable. Information security is an arms race, and continually thinking creatively to minimize security risks is tantamount to a successful security career.
Tell us about the current security team – how big is it, and what are they currently working on?
We have a creative and talented security team at GitLab! Our standards are high, and we work hard here because we take securing our customers’ data very seriously. Currently, we are a small team and will scale as the company grows. Our Security Vision, our hiring plan, and what our security team is focused on are outlined in our security handbook.
Is the team able to make use of our new Security Dashboards feature and consult on improving the feature going forward?
I’ve always believed that our security teams should regularly contribute to our products and services. At GitLab, the security team is at the forefront of providing that expertise and experience to developers, because we are in the best position to understand what security-minded customers would find actionable in security features.
For example, I recently built my own set of prototype security dashboards, so that I could explain to engineering and marketing teams what "actionable metrics" mean to security professionals. The security team briefs all of GitLab on a biweekly basis, and those metrics are used to demonstrate progress. You can build all the security dashboards and features that you want, but in the end, what can we do with the data to raise the bar in security? After presenting these metrics, I love that from top-down, everyone agreed to bake these improvements into GitLab’s future product roadmap, so that our customers ultimately benefit as well.
We have a ton of security openings right now – can you share a bit more about the security team's focus and scope moving forward, and what new team members can expect when they join?
Since we are a small security team, we plan to grow the team to scale to the growth of the rest of GitLab, so that remains our focus for the foreseeable future. As an all-remote company, we all work in different locations, and new team members should expect to collaborate across teams and departments – not just within the security team. It’s ironic, but when working entirely remotely, it’s even more important to over-communicate with everyone in order to obtain and deliver results.
Do you have any tips for people applying to security roles at GitLab?
We are very interested in anyone passionate about security. It’s even better if you have contributed to open source projects. We want to know that you will bring with you a resolve to be constructive when working with others. At GitLab, everyone contributes to making our firm secure; as such, our security team continually educates and guides our staff on secure practices in order to mitigate evolving threats.
Anything else to share with folks interested in security and GitLab?
At GitLab, we value all contributions made by our staff in an open and transparent manner. Our security team continues to make positive, measurable impact across the company that can be easily translated to long-term customer value. We enjoy healthy, transparent debates about secure practices, while quickly implementing effective solutions that empower us to make better data-driven decisions, long term.
Cover image by Felix Russell-Saw on Unsplash