Our security team is small but mighty and looking to
add new team members! I sat down with Director
of Security Kathy Wang, who built
the team from scratch. See our conversation below and get to know
the rest of our security team, and read about
their work in the security handbook.
Can you tell us a little about your previous experience and what you do at GitLab?
I’m a career security practitioner and have been focusing on security for
nearly 20 years. At GitLab, my team is responsible for securing all GitLab
products and services, including the GitLab.com infrastructure.
If I remember correctly, you started the security team from scratch – how has that experience been, and what are you excited about?
It is always exciting to build a security team from initial stages to maturity!
I was the de facto CISO at a tech firm two jobs ago, where I built a security
team as well, and each time, it is a different experience. GitLab is a very
unique company. I have never encountered a company quite as transparent as GitLab,
and 100 percent of GitLab’s employees are remote. That presents its own set of
security challenges, but these are exciting challenges that my team is
well equipped to handle.
In the grand scheme of things, security is a pretty new field, so what are some ways that people can get into security?
Seasoned security professionals are in high demand, and there’s never been a
better time to get into security! I’ve mentored a number of people looking to
become security practitioners, and one of my first suggestions is to start
attending local security meetups and events. Getting to know other security
practitioners in your area and listening to their briefings will help you
understand what types of problems security practitioners solve. Through
networking at these events, you’ll discover who is hiring locally and at
what level of expertise.
When I was starting out in my security career, I attended local security events
and meetups, and through those events, I met a number of open source developers.
It was fun to learn from them and contribute to those projects. In turn, their
work inspired me to start a couple of open source projects myself. As a result,
I discovered that I’m pretty good at assessing gaps in current security capabilities
and figuring out how to bridge those gaps – but not always in an obvious way.
To me, that’s one of the most exciting aspects of this role.
What are some transferable skills that you see as good preparation for a role in security?
Security practitioners come from quite a varied set of backgrounds. I’ve learned
through working with many people over the years that critical thinking and
problem-solving skills are the most transferable. Information security is an
arms race, and continually thinking creatively to minimize security risks is
tantamount to a successful security career.
Tell us about the current security team – how big is it, and what are they currently working on?
We have a creative and talented security team at GitLab! Our standards are high,
and we work hard here because we take securing our customers’ data very seriously.
Currently, we are a small team and will scale as the company grows. Our Security Vision,
our hiring plan, and what our security team is focused on are outlined in
our security handbook.
Is the team able to make use of our new Security Dashboards feature and consult on improving the feature going forward?
I’ve always believed that our security teams should regularly contribute to our
products and services. At GitLab, the security team is at the forefront of
providing that expertise and experience to developers, because we are in the
best position to understand what security-minded customers would find actionable
in security features.
For example, I recently built my own set of prototype security dashboards, so
that I could explain to engineering and marketing teams what "actionable metrics"
mean to security professionals. The security team briefs all of GitLab on a
biweekly basis, and those metrics are used to demonstrate progress. You can build
all the security dashboards and features that you want, but in the end, what
can we do with the data to raise the bar in security? After presenting these
metrics, I love that from top-down, everyone agreed to bake these improvements
into GitLab’s future product roadmap, so that our customers ultimately benefit as well.
We have a ton of security openings right now – can you share a bit more about the security team's focus and scope moving forward, and what new team members can expect when they join?
Since we are a small security team, we plan to grow the team to scale to the
growth of the rest of GitLab, so that remains our focus for the foreseeable future.
As an all-remote company, we all work in different locations, and new team members
should expect to collaborate across teams and departments – not just within the
security team. It’s ironic, but when working entirely remotely, it’s even more
important to over-communicate with everyone in order to obtain and deliver results.
Do you have any tips for people applying to security roles at GitLab?
We are very interested in anyone passionate about security. It’s even better if
you have contributed to open source projects. We want to know that you will bring
with you a resolve to be constructive when working with others. At GitLab, everyone
contributes to making our firm secure; as such, our security team continually
educates and guides our staff on secure practices in order to mitigate evolving threats.
Anything else to share with folks interested in security and GitLab?
At GitLab, we value all contributions made by our staff in an open and transparent
manner. Our security team continues to make a positive, measurable impact across
the company that can be easily translated to long-term customer value. We enjoy
healthy, transparent debates about secure practices, while quickly implementing
effective solutions that empower us to make better data-driven decisions, long term.
Cover image by Felix Russell-Saw on Unsplash