This is post 2 of a 3 part series profiling several women in GitLab’s security organization. See part one, "How to break into security"and three, "Considering a career in security? Here’s some advice.".
Breaking into technology, and security, can be difficult for anyone. At GitLab 31% of our workforce identifies as women. In our security department we have ten team members who are women out of a total of 48 team members; that’s 21%. Global women in tech numbers are around 21.4% according to CNET and this recent study, “Resetting Tech Culture” indicates that young women who go into tech drop out by the age of 35. How do we change this? GitLab is looking to help there through our outbound hiring model, tracking and working toward key metrics, inclusion training, team member resource groups, Engineering department-based developmental and networking groups (like our Women in Security group), building and fostering an inclusive remote culture and mentorship programs.
Reading a job description can only shed so much light on a role. When considering a company or career path, it helps to understand what the organization, the roles and the responsibilities look like, from the inside. This is part 2 of a 3 part series where 8 women in our Security department share details about their roles and the actual projects they are working on.
We asked:
- What do you do and what are some recent projects you’re working on?
- What’s something new and/or exciting that you’d like to learn or be involved in?
- If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer?
Julia Lake - Director, Security Risk and Compliance
Joined GitLab April 2020 / Connect with Julia on LinkedIn
What do you do and who do you collaborate with in your role? I am responsible for the Security Assurance sub-department, which includes the security compliance, security operational risk and field security functions. Security Assurance is part of the Security department, which is part of the broader Engineering organization at GitLab, and we work cross-functionally across the entire organization. We are extremely focused on information security and partner with system and process owners in order to ensure security controls and best practices are embedded throughout our environment. We also support our customers in their assessment of GitLab’s security practices and provide feedback from the field to drive internal security strategy.
What are some projects you’re working on? As an organization, some recent projects we’ve embarked on include: SOC 2 Type 2 and SOC 3 audit and report reviews, third party GRC application deployment, customer and sales enablement program development, and deployment of an operational risk management function. Personally, I’ve been focused on organizational strategy and roadmapping, policy definition and metric redesign.
What’s something new and/or exciting that you’d like to learn about or be involved in? I’m always interested in learning more about the different functions of security. Lately I’ve been particularly fascinated in learning more around Zero Trust architecture and best practices and am slowly making my way through NIST 800-207.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Go for it! Security is so incredibly dynamic and you can choose a career path that aligns with your specific interests. Security Assurance is especially interesting to me because we are truly leading the charge on helping organizations grow and mature their security posture, and we have the opportunity to partner with our wonderful customers along the way. My biggest piece of advice for Security Assurance professionals is to challenge yourself against complacency, be adaptive to change and think critically about how new requirements can be applied to meet intent without hindering the business. Also, good documentation is a shield.
Jennifer Blanco - Sr. Risk and Field Security Engineer
Joined GitLab June 2019 / Connect with Jennifer on LinkedIn
What do you do and who do you collaborate with in your role? My focus is on Third Party Risk Management, specifically creating processes to evaluate the security maturity of organizations to ensure they can meet or exceed GitLab’s own standards. This includes traditionally-procured vendors and other third parties that could impact GitLab through activities such as handling our sensitive data or providing a service that is a dependency to our business operations and product offerings. I’ve been iterating on the program to methodically focus on third parties most critical to GitLab while building out the security aspects assessed to identify the risk level to GitLab. Such considerations include: data protections the third party has in place, their organizational security management practices, the technical posture of products, and the ability to support our compliance to customer, industry and regulatory requirements. I partner with teams including Security Compliance, Application Security, Legal, Procurement and IT to gather salient inputs that feed into the program’s evolution.
What are some projects you’re working on? I partnered with my team members working on Security Operational Risk Management (StORM) to create the inherent risk rating scoring for third-party security reviews which effectively narrows the scope for our reviews to the most adverse impact on GitLab. I created a supplemental third-party hardening guide meant to be consumed by business owners and third parties directly, and I’m working on an internal guide on how to share GitLab data externally. I’ll be focusing on expanding third-party reviews to product assessment with the Application Security team and automating these in a more technical fashion. Other contributions I’ve made are identifying contractor requirements for elevated access and reviews for free apps which focus heavily around Terms of Service and Privacy Policy; since nothing is ever truly free.
What’s something new and/or exciting that you’d like to learn or be involved in? My goal is to become a Data Privacy expert to intersect my interests in systems security, regulatory compliance and ultimately contribute to industry and public policy around big data. Having worked on contracts for both the customer and vendor side, I know the importance of understanding the inner workings of generating and processing data to uncover all the critical paths to assess the adequacy of safeguards. But in addition to being a Security professional, I’m a consumer who wishes to protect my information by raising the bar in the industry and creating mechanisms to keep companies accountable. This is important work because industries can’t evolve along with the ingenious new threats without practitioners who really “get it”, from both a technical and risk perspective.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Third party management differs by industry but one thing is constant: risk management. I recommend learning how to think about risk so that you can sniff it out and create relevant treatment plans. If specifically interested in the technology space, I would start by reviewing top companies’ security statements to understand how the leaders in the industry are protecting their customer assets. I’ve seen a lot of companies phase from keeping information tightly restricted to becoming more transparent so you can learn a lot about an operation from their public-facing materials. Remember to “follow the data” as a detective would follow the money. Data is big business nowadays and it’s just the beginning so learning how to sleuth out data, typically one of the most important assets for companies, will help in guiding your security reviews. On a final note, don’t be discouraged if you didn’t follow an Information or Computer Science track in your academic career. In this information age, there’s no shortage of resources as long as you have the drive to take advantage of it. Be cognizant of how you want to shape your career and take even the tiniest steps towards it; it adds up over time.
Juliet Wanjohi - Security Engineer, Security Automation
Joined GitLab May 2020 / Connect with Juliet on LinkedIn and Twitter
What do you do and who do you collaborate with in your role? I recently joined the Security Automation team as a Security Engineer after an exciting summer internship in GitLab’s Security department. My main responsibilities include the design, build and deployment of security tooling and automation in order to help speed up security-specific efforts. This involves working with my fellow team members as well as various GitLab users and customers. At the moment, I am ramping up my skills and knowledge in languages, tools and technologies that our team uses in their automation efforts.
What are some projects you’re working on? Currently as a team effort, we’re building an anti-spam service that will aid in the identification and prevention of spam-related content across GitLab the product. Through this project, I am getting the chance to take part in technology research and architectural conversations related to building the product and how it will ultimately be consumed by users. Previously, during my internship, I was also able to work on a variety of projects ranging from improving path traversal checks on file names and file paths for GitLab the product to using machine learning techniques for security detection use-cases.
What’s something new and/or exciting that you’d like to learn or be involved in? I am interested in learning more about securing cloud infrastructure and cloud native applications. Considering a lot of applications are moving to the cloud, I feel that this would be a very strong skill set to have moving into the future. An interesting avenue that I would like to pursue further is focusing on protecting Machine Learning as a Service cloud platforms.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Building yourself a support network of friends, mentors and peers can go a long way in helping you shape your security career. This can be in the form of seeking advice on career goals and/or guidance on resources that can help you grow your knowledge and skill set. Taking each day as an opportunity to learn something new is also super important as one needs to keep up with changing technological trends in security.
Liz Coleman - Sr. Security Assurance Engineer, Compliance
Joined GitLab January 2020 / Connect with Liz on LinkedIn
What do you do and who do you collaborate with in your role? I am currently part of the Security Compliance team and my main responsibilities include managing the SOC 2 program, user access reviews, control testing and any other ad hoc security compliance related activities that come my way. As compliance initiatives span the entire organization, I work with a variety of other teams in order to get my job done.
What are some projects you’re working on? Right now we are in the process of obtaining our SOC 2 Type 2 certification. This has required a continuous effort in order to get our GitLab Control Framework (GCF) control set up and running, tested, and into a state of continuous control monitoring. As the directly responsible individual for the SOC 2 program, I have been living and breathing SOC-related control testing, project management and external audit preparation for the last few months now. It’s quite a bit of work but I know it will be well worth it once GitLab obtains their certification.
What’s something new and/or exciting that you’d like to learn or be involved in? I’ve always been interested in learning more about the growth of cloud native computing and how organizations have had to adapt and change processes or procedures in order to best manage workflows. Right now, I’m currently working on expanding my ISO27001 knowledge as that is next on the horizon for possible GitLab certifications.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Open your mind and put yourself in a mental space of learning and growing from everyone around you. Working in security compliance requires knowledge and awareness about all aspects of an organization. Having that general understanding of which teams do what and why will help develop your comprehension of compliance requirements by function, team, and holistically for your organization.
Meghan Maneval - Manager, Risk and Field Security
Joined GitLab July 2020 / Connect with Meghan on LinkedIn
What do you do and who do you collaborate with in your role? I am the Manager of Risk and Field Security and work with an amazing team of Risk and Field Security Assurance Engineers here at GitLab. With my position and responsibilities I also work very closely with my fellow Security Managers, members of Sales and Customer Success, and GitLab team members across the organization. My team’s goal is to identify risks that could negatively impact GitLab and our ability to meet our goals.
If you think of your car, we are your safety features and focus on three main areas of security:
- Field Security is like your car insurance. We assure our customers that we can meet their security needs and thus protect our revenue stream.
- Third Party Risk is like your lane assistance. We identify risks from third parties and direct the organization away from danger.
- Security Operational Risk is like your check engine light. We identify risks from within the company and assist in remediating them.
If you’re interested in learning more you can check out this video on how the Risk and Field Security team adds value to GitLab.
What are some projects you’re working on? My team and I recently implemented a SaaS governance, risk, and compliance (GRC) tool to manage our security assurance activities. We are still in the process of fully implementing it, but we have made a lot of progress so far. Within this project we got the opportunity to review all of our processes and really uplevel the maturity of our programs. I recently presented at a user group and discussed the implementation and how GitLab utilizes the tool for Risk Management activities.
What’s something new and/or exciting that you’d like to learn or be involved in? I’m actually really excited about a new program we are building: the Customer Success Partnership Program. This is a multi-functional partnership where each of us will learn from each other about the various ways we can help support our customers. I’m really looking forward to learning more about the sales and support processes in place at GitLab and help iterate on them.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Align yourself with a strong mentor who understands how the organization works. Most security principles are applicable across most industries and organizations. Encryption is encryption, right? But it is critical that you understand how security fits into the organization, how management views security, and how you can integrate security into other processes. Making strong connections throughout the organization is critical to success in risk management. It makes delivering “bad news” easier and allows you to make more educated recommendations to remediate them.
Mitra Jozenazemian - Senior Security Engineer, Security Incident Response Team
Joined GitLab July 2020 / Connect with Mitra on LinkedIn
What do you do and who do you collaborate with in your role? I work on the GitLab Security Incident and Response (SIRT) team. For any security incident or event that would happen here at Gitlab, we act like firefighters-- researching and responding to incidents, while working with other teams to mitigate the incident ASAP. The rest of the time, we are implementing and improving tools that can help us to detect and respond to the incidents faster and more effectively.
What are some projects you’re working on? Recently, we implemented a new security information and event management (SIEM) solution to further improve visibility and detection and response capabilities. This allows my team to send logs from different applications to the new SIEM and then we work to define different scenarios of suspicious activities. From these potential scenarios, we create alerts for detecting them and runbooks to help us respond to those alerts.
What’s something new and/or exciting that you’d like to learn or be involved in? I would like to be more involved in the red team activities. I’d like to wear their red hat and try to see the organization from an attacker’s eyes and find the gaps and vulnerabilities that might be hidden.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Technology, and therefore security, is a constantly changing area. So, if someone were interested in being a part of SIRT, they’d need to be familiar with several different types of technologies, frameworks and programming languages. They should remain up-to-date and informed on news and research about recent technologies, and new cyber security attacks and vulnerabilities. Being able to develop the ability to think like both an attacker and defender to improve detections and post-incident recovery process is also a very helpful skill in this area.
Rupal Shah - Security Compliance Engineer
Joined GitLab October 2020 / Connect with Rupal on LinkedIn
What do you do and who do you collaborate with in your role? I’m still pretty new to GitLab, but once I am fully up to speed, I will be the Governance, Risk and Compliance Administrator managing the GRC application, creating training, updating policy documents, evaluating frameworks and assisting with user access reviews, audits, control testing and other ad hoc security compliance related projects that are defined. I will be working with a variety of teams throughout GitLab as Compliance affects everyone.
What are some projects you’re working on? We are onboarding our new GRC tool (ZenGRC) and I am defining a change management runbook for significant/high risks changes. We are bringing our security training in house, so I am creating a new general security awareness training for new hires and annual review by team members. I am also focusing my time on formalizing our information security policy and standards.
What’s something new and/or exciting that you’d like to learn or be involved in? I have always wanted to be involved and learn more about FedRamp and the entire process to get certified. As GitLab is currently in the analysis stages, it is nice to be a part of the process and get a better understanding of the requirements necessary if we decide to get certified.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Don’t be scared and don’t feel overwhelmed. Take a deep breath and dive in! I come from a non-security/compliance background and all it takes is passion and a good mentor. Ask lots of questions and don’t be afraid to ask any question you have! The more you ask, the more you learn!
Heather Simpson - Senior External Communications Analyst, Security Engineering
Joined GitLab February 2019 / Connect with Heather on LinkedIn and Twitter
What do you do and who do you collaborate with in your role? I’ve got a unique job within our security department in that I work in a marketing communications capacity, something I referenced in the first blog post in this series. I focus on increasing awareness and strengthening community engagement and industry recognition of GitLab Security initiatives, programs and team members’ expertise through campaigns and initiatives that include blogs, contributed articles, social media, online events and more. To do this, I collaborate heavily with our security teams and partner with our content, corporate and social marketing teams. I sit within our Security and Engineering Research team and so a large focus area for me is increasing awareness and engagement in our bug bounty program. Part of this includes working with the hackers that contribute to our program and partnering with the HackerOne communications team to recognize the amazing contributions and talents these security researchers bring to making GitLab more secure.
What are some projects you’re working on? December was a busy month, where most of my time went to writing and editing blogs. “2020 through a bug bounty lens” takes a look back at the past year in terms of bug bounty metrics (reports received, hackers contributing, etc) and bounties paid out 💰. It also celebrates five winners of a contest we held in the fall, where the prize was a custom GitLab mechanical keyboard 🎉-- organizing this contest and that piece of custom swag are all projects I lead. Other new series I’ve developed and am working on are our “Ask a Hacker” blog series that profiles some of the top hackers contributing to our bug bounty program and our live GitLab Security Ask Me Anything (AMA) series which kicked off with an AMA with hacker Riccardo Padovani and will follow soon with an AMA with GitLab’s own Red Team on Jan 26, 2020. You can always see what I’m working on through my GitLab profile and also by checking out our Security blogs. I started our Security blogging program when I joined GitLab in February 2019 and, together with my security team mates, we’ve published 52 blogs to date with more great content in the works! Speaking of, if there’s something you’d like to read about, whether it’s: what makes our approach to red teaming unique or how do our security researchers decide what, exactly, they are going to research? Message me, I’d love to hear your ideas!
What’s something new and/or exciting that you’d like to learn or be involved in? I think I’d like to more deeply develop my skills in the areas of search engine optimization and marketing data and analytics; this would strengthen efforts in my current role and flesh out my existing digital marketing experience and expertise.
If someone was interested in a role like yours, what’s the most helpful piece of advice you could offer? Be comfortable with being uncomfortable. Many women in tech are used to being one of few women “in the room”. However, as someone working in a marketing capacity, sitting inside an engineering department, I find I’m usually (also) the only non-engineer on most calls and teams. And that’s just fine! But I’ve had to learn to be comfortable with owning and asserting my area of expertise, with asking questions for clarification when I don't understand something and with throwing first iteration content out there acknowledging that I need an SME’s help to ensure accuracy. And you know what? I’ve learned two things: I understand way more about technical concepts than I give myself credit for most times 💪 and, my asking questions and seeking clarification helps to create better and more readily consumable content for our audiences -- a win for everyone! 🙌
Sound interesting? We're hiring!
Check out the career opportunities page. Don't meet 100% of the qualifications for one of these roles? Still share your information with us! We're hiring within our Security department (and beyond) and looking for unique backgrounds and expertise. You can also learn more about GitLab’s culture and values in order to get an understanding of what it might be like to work here!
Cover image by #WOCinTech Chat.