Transparency is a core value here at GitLab and we strive to be "open about as many things as possible", but as any security practitioner knows, this can, at times, feel as though it conflicts with the work we do within security. That feeling of conflict is one of the main drivers behind the creation of a Security Culture Committee here at GitLab. The other is to ensure the Security department, and all of GitLab, lives up to our company values, especially as we continue to scale. The mission and goals of the Security Culture Committee were developed by the committee members themselves, with an eye on our GitLab values and also to ensure representation of our fellow team members.
How does the committee work?
Our first group of team members, five of us, were peer nominated (thanks, team 😉) back in August of 2020 and include: Dominic Couture, Mark Loveless, Joern Schneeweisz, Heather Simpson, and Steve Truong. We meet monthly via Zoom (meetings are recorded and viewable internally for GitLab team members) to discuss candidate initiatives or process improvements where GitLab values could be better represented. Between meetings, we work async through GitLab issues and in a dedicated, public-to-GitLab Slack channel (#security-culture).
Fellow team members can bring suggestions for initiatives we should tackle via #security-culture channel, an issue or a Slack DM if that's more comfortable. Candidate initiatives are anything where collaboration, results, efficiency, diversity, inclusion & belonging, iteration and/or transparency (all GitLab values), could be strengthened and improved.
Where has the committee focused our efforts so far?
One of the first things we tried to do was determine how we would define "success". We weren't sure, so reached out to the Security department via an anonymous feedback form asking the following questions:
- Do you think the Security Culture Committee is strengthening the GitLab values within the Security department?
- Do you think the Security Culture Committee should continue its efforts for at least another quarter?
- Do you have anything to share what the committee could do in the future? Any ideas for opportunities are welcome.
- Anything else you'd like to mention to the committee?
For the first two questions, team members had to rate their agreement with the statements on a scale of one (strongly disagree) to five (strongly agree) and 91% of answers were four or above. The other two questions generated interesting ideas to improve transparency in the department and better ways to communicate important news and initiatives across GitLab through Slack updates and entries in our Engineering department's week-in-review newsletter. There's definitely opportunity to improve and strengthen communication within GitLab around Security work and initiatives, and the value these efforts bring to the rest of the organization
Public profiles for transparency and collaboration
Another early initiative for our group was to encourage more GitLab team members to adopt public profiles to increase transparency across the company. The use of open, public profiles enables company-wide visibility into projects, plans, statuses, and updates. Public profiles ensure efficiency and fosters greater collaboration when there is visibility into the ongoing efforts of GitLab teams and team members. Public profiles also allow any visitor to see the work team members are doing in public projects. See Heather's profile: https://gitlab.com/heather as an example.
Public profiles foster collaboration through greater visibility into the work GitLab team members are doing.
To encourage public profile use, we held a Slack campaign where we communicated the value of public profiles and shared our progress toward the goal of making all GitLab profiles public by default.
An example of our internal Slack campaign to encourage GitLab team members to switch their profiles from private to public.
We also added language to the values page of the GitLab Handbook encouraging the use of public profiles:
In line with our value of transparency and being public by default, all GitLab team member profiles should be public. Public profiles also enable broader collaboration and efficiencies between teams. To do so, please make sure that the checkbox under the Private profile option is unchecked in your profile settings. If you do not feel comfortable with your full name or location on your profile, please change it to what feels appropriate to you as these are displayed even on private profiles.
And we added clarification to our onboarding template around why we use public profiles to ensure new team members understand how they contribute to GitLab's value of transparency and being public by default.
Our Security Culture Committee will continue to revisit this topic and educate team members on the value of public profiles, but we're proud of our team members commitment to transparency and the results we've achieved, together, to-date:
As of May 5, 2021: 🎉
- All of GitLab: 2.18% private profiles (28 out of 1307)
- Security department: 2.22% private profiles (1 out of 48)
Increase transparency in department leadership meetings
Beyond ensuring our GitLab profiles are public, the Security Culture Committee, in partnership with Security department leadership, has also advocated for several department and sub-department meeting notes and recordings to be made available internally. By making notes and recordings available, all team members can stay informed about what's going on at the Security leadership level and follow meeting notes and recordings asynchronously. Besides providing more transparency, this also supports our collaboration and results values, as information is made available for all to read and contribute to.
Strengthen the employee experience
On a bi-annual cadence, GitLab conducts an organization-wide Team Member Engagement Survey to give team members an opportunity to provide feedback related to their experience within GitLab across multiple elements, including culture. The results from this survey are aggregated by department and shared with department heads.
GitLab VP of Security Johnathan Hunt, engaged the culture committee to dive deeper into the Security department specific results from the Team Member Engagement Survey and help identify areas for improvement. After reviewing results, the committee outlined four focus areas where we could strengthen employee experience across the Security department based on survey results:
- I believe there are good career opportunities at GitLab
- I have access to the L&D I need to do my job well
- GitLab is in a position to really succeed over the next three years
- I have confidence in senior leaders and execs at GitLab
The culture committee established various channels for Security team members to share their feedback:
- Anonymous response to a Security department specific survey (delivered via Google forms)
- Survey response provided to their manager in a 1:1 session where feedback was then summarized, anonymized, and provided to the committee
- 1:1 feedback directly to a member of the culture committee over a coffee chat
About 62% of the Security department provided feedback, not including aggregated feedback that was provided to managers in 1:1 conversations. As part of the survey, we asked Security team members to:
- Prioritize and rank the four focus areas mentioned above
- Provide recommendations for improvement within each focus area
- Supply any additional feedback and recommendations they wanted to share
Once all feedback was gathered, the culture committee worked to consolidate and anonymize the data to ensure that specific team members could not be identified based on language used in their feedback. The next steps included sharing the qualitative survey data and summarized feedback with the entire team, and making recommendations for action, based on survey data, to senior leadership. Security leadership took the recommendations from the top three focus areas and formalized an OKR for Q1.
So, what are the results so far?
Priority 1 focus area: I believe there are good career opportunities at GitLab
- Implemented an individual development plan so team members can continuously discuss career path and growth opportunities with their manager
- Leadership exploration of additional career opportunities by mapping out additional role levels within the Security department
Priority 2: I have confidence in senior leaders and execs at GitLab
- Collaboration
- Established a Security Department Team Day to encourage collaboration and networking across the security organization
- Added a Security OKR handbook page to encourage cross-functional OKRs
- Diversity, Inclusion, and Belonging (DIB)
- Allyship training for Security department senior leadership team
- Planning for maturation of DIB specific metrics for the Security department
- Transparency
- Updates to the Security leadership job family handbook page to further define responsibilities by role
- Include Security department activities within the Engineering week-in-review
Priority 3: I have access to the L&D I need to do my job well
- Dedicated handbook page to centralize all Learning and Development opportunities for Security team members
- Process to enable team members to prioritize and dedicate eight working hours per month to L&D
What's next
Each set of culture committee members are nominated to serve a six-month term. We, the first set of committee members, have established some basic processes and hit the ground running on a few initiatives that we hope has laid some groundwork for future committee members and impacts how we live our values within the Security department and throughout GitLab. We've started onboarding the next set of peer-nominated Security Committee members, which includes Liz Coleman, Devin Harris, Andrew Kelly, Philippe Lafoucrière, Marley Riser, and Juliet Wanjohi.
So, what should be prioritized and tackled first by this new committee? We know they will each come in with their own unique and valuable perspective and ideas on how to ensure our GitLab values are strengthened as we scale and represented in the work on the Security team and beyond. We look forward to continuing to contributing to this work on behalf of all of our team members and will keep you posted!
Have some feedback on the initiatives we've worked on as part of our Security Culture Committee? Or suggestions based on what's worked within your organization? Let us know in the comments!