Transparency is a core value here at GitLab and we strive to be "open about as many things as possible", but as any security practitioner knows, this can, at times, feel as though it conflicts with the work we do within security. That feeling of conflict is one of the main drivers behind the creation of a Security Culture Committee here at GitLab. The other is to ensure the Security department, and all of GitLab, lives up to our company values, especially as we continue to scale. The mission and goals of the Security Culture Committee were developed by the committee members themselves, with an eye on our GitLab values and also to ensure representation of our fellow team members.

How does the committee work?

Our first group of team members, five of us, were peer nominated (thanks, team 😉) back in August of 2020 and include: Dominic Couture, Mark Loveless, Joern Schneeweisz, Heather Simpson, and Steve Truong. We meet monthly via Zoom (meetings are recorded and viewable internally for GitLab team members) to discuss candidate initiatives or process improvements where GitLab values could be better represented. Between meetings, we work async through GitLab issues and in a dedicated, public-to-GitLab Slack channel (#security-culture).

Fellow team members can bring suggestions for initiatives we should tackle via #security-culture channel, an issue or a Slack DM if that's more comfortable. Candidate initiatives are anything where collaboration, results, efficiency, diversity, inclusion & belonging, iteration and/or transparency (all GitLab values), could be strengthened and improved.

Where has the committee focused our efforts so far?

One of the first things we tried to do was determine how we would define "success". We weren't sure, so reached out to the Security department via an anonymous feedback form asking the following questions:

For the first two questions, team members had to rate their agreement with the statements on a scale of one (strongly disagree) to five (strongly agree) and 91% of answers were four or above. The other two questions generated interesting ideas to improve transparency in the department and better ways to communicate important news and initiatives across GitLab through Slack updates and entries in our Engineering department's week-in-review newsletter. There's definitely opportunity to improve and strengthen communication within GitLab around Security work and initiatives, and the value these efforts bring to the rest of the organization

Public profiles for transparency and collaboration

Another early initiative for our group was to encourage more GitLab team members to adopt public profiles to increase transparency across the company. The use of open, public profiles enables company-wide visibility into projects, plans, statuses, and updates. Public profiles ensure efficiency and fosters greater collaboration when there is visibility into the ongoing efforts of GitLab teams and team members. Public profiles also allow any visitor to see the work team members are doing in public projects. See Heather's profile: https://gitlab.com/heather as an example.

Screenshot of Heather Simpson's public GitLab profile Public profiles foster collaboration through greater visibility into the work GitLab team members are doing.

To encourage public profile use, we held a Slack campaign where we communicated the value of public profiles and shared our progress toward the goal of making all GitLab profiles public by default.

Public GitLab profiles Slack campaign An example of our internal Slack campaign to encourage GitLab team members to switch their profiles from private to public.

We also added language to the values page of the GitLab Handbook encouraging the use of public profiles:

In line with our value of transparency and being public by default, all GitLab team member profiles should be public. Public profiles also enable broader collaboration and efficiencies between teams. To do so, please make sure that the checkbox under the Private profile option is unchecked in your profile settings. If you do not feel comfortable with your full name or location on your profile, please change it to what feels appropriate to you as these are displayed even on private profiles.

And we added clarification to our onboarding template around why we use public profiles to ensure new team members understand how they contribute to GitLab's value of transparency and being public by default.

Our Security Culture Committee will continue to revisit this topic and educate team members on the value of public profiles, but we're proud of our team members commitment to transparency and the results we've achieved, together, to-date:

As of May 5, 2021: 🎉

Increase transparency in department leadership meetings

Beyond ensuring our GitLab profiles are public, the Security Culture Committee, in partnership with Security department leadership, has also advocated for several department and sub-department meeting notes and recordings to be made available internally. By making notes and recordings available, all team members can stay informed about what's going on at the Security leadership level and follow meeting notes and recordings asynchronously. Besides providing more transparency, this also supports our collaboration and results values, as information is made available for all to read and contribute to.

Strengthen the employee experience

On a bi-annual cadence, GitLab conducts an organization-wide Team Member Engagement Survey to give team members an opportunity to provide feedback related to their experience within GitLab across multiple elements, including culture. The results from this survey are aggregated by department and shared with department heads.

GitLab VP of Security Johnathan Hunt, engaged the culture committee to dive deeper into the Security department specific results from the Team Member Engagement Survey and help identify areas for improvement. After reviewing results, the committee outlined four focus areas where we could strengthen employee experience across the Security department based on survey results:

The culture committee established various channels for Security team members to share their feedback:

About 62% of the Security department provided feedback, not including aggregated feedback that was provided to managers in 1:1 conversations. As part of the survey, we asked Security team members to:

Once all feedback was gathered, the culture committee worked to consolidate and anonymize the data to ensure that specific team members could not be identified based on language used in their feedback. The next steps included sharing the qualitative survey data and summarized feedback with the entire team, and making recommendations for action, based on survey data, to senior leadership. Security leadership took the recommendations from the top three focus areas and formalized an OKR for Q1.

So, what are the results so far?

Priority 1 focus area: I believe there are good career opportunities at GitLab
Priority 2: I have confidence in senior leaders and execs at GitLab
Priority 3: I have access to the L&D I need to do my job well

What's next

Each set of culture committee members are nominated to serve a six-month term. We, the first set of committee members, have established some basic processes and hit the ground running on a few initiatives that we hope has laid some groundwork for future committee members and impacts how we live our values within the Security department and throughout GitLab. We've started onboarding the next set of peer-nominated Security Committee members, which includes Liz Coleman, Devin Harris, Andrew Kelly, Philippe Lafoucrière, Marley Riser, and Juliet Wanjohi.

So, what should be prioritized and tackled first by this new committee? We know they will each come in with their own unique and valuable perspective and ideas on how to ensure our GitLab values are strengthened as we scale and represented in the work on the Security team and beyond. We look forward to continuing to contributing to this work on behalf of all of our team members and will keep you posted!

Have some feedback on the initiatives we've worked on as part of our Security Culture Committee? Or suggestions based on what's worked within your organization? Let us know in the comments!

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license

Try GitLab risk-free for 30 days.

No credit card required. Have questions? Contact us.

Gitlab x icon svg