Zoom CISO’s Lessons in Scaling With Simplicity
I joined Zoom in July 2020 — a time when everything about the company had fundamentally changed. The expectations for service delivery were higher than ever, growth reached an unprecedented scale and the role of security had never been more important.
While I stepped in during this momentous time, I was determined to bring simplicity to the organization. Let me explain why and how I did it.
Looking Back
Life as we know it changed last year, and our company was one of the many that followed suit.
People around the globe joined our platform practically overnight, as millions of users adopted our solutions amid the COVID-19 pandemic. As our customer base broadened, so did the use cases for our platform, with enterprises, educational institutions, health care organizations and more adapting and modernizing their services via our technology.
But with new use cases came new security requirements, and we had to find new ways to keep pace. Our security strategy had to remain nimble, with teams working quickly to churn out easy-to-deploy yet effective updates and features to protect a growing customer base with ever-evolving needs.
That’s when I came into the picture.
Simplicity and Structure
Joining a company with such rapid demands for scale posed a unique challenge. We were innovating at the pace of a startup because we had to: our complex challenges existed on a global scale.
So I decided to keep things simple. That didn’t mean slowing down or reducing effort but, rather, stripping out the unnecessary to create a sustainable approach to security. Simple is often harder to achieve than complex — it meant we had to identify a structure that could future-proof our operations while still keeping teams agile, productive and effective in the face of constant change.
To me, a simple security strategy is standardization augmented by innovation. Here’s what that looked like for us:
- Consistency with industry best practices: We aim to follow the NIST Cybersecurity Framework, which is built on existing standards, guidelines and practices. It gives organizations guidance and customizable activities for how internal and external stakeholders can manage and reduce cybersecurity risk. Adhering to NIST, as well as to other regulatory and compliance requirements, can help organizations make more confident decisions and deliver improved solutions to customers from the start.
- Standardized design processes: While engineering should always design with security in mind, disjointed processes can sometimes lead to oversight, which can cause design errors or even bugs. By standardizing your internal processes, you help reduce bottlenecks and miscommunication, enabling your teams to work quickly and effectively on projects and creating more time and space to test for security issues.
- A real-time feedback loop: When you’re innovating for evolving use cases, it’s vital to listen to customer feedback, especially when it comes to security features. Discover the key pain points and/or requirements for users in different industries and make that feedback your starting point for your next security decision.
- Persistent employee education: Researchers from Stanford University and Tessian found that approximately 88% of all data breaches are caused by an employee mistake. Employees are the backbone of any security strategy — without proper training, your organization’s scale won’t be sustainable. Create an annual security training program complemented by regular security awareness communications and ongoing employee education. Training should also expand to a company’s developer teams, which can undergo continuous learning via secure code training.
Trust as a North Star
While these strategies worked for us, there’s no one-size-fits-all approach to security during a time of massive growth. As a security leader, you cannot control how rapidly your organization changes, but it’s your responsibility to instill a sense of trust in your product.
For me, simplicity was the way to build a sense of trust that lasts. Streamlining our internal processes helped us strengthen our customers’ experience and work to build a security strategy optimized for scale. No matter which direction your company heads next, trust should always be treated as your north star, guiding you along the way.