Last updated at Mon, 04 Dec 2017 19:40:44 GMT

If you asked a security professional what they do on a day-to-day basis, I suspect you would receive a variety of answers. While there would likely be overlap between high-level strategy, department goals, and common tasks, other activities may vary wildly. After all, every organization is unique, even down to its workforce, procedures, and IT environment.

To explore these concepts, and see what a day in the life of a security team looks like across organizations, we spoke with two highly respected security pros to get an inside look at their team and roles in the world of security:

Doug DePerry

Director of Product Security

John Swanson

Incident Response Analyst

Doug and John have different sets of goals and responsibilities, but both can shed light on these often-misunderstood roles while helping us think more holistically about how security fits into a business’s overall strategy. Here’s our Q&A with Doug and John, explaining what they do day-to-day, and the goals and challenges they face as security pros in today’s business climate.

Q: What are the goals you work towards on a daily basis?

Doug's Answer

I do a little bit of everything, which is actually super interesting. One of my big goals right now is working on increasing security visibility across our organization. This involves monitoring and alerting on certain activity, and gaining more low-level insight on all of Datadog’s assets.

I’m simultaneously working on maintaining a secure environment for developers, engineers, and our customers by ensuring the product itself is secure, both inside and out. Something as simple as a bad configuration, for example, can be really easy to overlook, but could lead to very devastating consequences.

My third goal right now is recruiting. We are hiring a lot and have a lot to do, so we’re trying to simultaneously make the most of our team now and hire so we can do even more.

John's Answer

My top goal is to support and handle the execution of security investigations or incidents. I coordinate technical and non-technical resources to resolve security issues while minimizing the risk GitHub or its users are exposed to.

Beyond that, I analyze or produce threat intelligence to support investigations and detection mechanisms, and assist in the development of detection and prevention methods and the systems that support them. If I’m effectively handling incidents, producing or adapting useful threat intelligence, and implementing effective detection, I’m getting the job done. Anything after that is a bonus.

Q: What are the most common tasks you do on an average day?

Doug's Answer

Our infrastructure is run on AWS, so a lot of what I do is learning about new security services they offer and how to work within their ecosystem. AWS offers many ways to build secure products, but there are certain constraints we run up against that must be addressed.

My team and I also do code reviews with our development and engineering teams. We review configurations and policies as often as possible, especially when we’re launching something new. This also involves reviewing and designing secure architectures. Our goal is to prevent problems before they start, so we try to bake security in as early as possible when we build something new. That’s the most efficient way to do it; doing so later on becomes very expensive.

I also try to leverage automation as much as possible along the way, especially in the review process. Manual reviews are very time consuming, and automation can set you free from that. Our organization needs to be as nimble as possible; engineers need to move fast, but we also can’t compromise security, so the only way to address these diametrically opposed tasks is by automating many security protections.

Of course, our team is very interrupt-driven, so if something happens, we have to divert our attention to those tasks.

John's Answer

My tasks vary wildly because GitHub is sort of a microcosm of the entire internet. That said, a common task for me includes generating new detection and prevention mechanisms for malicious activity. This involves creating high signal and low noise alerts, and tweaking them over time as threats evolve.

I also spend a lot of time compiling or generating threat intelligence in support of investigations, like tracking threat actors known to abuse GitHub. I also work with our awesome support staff on issues like malware and account compromises. I often handle some security awareness functions as well, and spend some time evaluating or implementing new tools.

I try to start and finish my day digging into relevant technical and non-technical news and reports for critical situational awareness to stay on top of threats.

Obviously, handling an incident makes all this go out the window, but generally speaking, that’s a day in the life for my team and I.

Q: Who else in your company do you work with closely?

Doug's Answer

I work really closely with our site reliability engineers. They keep the company running, so it’s my goal is to help them implement security without interrupting any services or availability.

I also work closely with our development team. They come to me when they’re developing a new application or tool to ensure security is part of the development process from the very beginning. I help them make decisions with security in mind that will accomplish their goals. I never want my team to be a blocker and never want to say “no”, so it’s my job to find a way that works for both of us.  

On a broader spectrum, it’s my job to make the security team visible to everyone in the organization. Everyone should know where to find us, how to reach us, and how we can help them approach and handle issues. I want to work with everyone.

John's Answer

I work closely with our Security operations engineers, AppSec team, the GRC (governance, risk management, and compliance) team, and also IT for technical security problems.

I also spend a lot of time working with our support, platform health, and legal/privacy teams when dealing with platform abuse issues. PR is also a common partner when dealing with public-facing security issues or media inquires.

Q: What are some common security challenges you come across on a regular basis?

Doug's Answer

There’s not nearly enough time in the day! It’s the nature of security; even if I had three or four times the headcount on my team, there would still not be enough hours in the day. We have a lot of great support throughout the organization, but we’re moving fast and there is a lot to get done.

Another challenge is scope creep. I’m always turning over new rocks, and learning about new issues that must be addressed. I can have an entire plan laid out, but after I get a few steps in, I often realize ten more steps need to be added that could not have been foreseen until the project is underway. On top of that, there’s new code produced every day, new configurations to review, and our team is growing, so getting things to 100 percent completion can be a challenge.

And as I mentioned earlier, the constraints of AWS are also a challenge I have to work with. While AWS makes it pretty straightforward to do all the right things from a security perspective, as networks grow and become more complex, and more users and developers come on board, I find that I run up against platform limitations such as Lambda function resource limits. Using AWS is still far easier than building our own data center, but I do need to find workarounds to overcome certain obstacles.

John's Answer

GitHub is a very fast-paced and remote-friendly organization with a ton going on. Our security team is distributed, which was a big adjustment for me at first. But we have a great culture and tools in place so that even when a red hot issue comes up, there are processes in place to ensure the issue is resolved smoothly, no matter where our team is located. We take pride in what we’re capable of doing, but are always looking for advantages to speed up that process.  

Since GitHub is a relatively large platform, we have a lot of telemetry to work with, some of it in different formats and warehouses. This means it’s often a challenge to query, move, and apply relevant data in an appropriate and effective format understood by all of our tools. Thankfully, we have some awesome tools and really sharp people that excel with adapting existing tools or building new ones to work with our telemetry sources.

Getting to Know Your Security Team

Whether you’re a security professional with an interest in how other teams function, or you’re someone outside of security looking to better understand your security team, we hope this first-hand look at the day in the life of several security folks has helped.

Thank you to Doug and John for their time chatting with us about their jobs. As incredibly talented security professionals, we admire their work and leadership in the security industry, and appreciate them sharing their time and insight with us.

For additional wisdom from security pros focusing on cybersecurity defense, check out our Defender Spotlight series.