LinkedIn documented its methodology for how it addresses issues. By drawing a clear picture of what a threat model looks like, through to design reviews and penetration testing, it made others in the company more comfortable approaching security because they knew what they were getting.
It was no longer as if security was "practising the black arts or in their lair somewhere and then producing findings," Scott said. "We have it very clear about the potential things we look for."
Make sure your deliverables are easy to consume
This applies both within your team and in the wider organisation.
LinkedIn built its own catalogue of potential bug definitions so that it could quickly define the problem for each. "We've built something called a bug classification table. Instead of trying to figure out a mystical formula about where a bug is critical or high, we have the concept of a bug class," Scott said.
This kind of standardisation means the team is spending less time arguing and more time fixing.
In terms of communicating to other departments, Scott says it's important to understand that you're not judged on how you keep the bad guys out or how much data is protected.
"It's about how you're judged by the rest of the company, and that is based on communication and coordination," he said. "Many teams need to be involved. In order to get updates to a centralised point you have to realise communications will flow in every direction."
Be mindful of management and provide the right visibility
"The main watchword is that management should never care about an incident second hand," Scott said. "We will have a dedicated person who provides official updates, who has a summary of the issue, the potential impacts, and the mediation."
Every time there's an incident marked as a critical bug, security produces an email and sends it along to management. This includes a headline - that's the executive summary - the concept of the issue, how it was discovered, which actions the team has taken, and a link to the ticket itself.
Crucially, the team also provides a few reassuring footnotes. There's a thank you to the teams, and there's a small boilerplate note. "[It says] we're not ratting you out, and we're not telling tales," Scott said. "We're simply giving people the right visibility."
Source: Computerworld UK