Paving Paths for Sustainable Security
Anna Westelius of Netflix on High-Leverage, High-Impact Security Investments
Organizations often face challenges when they try to build sustainable security programs at scale. Anna Westelius, director of security engineering at Netflix, discussed the company's large infrastructure projects, which give it more leverage over time than investing in repeated manual processes.
"Our threat model is different than a bank," Westelius said. "We've had a lot of time and effort to spend on high-leverage technology investments instead of doing some traditional security."
Westelius also emphasized building strong relationships with developers by "setting shared goals" and "meeting them where they are in their technologies and their understanding of those workflows."
In this video interview with Information Security Media Group at RSA Conference 2023, Westelius also discusses:
- Challenges organizations face when scaling security;
- Netflix's nontraditional security testing;
- How to create shared accountability between security leaders and developers.
Westelius is a security leader and former security researcher, analyst and hacking enthusiast. At Netflix, she leads teams that address top security risks while maintaining overall business agility, velocity and scale.
Tom Field: Hi there, I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. It is my privilege to be talking today with Anna Westelius. She's the director of security engineering with Netflix. Anna, thanks so much for taking time to speak with me.
Anna Westelius: Thank you for having me.
Field: So let's start here. You are new to the ISMG studio. Talk a bit about your career and how you arrived in this role today.
Westelius: I am from a bit of a nontraditional background; I am self-taught in cybersecurity. When I grew up, we didn't have cybersecurity programs at universities or anything. So I taught myself. I ended up running a couple of companies myself, mostly to make money. You have to get by, get more computer parts. And then I started working in larger security firms. I ended up essentially running an MSSP out of Stockholm for a long time. We split that up as a subsidiary, and that ended up being acquired by a company here in California. So I've been here for about eight years, doing a variety of security research and engineering leadership roles in a variety of companies, both on the security vendor side and also in big corporations. And now I am fortunate enough to lead the security engineering team at Netflix.
Field: How long have you been there?
Westelius: Two years.
Field: Excellent. Now you were speaking at RSA Conference, and the topic was "Construction Time Again: A Lesson in Paving Paths for Security." What's the premise of this presentation?
Westelius: So it's about figuring out how to build sustainable security programs for scale. A lot of times when we're in, especially, application security, we do a lot of manual reviews and assessments. We spend a lot of time repeating manual work. What we've done at Netflix is instead let the fire burn a little bit, and go and make significant high-leverage investments in big infrastructure. That gives us more leverage over time, instead of doing those manual reviews. So this is a template for others to take and figure out which high-leverage, high-impact security product investments they can make to make their security programs scale.
Field: Now Netflix, you're pretty famous for what we might say is nontraditional security testing. Is that fair to say?
Westelius: Yeah, that's fair.
Field: How would you describe that? You sort of blow things up.
Westelius: We do, a little bit. We do a lot of security chaos engineering and stuff like that. So it's been a big part of our strategy. And we've had, I guess, the fortune of being an entertainment company. So our threat model is different than, say, a bank, for example. And so with that, we've had a lot of time and effort to spend on these high-leverage technology investments instead of doing some traditional security.
Field: Talk to me about the challenges organizations face when they do want to scale up their programs.
Westelius: I think for us, in particular, one of the challenges is the diversity of our portfolio now. We used to be a software company, and we're now a Hollywood studio. We're a gaming company.
Field: It used to be a DVD company.
Westelius: Yeah, exactly. And so now we're doing a lot of different things. And people in those areas, I think, understand security very differently. So a lot of our effort is translation. But then also scale as the company grows. We have more than 7,000 internally developed applications that support our ecosystem. And managing security for that is quite extensive.
Field: When you talk about paving roads for security, what are you paving? Are they cow paths?
Westelius: Not really. But I would say that paving roads is, more conceptually, making developers' lives as easy as possible, instead of telling them what to do. So in certain areas, you might have somebody wanting to do something fairly esoteric, like they want to do something in a language that we're not supporting. And that's fine. But doing the easiest, well-supported thing is the most secure thing. And so with that, we can be almost entirely hands off as a security engineering team, which is great. And that lets us focus on the more difficult things.
Field: Now, there's a natural tension between security and developers that many organizations deal with. And this has become a Mars and Venus issue. How have you bridged that?
Westelius: It does. And we were very intentional about essentially being the security team that doesn't say no. And that's put us in trouble a couple of times, I think. But it put our relationship with our developers at a high level. And so they seek us out for guidance, which I think is amazing. And we owe that to all the people on the ground who have been working on building those relationships over time. But we avoid that tension as much as we can.
Field: So talk to me about how you can create shared accountability and the relationships that will support that.
Westelius: It's about setting shared goals. We meet with all of our cross-functional partners very regularly. We set goals together, and we build toward that collectively. And so if they have a big infrastructure initiative that we would like to invest in, for example, we build security controls where they are, as opposed to finding our own novel way that they then have to discover and learn.
Field: Is this something you can pick up and move with other departments as well? Or is this unique to security and development?
Westelius: No. So we work with the entirety of the business and people, of course, and to my point earlier, Hollywood has a very different relationship with security. And so with that, I think we're trying to meet them where they are in their technologies and their understanding of those workflows. So we are doing a lot of work in Google's G Suite, for example, because that's where we have our documentation, and that's where a lot of Hollywood people work. So we make sure that we build security controls that they don't have to understand but that meet them where they are.
Field: So you find opportunities, you build the relationships, you're able to ultimately reduce security risks. So ...
Westelius: Yeah, we build the right things. And then we measure the right things. I think metrics are important. In a lot of cases for security controls, people think about coverage more so than they think about actual utilization of those controls. So it's important to understand how you've reduced security controls with the capabilities that you're putting in place.
Field: Can you give me some specificity? Give me some examples of what you've done, and how you've been able to build these bridges.
Westelius: For example, if you're looking at things like access control, it's one of our most impactful controls for security. Access control, vulnerability management, incident response: when you implement them, making sure that people are putting the right policies in place, as opposed to just putting anything in place. Because a lot of the time, if you investigate those policies, they might not necessarily be correct.
Field: For you, what are the security risks of greatest importance today?
Westelius: That is a hard question. And I don't know if I could answer that.
Field: Because you've got content, certainly, that people want to pirate. You've got a service that some would like to disrupt.
Westelius: Yes. And I think it depends so much on what organization you're running; everybody's threat model is so different. Again, we're an entertainment company, not a bank. And so our investment is going to look very different than, say, PayPal or Wells Fargo.
Field: Absolutely. How has this shaped your career?
Westelius: I think I had to learn a lot of new things. And so you pivot between different technologies because that is what the thing is right now, and you have to learn very quickly where the real risks are. And I think, as the security industry, we're still not very good at handling the same type of core issues that we've been dealing with for years and years. Look at every breach we've had in the past several months: it's all credentials in a variety of ways, MFA, extortion, things like that. And so I think it's balancing the shininess of new technology with fixing these core issues at scale.
Field: So as someone who, as you say, came up through a nontraditional path in security, you see the opportunities around you now, and there's great opportunity for people coming in. What would your advice be to a younger Anna today, while establishing a career?
Westelius: Go for the things that motivate you. I think as security professionals, we oftentimes find ourselves in this uphill battle. You're pushing the rock uphill, and you can't fix everything. So you need to be motivated and excited by the work that you're doing to counterbalance not the sadness, but the impact of that continuous effort.
Field: What motivates you?
Westelius: Supporting people. I think the more senior I've gotten in my career, it's become more about enabling the people who do the work - people who are way smarter than I am. To be successful at that and see them be able to have that impact is what motivates me.
Field: When you give this discussion, "Paving Paths for Security," what are the types of questions you get from people? What's the feedback you get?
Westelius: A lot of people just want to know how to implement the tools that we have. We have a fantastic developer productivity organization that's built a lot of the foundations that we're securing on top of, and so we make that available. We have a strong OSS culture at Netflix, and so we've open sourced a lot of our tooling. And so a lot of people are just like, how can I plug and play the thing you're doing? Which oftentimes doesn't work, because their environment is different. They use a different tech stack or whatever. But oftentimes, that's the first question: how do I do this?
Field: Well, I appreciate you taking time to share insight with us today, Anna. Thanks so much.
Westelius: Thank you.
Field: Again, I've been talking with Anna Westelius. She is the director of security engineering with Netflix. And for Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.