Hard Lessons Learned



Candid advice from Atlassian’s Security Chief

CyRise Elevate was joined by guest advisor and cybersecurity leader Dan Grzelak, Security Chief of Staff at Atlassian.

Grzelak made his mark as a Security Intelligence Manager, then Head of Security at Atlassian, helping to build it into an Australian success story. A startup founder in his own right, he is an advisor to a number of Australian startups, and a developer of open source security tools and research.

Dan candidly shared his most memorable ‘hard lessons learned’ from a cybersecurity career at one of Australia’s most impactful and iconic technology companies.

Think Bigger

For a long time, Grzelak thought he was achieving big things as Atlassian’s Head of Security. He’d successfully built a team, had a solid track record, and seemed to be meeting the expectations of customers.

Then, Atlassian recruited a new CISO, with a bigger vision for the security team.

“Adrian [Ludwig] had an unconstrained mindset. He pushed for the security team to double, and then double again. I realized I had been constraining my own vision for what we could achieve. Those artificial limitations weren’t helping the company or our customers, and the realization changed my whole perspective”.

Don’t try to just ‘meet’ expectations – a ‘value add’ CISO is thinking bigger.

Don’t just rebuild. See the opportunity.

As security leaders, we can’t always prevent adversity, but we can certainly choose how to respond. In January 2010, Google admitted they had been the victim of a cyber-attack, one which had given attackers sweeping access to users’ private Gmail accounts, amongst other sensitive data. Attackers had also stolen Google’s intellectual property, and a review of the incident revealed embarrassingly weak security in many of Google’s systems.

Daniel pointed out that instead of wallowing in their mistakes, Google used the failure as an opportunity to build one of the most secure platforms in the world, pioneering the Advanced Protection Program and launching a multi-million dollar bug bounty program within just a few months of the attack. Their security program remains a model many organizations aspire to today.

It’s important to move swiftly after a security incident, and enact reforms before the incident is forgotten!

Don’t #@!% the customer

Atlassian’s company values are refreshingly transparent and candid, and include ‘Open company, no bullshit’, ‘Be the change you seek’, and our personal favourite: ‘Don’t #@!% the customer’.

Daniel shared that ‘Don’t #@!% the customer’ has become a guide by which to quickly identify risks:

“Just ask yourself, ‘Will this #@!% the customer?’ before you proceed with an action, and you’ll drastically reduce the chance of releasing an insecure feature.”

This helps reduce the demands on Daniel’s security teams, as every staff member at Atlassian is mindful of creating secure products that won’t ‘#@!% the customer’, ensuring cybersecurity is built into the design process rather than added as an afterthought.

Don’t overthink it

There’s an overwhelming number of new tools and systems available on the market, and you don’t always have time to agonize over which one is the ‘perfect’ fit. It can be tempting to hold off making a decision rather than take a risk, and Grzelak found the selection process for new tools was sometimes overlong. By the time a decision had been made to adopt a new product, the company’s needs had begun to change.

To keep up with the rapid pace of change, focus on staying flexible and adapting. When choosing a new tool, remember that products will come to the natural end of their life, and new tools will become available – so make your selection with the intent to iterate as needed. One choice isn’t going to make or break your security, but indecision can leave you unprotected.

The TL;DR –

Dan’s underlying message is that a great security leader thinks beyond their job description, and takes on the role of imagining what could be. Whether you’re in a time of ‘business as usual’, or are facing adversity, a security leader – like any great leader – is focused on pushing the business further.

CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.

If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.