AN ‘IMPACT JUNKY’S’ APPROACH TO FINDING THE RIGHT OPPORTUNITY
“One thing that I have learned about myself is that I am somewhat of an impact junky,” explains Geoff Belknap, CSO of Slack. “It is very important to me that the decisions I make matter to the business and customers. I want to make a positive impact.” The desire to be involved in change is what lead Belknap to take the CSO position at Slack, the fast-growth collaborative communication start-up known for changing the way businesses work.
“First, I was excited by the opportunity at Slack because the founders were behind Flickr, a tool that had a big impact on my own life. I became more intrigued during the interviews for the CSO position when I learned exactly how many enterprises and businesses are changing the way they work with Slack.” Belknap points out that “many of the Fortune 500, and nearly every media company is using Slack today.”
Belknap realized Slack was making a difference, and his desire increased to understand the type of impact he could make as CSO. The answer: a big one. Belknap comments, “Slack has a very serious security program and it is very important to the business and users. The truth is you are not free to do your best work and innovate if you are not sure your platform is secure. That is the promise Slack is making to our customers - a secure platform to make change happen.”
Slack’s commitment to security is ingrained in the product and culture, which makes Belknap’s job easier in terms of getting executive-level buy-in for policies, programs and budgets. He says, “When I first met with Slack executives about the security program I said we really need to lean forward. I told them I needed to build a team of 100 security experts. I was joking; but they were committed. They said, ‘If that is what you need, we will give it to you.’ I do not need a team of 100, but knowing that I have that level of commitment from the executive team is very satisfying.”
During the on-boarding process Belknap met with Slack’s Board of Directors, another sign of the organization’s steadfast commitment to security. He explains, “In those meetings it became clear to me I was going to influence the strategy and tactics of the business from a security perspective. One of the hardest things for any CSO to do is to convince their peers or the Board of the importance of security. That was a non-issue for me. I already had their understanding.”
COMMITMENT TO SECURITY STARTS AT THE BOARD LEVEL
As CSO of Slack for nearly two years, Belknap’s relationship with the Board continues to mature and they remain focused on security as a critical component. He says, “I talk to the Board on a quarterly basis. We talk about the types of threats facing us as a business and what we do with the information we have on specific threats. We cover changes to our long-term security strategy. I think that the Board most appreciates our question and answer sessions. They share their concerns and problems that they are hearing about at their own organizations as well.”
Belknap also meets regularly with the audit committee and performs an annual risk assessment. He explains, “On a monthly basis, I meet with the executive risk committee. We look at steps that we are taking to mitigate risks and review the accepted risks of the organization.” The audit committee includes other senior leaders at Slack, including the CTO, CFO, and the risk and compliance director from Belknap’s own team.
BUILDING CUSTOMER TRUST THROUGH TRANSPARENCY
Belknap says the company’s risk program is focused on building long-term customer trust, something mission-critical for Slack. He explains, “It is hard to build trust and easy to lose trust. It is nearly impossible to regain trust you have lost. Our security program is focused on delivering a solution that our clients can trust. As a result we focus on the things our clients ask us to do to prove our trustworthiness.” That list includes security engineering, operations, risk management, and application and platform security.
Part of building long-term trust is delivering absolute transparency to customers. This is something Slack tries to do at the corporate-level, and Belknap’s security team aims for total transparency as well. He admits it is hard. He asks, “How many people are happy to expose all their flaws? I’d argue no one. But, that is also what you really need from the people with whom you do business. It is not easy to be as transparent as Slack is, and we get a lot of criticism that stems from our sharing of flaws. But what we are providing is real transparency, and that is important to our customers.” For Belknap, transparency means making sure clients understand any vulnerabilities, and know Slack has addressed them, or put a plan in place to do so.
“I’m not focused on addressing any one specific security problem. My priority is to make sure Slack can continue to grow and enable our customers to innovate,” states Belknap
The Future of Information Security Is Advocacy and Education
“Information security is easy to understand in broad brush strokes, but to fully understand the situation there is a lot of science involved. We need to educate both consumers and lawmakers so that they can better understand the technical nuances driving the digital economy. That will help them understand the requirements needed for security. As an industry, we need to do more education. We need the equivalent of ‘seatbelts save lives’, or the anti-smoking campaigns. Consumers need to understand that they can make smart choices when it comes to security, and that those smart choices can impact the broader community in positive ways.”