Erik Hajnal of Tradeshift on Infusing Fun into Cybersecurity While Keeping Business Front and Center
Hey Cloud Control Readers,
I'm Ian, and today, I'm excited to bring you insights from Erik Hajnal, the CISO at Tradeshift, who's reshaping how we think about cybersecurity. Erik believes in making security engaging and approachable, blending it seamlessly with business operations.
In our discussion, Erik explains how integrating humor and straightforward communication transforms the traditional view of cybersecurity within a company. His approach not only makes learning about security more enjoyable but also integrates it deeply with corporate strategies, ensuring everyone feels part of the security process.
From creating memorable training sessions to aligning security initiatives with broader business objectives, Erik shares practical advice that bridges the gap between technical necessity and business innovation. This is about enhancing a culture where security supports creativity and corporate growth.
So, let's dive in and explore how Erik's strategies can inspire changes in your security landscape 👇
P.S. Was this email forwarded to you? If so, sign up to receive Cloud Control interviews delivered to your email each week here.
Erik Hajnal, CISO at Tradeshift
Question 1
Erik, it’s great to have you on Cloud Control. When we were talking privately you mentioned that you’ve had your fair share of cybersecurity hiccups. Can you tell us how your early experiences have shaped smarter security strategies at Tradeshift? What lessons can other CISOs take from your experience?
Answer 1 🎯
Happy to be here! Indeed, early on as an engineer I made my fair share of blunders over the years, and while I always felt the responsibility, I also always felt a bit excited that I got to learn something new. I often wondered about balancing the seriousness of security with how exciting and cool it can be at the same time.
I see many organizations struggling with getting security taken seriously - either because people don’t really care, or because of a no fun allowed environment, full of rules and regulations. I’ve learnt that in order to get taken more seriously, you sometimes need to take it less seriously. In fact, fun is one of the key values of the security team at Tradeshift! Context is everything though: what works great for your engineers might need a bit of tweaking before taking it to the board of directors!
Question 2
Having a background in both computer science and business must give you a unique perspective to the CISO role. How do you use your background to your advantage to align Tradeshift's cybersecurity measures with its broader business objectives? Can you give examples of how this has played out in decision-making or strategy formulation at Tradeshift or other companies?
Answer 2 🎯
Most security teams I’ve seen have endless backlogs: there are always so many different things to do, new technologies keep popping up, nothing is ever perfect, so we have risks we’re trying to navigate. One very common issue I see with managing risks is the translation of siloed risks into business risks: a remote code execution (RCE) flaw is as bad as it gets as far as vulnerabilities go, and yet it could be at the bottom of our risk register if it only affects a single test server that’s not connected to the internet.
Without a solid understanding of the business, one simply cannot assess these risks well, so at Tradeshift we always try to take a step back and look at the bigger picture. After all, a critical RCE may be actually less important than a medium-severity vulnerability that actually affects all our users.
Over the past few years, cloud security posture management (CSPM) tools have become common, which can help us by putting these CVEs in the context of our infrastructure. However, we need to keep in mind that these tools don’t actually understand the business - that remains the security team’s job, and CISOs and managers of security organizations are directly responsible for connecting the dots for their teams.
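The ranking logic Erik describes, where a scanner's severity is only the starting point and exposure, environment and user reach decide where a finding lands in the register, can be written down so the trade-off is explicit. The following is an added illustration, not code from the interview or from Tradeshift; the weights, the field names and the three sample findings are all constructed assumptions, chosen so that the two cases in the answer above (a critical RCE on an isolated test box versus a medium-severity bug on the internet-facing page every user hits) come out in the order the answer argues for.

```python
from dataclasses import dataclass

# Constructed weights: illustrative assumptions, not a published scoring
# scheme and not Tradeshift's process. Replace with your own calibration.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.0}


@dataclass(frozen=True)
class Finding:
    """One vulnerability as a scanner or CSPM tool reports it, plus the
    business context the tool does not know."""
    finding_id: str
    severity: str           # scanner severity: critical / high / medium / low
    asset: str
    internet_exposed: bool  # reachable from outside the network?
    production: bool        # serves real customers, or a test box?
    affected_users: int     # users whose data or sessions the asset handles


def business_risk(f: Finding, total_users: int) -> float:
    """Scale technical severity by exposure, environment and reach.

    Exposure and environment are multiplicative, so an isolated test
    server is discounted heavily. Reach keeps a floor of 0.2 so a finding
    that touches no users today still does not vanish from the register.
    """
    base = SEVERITY_WEIGHT[f.severity]
    exposure = 1.0 if f.internet_exposed else 0.2
    environment = 1.0 if f.production else 0.1
    reach = f.affected_users / total_users if total_users else 0.0
    return round(base * exposure * environment * (0.2 + 0.8 * reach), 2)


def rank_register(findings: list[Finding], total_users: int) -> list[tuple[str, float]]:
    """Return (finding_id, score) pairs, highest business risk first."""
    scored = [(f.finding_id, business_risk(f, total_users)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register mirroring the cases discussed in the answer.
SAMPLE_FINDINGS = [
    Finding("RCE-test-box", "critical", "test-server-7",
            internet_exposed=False, production=False, affected_users=0),
    Finding("XSS-login-page", "medium", "web-frontend",
            internet_exposed=True, production=True, affected_users=50_000),
    Finding("SSRF-internal-api", "high", "billing-api",
            internet_exposed=False, production=True, affected_users=5_000),
]
TOTAL_USERS = 50_000

if __name__ == "__main__":
    for finding_id, score in rank_register(SAMPLE_FINDINGS, TOTAL_USERS):
        print(f"{score:6.2f}  {finding_id}")
```

The point of the multiplicative shape is that no single field can rescue a finding: a critical severity on a box nobody can reach scores below a medium on the page everyone uses, which is exactly the reordering a CSPM tool cannot do on its own because it does not know which asset matters to the business.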
Question 3
You were instrumental in setting up the application security team at Tradeshift when there was a clear need. What were some of the initial hurdles you encountered while building this team from scratch? How did you go about tackling them?
Answer 3 🎯
The technical aspects of security are often about telling people what to do or how to do things: validate those inputs, use parameterized queries, use HTML encoding, keep your dependencies up-to-date, etc.: heaps of rules that can slow everyone down. The biggest challenge was making sure that people see the security team as their allies, as opposed to people who always just say “no” to everything.
To solve this, I wanted people to see us as people first, who just happen to know about security. Having worked as a software engineer for years, I tried to remember what resonated with me: fun. I like fun. Most people I know like fun. So I thought: what if we approach security with a fun-first mindset? We changed our training decks and policies to have little jokes, interesting anecdotes, tiny challenges, spot-the-mistake exercises, and lots and lots of interactivity in general.
I was a bit worried at first: is it really okay to take something as serious as security, and make it fun? Being feedback-oriented, we’d always do anonymous surveys after training sessions, and the feedback was overwhelmingly positive: people suddenly loved learning about security, and they kept asking for more sessions, praising the change in tone. Granted, there were always a few people who would prefer a more serious tone, but one size doesn’t really fit all, and I’d much rather get very high scores with a few lower ones mixed in, than everybody giving it a “meh, it’s fine I guess?” average rating.
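The three rules Erik lists at the start of this answer (validate inputs, use parameterized queries, HTML-encode output) make a natural spot-the-mistake exercise of the kind the training sessions describe. The following is an added example written for this page, not material from the interview or from Tradeshift: each "mistake" function sits beside its fixed form, the in-memory table and the sample inputs are constructed, and the `NAME_PATTERN` allowlist is an assumed shape for a username rather than any real product's rule.

```python
import html
import re
import sqlite3

# Assumed allowlist for usernames; a real service would use its own rule.
NAME_PATTERN = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_email_mistake(conn: sqlite3.Connection, name: str) -> list[str]:
    """Spot the mistake: the caller's input is glued into the SQL text,
    so characters in the input become part of the query grammar."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_fixed(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized query: the driver passes name as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def is_valid_name(name: str) -> bool:
    """Input validation: accept only the shape a username can have."""
    return NAME_PATTERN.match(name) is not None


def greeting_mistake(name: str) -> str:
    """Spot the mistake: untrusted text is placed straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name: str) -> str:
    """HTML encoding turns markup characters into harmless entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed sample input for the exercise: a value that reads as SQL
# syntax when concatenated but is just a string when bound as a parameter.
ODD_NAME = "' OR '1'='1"


def compare_lookups(name: str) -> dict[str, list[str]]:
    """Run both lookups on a fresh table so the difference is visible."""
    conn = make_db()
    return {"mistake": lookup_email_mistake(conn, name),
            "fixed": lookup_email_fixed(conn, name)}


if __name__ == "__main__":
    print("valid name?", is_valid_name("alice"), is_valid_name(ODD_NAME))
    print(compare_lookups("alice"))
    print(compare_lookups(ODD_NAME))
    print(greeting_mistake("<b>alice</b>"))
    print(greeting_fixed("<b>alice</b>"))
```

Run it and the contrast is the whole lesson: the concatenated query returns every row for the odd input while the parameterized one returns nothing, and the validator would have rejected that input before it reached either query. Presented as an exercise rather than a rule, the same three guidelines become something engineers reason about instead of something they are told.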
Question 4
Transitioning from a software engineer to a focus on application security certainly gives you a well-rounded view of the tech landscape. How has this varied technical background helped you in shaping effective security strategies? Could you share how understanding different tech stacks influences your approach to cybersecurity across the organizations you’ve worked with?
Answer 4 🎯
I love the concept of DevSecOps because, like many security terms, it’s overloaded, buzzy, loved, hated, and misunderstood. For me, DevSecOps isn't just about bridging the gaps between development, security, and operations teams; it's about extending this collaborative spirit to encompass all departments involved in the product life cycle. This includes involving non-technical teams such as marketing, customer support, and design, which are often overlooked in traditional security discussions. It’s crucial to recognize that our "customers" aren't just the end users but also the internal stakeholders who interact with our systems daily. By considering their needs and experiences, we can implement security measures that support rather than disrupt daily business activities. This approach not only enhances security but also builds a culture where every employee feels responsible for and knowledgeable about the role they play in robust security.
At its heart, DevSecOps is about inclusivity. It’s about breaking down the barriers that traditionally separate technical and non-technical teams within an organization. By involving everyone from product managers to sales teams in the security process, we create more resilient and thoughtful security strategies. This inclusivity ensures that security solutions are not only technically sound but also enhance user experience and align with business objectives.
Question 5
You’ve been a strong advocate for moving away from the traditional 'police officer' role of security teams. What are some effective strategies you've implemented to make security teams more approachable and viewed as partners rather than roadblocks? How have these strategies improved collaboration and compliance within the teams you've led?
Answer 5 🎯
The biggest one is the fun part, which I already touched upon, so I’ll go with another one: speaking the same language.
I often get asked: Why? Why do we need to do this? Why this way? I think the worst answer we can give as security professionals is “because of compliance”. I heard this phrase many times as a software engineer and it made me shrug every time. I believe it is crucial to be able to explain to people in engineering, support, marketing, design, etc., why we do things the way we do them, using their language and relating it to their day-to-day tasks. In most cases people go from “that’s a stupid policy” to “oh, that makes sense”. And sometimes the policy is stupid, and we end up improving it thanks to the feedback!
To help with this, Tradeshift’s application and infrastructure security teams don’t have any analysts, everyone’s an engineer, working with code on a daily basis. If we discover a vulnerability within our platform, we’ll typically assign it to the owning team, but every now and then we’ll dive in and fix it ourselves - which keeps us on our toes, but also shows engineers that we really are on the same team.
Read the Full Q&A on Gomboc.ai
What’s New at Gomboc
Join Us at New York Tech Week for a Roundtable Discussion on Harnessing AI for Growth-Stage Organizations
New York City’s Tech Week is coming up and we’ll be there with an exclusive roundtable on how growth-stage organizations can harness AI to enhance their security posture.
We're bringing together top cybersecurity experts for an evening of open discussions and actionable insights. Here’s all that you need to know 👇
📅 Date: June 4th
🕡 Time: 6:30 PM
📍 Location: Secret (revealed upon registration)
Spots are filling up fast, so secure your spot now and discover how AI can level up your cloud security strategy.
Latest AWS and Azure Updates You Don’t Want to Miss
AWS Systems Manager Parameter Store now supports cross-account sharing
Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
AWS free tier now includes 750 hours of free public IPv4 addresses, as charges for public IPv4 begin
General availability: Extensible key management using Azure Key Vault for SQL Server on Linux
Top Articles and Resources of the Week
Articles
Resources
Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.