After two seasons and a ton of fun, Security Sandbox published its final episode today—and it’s a great one.
This month, host Amanda Fennell—joined by two veterans of Relativity’s security team, Calder7—takes things back to the beginning. The trio shares an honest conversation on how the security program at Relativity was built, what went right, the mistakes made along the way, and, maybe most importantly, the lessons learned. Tune in to hear the whole story below.
And rest assured that the future of Calder7 is an exciting one, so stay tuned for more from this team in the coming months.
Amanda Fennell: You two have no idea what I'm about to ask you. You both just showed up, just like you did, probably, for the first day that we worked together. So that's where we're going to start. What was Day 1 like for us, Matt? When you and I started working together, it was not smooth sailing.
Matt Spurr: So Day 1, I guess, was technically when I interviewed you.
I don't know if we should cover interviews or not, although you could probably learn a few things from how to control an interview from Amanda. Probably our actual Day 1 was I got a phone call from you a couple of weeks before you started, basically laying out a plan: “we're going to do all of these things from threat intelligence to building a cyber program to ramping up compliance and building—and put a brand around it.” And coming from a world where I think I was sleeping under my desk for the past couple of weeks trying to get a SOC 2 program built, I was a little scared. And then I...
Amanda: And you were taking a vacation, like right then.
Matt: Oh, yeah. I was on, like, a month of PTO in Denver. And I kept getting calls from you, so I think I knew what was in store from right then.
Amanda: Oh, it's hubris, right? I was so sure I had so many great ideas and that we should just hit the ground running.
Amanda: When we really rolled up sleeves and started to do the work, what was your number one goal? What, for you, was something we really had to nail? Darien, it was “don't get breached,” right?
Darian Lewis: No, it was actually moving left. I was really concerned that when we first started, there wasn't much in the way of predictive analysis of what's out there or where it's coming from. It was much more reactive and that was very concerning to me from the onset. And so we tried to bring, you know, kind of an intelligence basis to what we were doing to try and get left of center as far as possible. And I think we still fight that battle every day—and we will until the end of time. But yeah, that was kind of my big push was to go as far left as possible.
Amanda: And looking at it now, what were the biggest mistakes we made?
Darian: I think the biggest mistake we made was our choice of sim. We didn't fully understand what our volumes were like. And I don't think we could have gotten any better at the guessing than we did. But at the end of the day, you know, it was a good-enough solution at the time, and it worked for a time. And then, after a couple of years, it became cost prohibitive. In retrospect, if I'd been able to forecast the amounts of log data properly, I think we would probably have made a different choice from the onset.
Matt: Sometimes I don't think we, culturally, gave enough credit to the idea of how we could ensure security efforts would support the best business we could build at Relativity. A specific example would be how, as we scaled out our software development lifecycle, we were talking about how to make sure everything we release is as secure as possible and roll it out super quickly so we can deliver all this great value. So we made a decision to roll with a very manual process, but in reality, if we stop and think, we’d recognize that it was never going to scale like that. So giving more thought to long-term scalability was something that I think we didn't give enough credit to early on.
Amanda: Andy Bernard once said, “I wish there was a way to know you're in the good old days before you've actually left them.” Was there a moment that hit you like, “this is awesome, and I'm really excited about what we're doing here” during your tenure?
Amanda: My moment was probably on one of our trips to Poland. But right now, I look back and I remember just being so happy to be surrounded by so many other people who I knew were so smart, who I knew I was going to learn something from. It's been this great experience, and I look back and I know we’ve built something great here. We created something that is award-winning with this great team who had fun while they were doing it.
Matt: I probably have two answers for this. One, I'm going to be a little selfish and say it probably predates you, Amanda. It was during the program to launch our ISO compliance. And we had a group of people, some of whom you mentioned, some are still on the team today. Conrad and Hector and Prachi and Jessica. And that group—I remember I was a semi-manager, but mostly an architect, and it came down to the point of a three-week crunch time. And I think we still had 15 controls to design and document and get going. And I asked the team: “Hey, you all have lives. You all have commitments. But I think it'd mean a lot to me and this business if we could come together and get this done.”
Conrad started on this team on his own Day 1. He'd never programed. He was brand-new to the industry. And I told him we needed 45 signatures written over the next two weeks, and I was going to sit there with him and get all the logs and all the programs to write it.
And a small team of us just worked and hung out all day, all night to get this done. It was really, really cool—nobody complained, and we had a lot of fun doing it. That was really, really special. And then that culture came in. I think you amplified it, Amanda. You demonstrated a lot, I think, how to lead a people-first culture in a way that I hadn't seen before. And probably that Poland trip was there, but I think my other moment was the first time we took a team picture in front of the Calder statue.
Seeing how big the team got, how we'd scaled, how I looked at every single person on the team and knew how greatly skilled they were—like, I wanted to be in it with every one of these people and that was really cool.
Darian: You know, this question is interesting because I had a moment in mind, and then I realized that I keep having that same moment over and over again. You'll understand when I tell you. So the first time that I had that realization was with that little incident of a pen tester leaving some crap around. And it didn't trigger until a year later.
Amanda: Can we not use the word incident? (laughter)
Darian: Oh, I'm so sorry.
Amanda: The “adverse event,” but yeah.
Darian: Right. Yes. We had an adverse event that (laughter) triggered a year after a pen tester had left. They just didn't clean up after themselves. And it required six, seven different departments to come together and sit in a room. And that was the first time that I realized that security wasn't viewed by other departments as kind of a joke or a pain in the butt to be avoided, but actually as a team who could help them. And I got to look at those faces and answer questions and ask some of my own and go through and figure out where the information was coming from and how we got to it. And it just felt like I was part of a cohesive team in the room, right?
So I'm part of this company. And we're not in this little box off to the side, but we're actually part of it. And so when I'm participating now in cross-department exercises, I still get that feeling. And it's really nice every time it happens, that you look across from somebody and they actually want to hear what you have to say, and they respect your opinion. And you respect theirs. And it's—I don't know. It's kind of why I do what I do.
Amanda: Before we go, I'm going to say a final thanks to you two for joining this episode; to Relativity for giving me space to host a podcast; our producers, Nicholas and Kael, who have been awesome; our guests, and everyone we've had involved in making the last two years of episodes.
Amanda: And let’s end on a quote from Coach Mike Krzyzewski: “People want to be on a team. They want to be a part of something bigger than themselves. And they want to be in a situation where they feel that what they're doing is something for the greater good.” I think that that's what this has been. I feel like all of us felt like we were doing something that was bigger than us. We were responding to the request from Andrew Sieja, who said, “build me a fortress.” And we did it.