Ever wonder what it’s like to be responsible for security at Dropbox?
Patrick Heim doesn’t have to wonder. He’s the head of Trust & Security at Dropbox. With a diverse background, he’s got a lot of experience and insight to share.
We covered a lot of topics in a broad-reaching and exciting conversation. Here’s what he had to share about handling pressure, taking a data-driven approach to security, and why he’s excited about the future.
Security leaders are under a lot of pressure. It creates a struggle to maintain focus on what matters. How do you prioritize?
It’s true that there are many different topics and areas of focus under the security umbrella that compete for priority. At Dropbox, we take a practical risk-centric focus when deciding which security investments to prioritize. We have good data about what causes security losses for our users and use this data as a way of focusing our investments on “things that matter.”
There are also security features that are driven by compliance and integration needs. We prioritize these by looking across our entire base of customers and prioritize towards the biggest benefit for the many. This means that we are purposely not architecting compliance packages for various industries.
How does a data-driven approach work when everyone wants something from you? For example, how do you handle customer requests for new features? And how can other security leaders learn from your experience?
Customer requests are great pieces of feedback that give us a pulse on what’s going on within industries, regions, individual companies and what is affecting larger pools of users. And the balance of these requests is just that - you have to find the sweet spot between addressing one-off requests and building features that have a broad impact.
We are carefully and deliberately evolving our controls and features. A critical consideration is how to do this in a manner that keeps an intense focus on simplicity and usability to preserve the outstanding Dropbox user experience.
Technology history is littered with companies that developed amazingly capable products but where the user experience was poor and therefore adoption suffered. Adoption is a critical - but often overlooked - component of keeping your data secure. Individuals are empowered with a huge number of technology choices. If IT doesn’t enable them with usable tools they love, they will simply hack around IT.
Since you brought it up - what are some of the larger risks across the user base you are focused on addressing? Are those areas that security leaders migrating to the cloud should focus on? Maybe something they should explore with their providers and partners?
Password reuse is a huge risk. Our investment in three different forms of 2-factor authentication (2FA) is an example of being proactive with this risk. The overwhelming majority of security breaches are a result of account takeovers where an individual has re-used the same password across multiple sites. When the “weakest link” site is hacked, the passwords are tested for access to Dropbox and other popular sites. We can’t control how our users re-use their password, but we can make it easy for them to turn on 2FA.
We’re working to educate businesses and users about the importance of passwords, and how to use passwords correctly so that their information is less likely to be hacked. Our data shows that organizations that have integrated Dropbox into web single sign-on (SAML) or individuals that have enabled 2FA on their Dropbox accounts have virtually eliminated all risk associated with account takeovers.
You’re in a position of scale. How can others benefit from your experience and insights?
We’re not in the business of security for security’s sake, but are instead committed to improving the state of security as a whole for the entire industry.
To achieve this goal, we participate in selective threat sharing with other leading technology companies, which allows the opportunity to discuss and mitigate timely threats in real-time. This trusted security threat sharing system gives participating companies the capability to protect our users, while not sharing private, personally identifiable information.
We also participate in industry events on a regular basis and share some of the findings of our research.
We’re at an exciting time in security. It’s captured the attention of investors and is driving a lot of start-ups. Start-ups seem like a double-edged sword. How do you figure it out?
I am excited; I have never seen so many companies innovating and investing in security. The truth is that many start-ups offer similar products, which can make it challenging to separate the wheat from the chaff. This is complicated by grandiose marketing claims as well as by long lists of buzzwords.
I recommend leaders determine the best options by knowledge-sharing with one another. Peer references are a great way of cutting through the noise and getting to the short-list.
At Dropbox, we’re also in a privileged position because we have some of the best engineering talent available. Whereas many organizations are in a situation where they have to go through product selection and integration, many of our investments come down to building our own products. The scale that we operate at and the uniqueness of our infrastructure often make it difficult to even consider external security vendors.