Ever wonder what it’s like to be responsible for security at Dropbox?

Patrick Heim doesn’t have to wonder. He’s the head of Trust & Security at Dropbox. With a diverse background, he’s got a lot of experience and insight to share.

We covered a lot of topics in a broad-reaching and exciting conversation. Here’s what he had to share about handling pressure, taking a data-driven approach to security, and why he’s excited about the future.

Security leaders are under a lot of pressure. It creates a struggle to maintain focus on what matters. How do you prioritize?

It’s true that there are many different topics and areas of focus under the security umbrella that compete for priority. At Dropbox, we take a practical risk-centric focus when deciding which security investments to prioritize. We have good data about what causes security losses for our users and use this data as a way of focusing our investments on “things that matter.” There are also security features that are driven by compliance and integration needs. We prioritize these by looking across our entire base of customers and prioritize towards the biggest benefit for the many. This means that we are purposely not architecting compliance packages for various industries.

How does a data-driven approach work when everyone wants something from you? For example, how do you handle customer requests for new features? And how can other security leaders learn from your experience?

Customer requests are great pieces of feedback that give us a pulse on what’s going on within industries, regions, individual companies and what is affecting larger pools of users.
And the balance of these requests is just that - you have to find the sweet spot between addressing one-off requests and building features that have a broad impact. We are carefully and deliberately evolving our controls and features. A critical consideration is how to do this in a manner that keeps an intense focus on simplicity and usability to preserve the outstanding Dropbox user experience.

Technology history is littered with companies that developed amazingly capable products but where the user experience was poor and therefore adoption suffered. Adoption is a critical - but often overlooked - component of keeping your data secure. Individuals are empowered with a huge number of technology choices. If IT doesn’t enable them with usable tools they love, they will simply hack around IT.

Since you brought it up - what are some of the larger risks across the user base you are focused on addressing? Are those areas that security leaders migrating to the cloud should focus on?
Maybe something they should explore with their providers and partners?

Password reuse is a huge risk. Our investment in three different forms of 2-factor authentication (2FA) is an example of being proactive with this risk. The overwhelming majority of security breaches are a result of account takeovers where an individual has re-used the same password across multiple sites. When the “weakest link” site is hacked, the passwords are tested for access to Dropbox and other popular sites. We can’t control how our users re-use their password, but we can make it easy for them to turn on 2FA.

We’re working to educate businesses and users about the importance of passwords, and how to use passwords correctly so that their information is less likely to be hacked. Our data shows that organizations that have integrated Dropbox into web single-sign on (SAML) or individuals that have enabled 2FA on their Dropbox accounts have virtually eliminated all risk associated with account takeovers.

You’re in a position of scale. How can others benefit from your experience and insights?

We’re not in the business of security for security’s sake, but are instead committed to improving the state of security as a whole for the entire industry. To achieve this goal, we participate in selective threat sharing with other leading technology companies, which allows the opportunity to discuss and mitigate timely threats in real-time. This trusted security threat sharing system allows participating companies the capability to protect our users, while not sharing private, personally identifiable information. We also participate in industry events on a regular basis and share some of the findings of our research.

We’re at an exciting time in security. It’s captured the attention of investors and is driving a lot of startups. Start-ups seem like a double-edged sword.
How do you figure it out?

I am excited, I have never seen so many companies innovating and investing in security. The truth is that many start-ups offer similar products, which can make it challenging to separate the wheat from the chaff. This is complicated by grandiose marketing claims as well as dropping a long list of buzzwords.

I recommend leaders determine the best options by knowledge-sharing with one another. Peer references are a great way of cutting through the noise and getting to the short-list. At Dropbox, we’re also in a privileged position because we have some of the best engineering talent available. Whereas many organizations are in a situation that they have to go through product selection and integration, many of our investments come down to building our own products. The scale that we operate at and the uniqueness of our infrastructure often makes it difficult to even consider external security vendors.