Building & leading a combined engineering & security org
with Mike Hanley
April 16, 2024ABOUT MIKE HANLEY
Mike Hanley is the Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.
When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and eight kids.
"The idea that the security team is walled off or separate or not really connected, not just to engineering but the entirety of the business, you really can't have that. If you think about the pace of modern development, things are moving so quickly. It's so driven by software. The idea that you're like, ‘Hey, I got to walk down the hall and check in with somebody from security who has no idea what's going on in my roadmap, who has no idea what my day to day experience is living in engineering...’ That just doesn't work!”
We now have 10 local communities of engineering leaders hosting in-person meetups all over the world!
Local communities are led by eng leaders just like you, who wanted to create a place to connect, share insights & tackle critical challenges in the job.
New York City, Boston, Chicago, Seattle, Los Angeles, San Diego, San Francisco, London, Amsterdam, and Toronto in-person events are happening now!
We’re launching local events all the time - get involved at elc.community!
SHOW NOTES:
- GitHub’s convergence of the eng & security orgs (2:33)
- Benefits of combining engineering & security org mandates (4:46)
- How the security team is involved with the internal product dev lifecycle (8:05)
- The downsides of engaging your security team as an afterthought (10:46)
- What an early-stage yes/and product conversation looks like (12:48)
- Examples of educating your eng team on security best practices (17:17)
- Expanding two-factor authentication externally (19:29)
- Stewarding security as a responsibility & value (21:59)
- Security & safety implications for orgs using / building AI tools (23:44)
- Why the rise of AI is a great time for eng / security collaboration (27:09)
- How to leverage security best practices using AI tools (29:53)
- Mike’s view that AI will create more opportunities & improve structural tech (32:14)
- Frameworks for getting to “yes” when it comes to adopting AI tooling (35:15)
- AI-powered tools GitHub is using to change workflows outside of eng & security (39:06)
- Considerations pivoting toward combining eng & security functions (40:35)
- Rapid fire questions (42:25)
LINKS AND RESOURCES
- Why Johnny Can’t Encrypt - Alma Whitten And J. D. Tygar’s argument that effective security requires a different usability standard that is not achievable through the user interface techniques commonly found in consumer software.
- The Space Trilogy - C.S. Lewis believed that popular science was the new mythology of his age, and in The Space Trilogy he ransacks the uncharted territory of space and makes that mythology the medium of his spiritual imagination.
- The Works of Peter Drucker
This episode wouldn’t have been possible without the help of our incredible production team:
Patrick Gallagher - Producer & Co-Host
Jerry Li - Co-Host
Noah Olberding - Associate Producer, Audio & Video Editor https://www.linkedin.com/in/noah-olberding/
Dan Overheim - Audio Engineer, Dan’s also an avid 3D printer - https://www.bnd3d.com/
Ellie Coggins Angus - Copywriter, Check out her other work at https://elliecoggins.com/about/