Rising SaaS star Slack “lucky” to have been breached early on, CSO says

Breach was a “pivotal moment” that opened new security dialogues with senior executives, employees

A widely publicised security breach two years ago was “probably the most valuable thing that could have happened” to rapidly growing business collaboration vendor Slack, the company’s chief security officer has said as the company steadily pushes towards its highly anticipated IPO.

That hack – in which a Slack database containing user profile information was accessed by outsiders over four days in February 2015 – kicked off a security renaissance of sorts, CSO Geoff Belknap told CSO Australia. “This was one of the key pivotal moments for Slack that helped us really internalise how important security was for us as an organisation,” he said. “When you realise that this stuff is real, and it’s not just security vendors making this stuff up – it focuses you.”

Slack’s open disclosure of the compromise, and its response – implementation of a 2-factor authentication (2FA) environment to complement tighter security controls overall – has been credited by outside analysts as “a good way to soften the blow”.

For Belknap – who was not with the company when the breach happened but started his role in January 2016, in the wake of the compromise – the event not only focused the company on its security, but focused its leadership on ensuring that security was prioritised and properly funded across the business.

“The reality is that all companies should be so lucky as to experience a very broad breach at the early stage of their growth,” he explained. “It reinforces why security is important: all of the founders, and people who had built the company to that moment, realised that in one cathartic moment it could all have been gone.”

That realisation had paved the way for a relatively easy security sell for Belknap, who has found the board quite receptive to his pitches for expanding the company’s security team – which has grown to include 20 people across four “fully fledged” security teams focused on areas such as security response, risk and compliance, and product security.

These areas are all crucial parts of the Slack offering, which is designed to become a common and widely-used platform for company collaborative efforts. This has made Slack the preferred channel for regular communications – and a veritable treasure chest of work product, intellectual property and regulatory process.

Protecting this information on behalf of Slack’s users is a crucial focus for Belknap and his team. A range of internal security controls – including federated single sign-on, reprovisioning, data retention according to legal data requirements, and high-granularity logging – has been introduced “to make sure we are extending that risk and compliance capability,” he explained.

Belknap was recently in Australia to join cloud providers Box, Netskope, and Okta for an event about building secure digital workplaces. And, as the company gears up for a potential IPO this year – Forbes ranked it as one of America’s 50 most promising companies and US News flagged its “torrid growth rate” as making it one of the year’s most anticipated IPOs – he says its stronger culture of security still recognises the lessons learned from that breach of two years ago.

“It’s fantastic to have that as part of your legend, and to be something that you can draw on so that people can really ground a risk decision,” he said.

As well as stimulating stronger support for cybersecurity from the top, Belknap said that the company’s security culture has also helped engender the strong support of employees – which has proven critical in building a pervasive security culture across the company.

Engage employees and involve them in aiming for security outcomes and they will evolve from being a roadblock to becoming the biggest advocates of your security philosophy, he explained – and this includes helping each employee understand that it is better to report potential security problems, even if that employee is the person that caused them.

“It’s easy for the security department to be this scary, spooky thing and it’s natural for it to be sort of opaque,” Belknap explained. “But the reality is that you can have conversations about security and why it’s there, and why they need your help.”

“You can’t rule by fear and fiat; you have to help employees understand that they are part of the solution, and that problems are not secrets. The immediate response [to reports of mistakes] cannot be that they are going to get fired; if you help them understand what’s going to happen next, you build little deputies of the security department – and that can be a major benefit.”