Just Eat's first CISO is building security in from the ground up

Kevin Fielder, CISO of food delivery service Just Eat, is using gamification and automation to bring security to the forefront

Security leaders are continually challenged to bring cyber awareness to the front of employees' minds; the best defences in the world won't protect against a threat that an unthinking user invites in.

Despite many, if not all, regular IT users acknowledging this as fact, entrenched business culture means that changes are often difficult to push through. Security is still seen as 'the department of no', which makes even the simplest task hard to get done.

Kevin Fielder is Just Eat's first Chief Information Security Officer, recruited to lead what he calls a "relatively greenfield" team, which he regards as both a piece of luck and a challenge.

"[The security team wasn't] fully-formed or anything else, so it was a great opportunity but also a big challenge and responsibility", he told us. "I wasn't coming in to crank the handle; I was coming in to build the team out and work with the guys to decide how the team should look, how security should work for Just Eat."

Having a relatively blank slate to work with has given Fielder an opportunity to make his mark on the company's culture of security, and he has proven keen to instil in employees the same passion for it that he has himself.

The team is working to gamify security, making people keen to improve their rankings on a scorecard system. Every component in production at Just Eat is given a red, amber or green mark in areas including security, reliability and scalability, and the team is now refining that system.
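The scorecard described above, worked through as an added example (not Just Eat's own tooling): each component carries a red, amber or green mark per area, the overall mark follows a worst-area rule, a points total drives the leaderboard, and a helper names the area to fix first. The component names, teams, marks, point values and tie-breaking rules are all assumptions made for the example.

```python
"""Constructed example of a red/amber/green (RAG) scorecard with a leaderboard.

Added example code, not Just Eat's own scorecard; the component names, teams
and marks below are made up. Areas follow the article: security, reliability
and scalability.
"""
from dataclasses import dataclass

AREAS = ("security", "reliability", "scalability")
# Points per mark (assumed); a component's score is the sum across areas.
MARK_POINTS = {"red": 0, "amber": 1, "green": 2}


@dataclass(frozen=True)
class Component:
    name: str
    team: str
    marks: dict  # area -> "red" | "amber" | "green"


def validate(component):
    """Reject an entry that is missing an area or uses an unknown mark."""
    for area in AREAS:
        mark = component.marks.get(area)
        if mark not in MARK_POINTS:
            raise ValueError(f"{component.name}: area {area!r} has invalid mark {mark!r}")


def overall_mark(component):
    """Worst-area rule (assumed policy): one red makes the whole component red."""
    validate(component)
    return min((component.marks[a] for a in AREAS), key=MARK_POINTS.__getitem__)


def score(component):
    """Points total used for ranking."""
    validate(component)
    return sum(MARK_POINTS[component.marks[a]] for a in AREAS)


def leaderboard(components):
    """Highest score first; ties broken alphabetically so the order is stable."""
    ordered = sorted(components, key=lambda c: (-score(c), c.name))
    return [(c.name, score(c)) for c in ordered]


def next_action(component):
    """Lowest-rated area to fix first; security wins ties (assumed, since the board is security-led).

    Returns None when every area is already green.
    """
    validate(component)
    worst = min(AREAS, key=lambda a: (MARK_POINTS[component.marks[a]], AREAS.index(a)))
    return None if component.marks[worst] == "green" else worst


def team_summary(components):
    """Number of red components per team, for a team-level view of the board."""
    summary = {}
    for c in components:
        summary.setdefault(c.team, 0)
        if overall_mark(c) == "red":
            summary[c.team] += 1
    return summary


# Constructed sample data.
SAMPLE = [
    Component("menu-service", "catalogue",
              {"security": "green", "reliability": "green", "scalability": "green"}),
    Component("checkout-api", "payments",
              {"security": "green", "reliability": "green", "scalability": "amber"}),
    Component("legacy-reporting", "data",
              {"security": "red", "reliability": "amber", "scalability": "green"}),
]

if __name__ == "__main__":
    for rank, (name, points) in enumerate(leaderboard(SAMPLE), start=1):
        print(rank, name, points)
```

The worst-area rule is the part worth getting right: a points total alone would let a component with a red security mark sit comfortably mid-table if its other areas were green, which defeats the purpose of a security-led board.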

"You don't want to be the guy at the bottom of the leaderboard, so we're looking at how we make it into a process that developers and people buy into… [It's about] how you provide security that people will work with, rather than trying to work around to get their job done."


The most successful changes are driven through a combination of people, processes and technology, says Fielder. 'People' comes through a security-first culture, and 'process' is about finding and adopting an appropriate approach for your business. Tying these two together is the first step:

"What you have to do is work out what works for your organisation in terms of keeping the culture and the culture that your organisation wants to build, but also having the right steps in place."

The 'technology' side is sometimes seen as the easiest part but, like process, the right solution is key. Fielder, who wants to make sure that his team can devote time to more than just 'saying no', is pushing an automation approach.

"Taking the example of development, we're looking at how we can automate security checks on everything that gets to production. Rather than having tollgates and waterfall that stop people delivering, can we make sure that all code...is immediately scanned as it's checked in? Can we make sure that all third-party libraries are assessed for vulnerability as part of the build process, or earlier?

"We work on the principle of, how can we help the culture and the process, but also build security into that without slowing things down?"


A dedicated engineering team builds the automation tools that Just Eat uses and adds them to AWS CodePipeline. The company is now trialling a new approach that it has dubbed 'Smart PipeLine', which is designed to be more flexible than the existing system. "We're trialling things at the moment, but building it out for the near-term," said Fielder.
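One of the checks Fielder describes, assessing third-party libraries for known vulnerabilities as part of the build, as an added example that is not Just Eat's pipeline tooling: a script that reads pinned dependencies, matches them against an advisory list, and fails the build only above a chosen severity so that low-severity findings are reported without blocking delivery. The lock-file format, the advisory feed and the ADV-* identifiers are all constructed for the example; a real gate would consume a maintained advisory source.

```python
"""Constructed example of an automated dependency gate for a build pipeline.

Added example code, not Just Eat's pipeline tooling. The lock-file format
(name==version), the advisory feed and the ADV-* identifiers are made up for
the example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str   # versions below this are affected
    severity: str
    id: str         # placeholder identifier, not a real CVE


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: Advisory


@dataclass
class GateResult:
    passed: bool
    blocking: list   # findings at or above the fail threshold
    warnings: list   # findings reported but not blocking


# Constructed advisory feed.
ADVISORIES = [
    Advisory("yamlparse", "2.4.1", "high", "ADV-0001"),
    Advisory("httpkit", "1.9.0", "critical", "ADV-0002"),
    Advisory("fmtlib", "0.3.2", "low", "ADV-0003"),
]


def parse_version(text):
    """Dotted numeric versions only (assumed); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text):
    """Read 'name==version' lines, skipping blanks and comments; a later pin overrides an earlier one."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            # An unpinned requirement cannot be assessed reliably, so the gate refuses it.
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        deps[name.lower()] = version
    return deps


def find_vulnerable(deps, advisories):
    """Match every pinned dependency against every advisory for that package."""
    findings = []
    for name, version in deps.items():
        for adv in advisories:
            if adv.package.lower() == name and parse_version(version) < parse_version(adv.fixed_in):
                findings.append(Finding(name, version, adv))
    return findings


def evaluate(lock_text, advisories=ADVISORIES, fail_at="high"):
    """Fail when any finding meets the fail_at severity; report the rest as warnings.

    The same function can run on a pull request, before a build exists, which is
    the 'or earlier' in the quote above.
    """
    threshold = SEVERITY_RANK[fail_at]
    findings = find_vulnerable(parse_lockfile(lock_text), advisories)
    blocking = [f for f in findings if SEVERITY_RANK[f.advisory.severity] >= threshold]
    warnings = [f for f in findings if f not in blocking]
    return GateResult(passed=not blocking, blocking=blocking, warnings=warnings)


# Constructed lock file for the example.
SAMPLE_LOCKFILE = """
# third-party pins (constructed)
yamlparse==2.3.0
httpkit==1.9.0
fmtlib==0.3.0
"""

if __name__ == "__main__":
    import sys
    result = evaluate(SAMPLE_LOCKFILE)
    for f in result.blocking:
        print(f"BLOCK {f.package}=={f.version}: {f.advisory.id} ({f.advisory.severity}), fixed in {f.advisory.fixed_in}")
    for f in result.warnings:
        print(f"WARN  {f.package}=={f.version}: {f.advisory.id} ({f.advisory.severity})")
    sys.exit(0 if result.passed else 1)
```

Run as a pipeline step, the non-zero exit code is what stops the build; the severity threshold is the knob that keeps the gate from becoming the tollgate Fielder wants to avoid, because developers still see every finding but are only blocked by the ones that matter.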

The reaction to this increased automation has been "pretty good", not just from security staff but from employees across the business. That is because it has helped Fielder's team be seen less as a roadblock and more as a resource.

"We're not a blocker unless it's absolutely essential," he says. "What I'm aiming for is when security does 'say no', the people take it seriously, because it's so rare that they know it's a serious occurrence."

As AI and machine learning become more widespread, automation is increasingly going to have a seat at the security table. However, it is important to be certain that it's the right approach for your culture. The most effective implementations will be those where the business blends automation with the existing experts: the people, process and technology trifecta.