Securing TrueCar, Miles Apart

Driven by Code
Nov 23

By: TrueCar Security and Compliance Team

With the changes that came with a worldwide pandemic, TrueCar has safely ensured business continuity through rapid enablement of our 100% remote workforce. While necessary, this shift was new to most of us at TrueCar, so we decided to explore the impact on the company’s culture and teams, starting with the team that focuses on cybersecurity.

“We’ve been hacked!” That’s one three-word phrase that can get your mind racing and spark an automatic physiological reaction. These symptoms are often remedied by getting to know the Security and Compliance Team at TrueCar. We call ourselves “The Seven Deadly Sins of Security,” for the areas of focus each team member specializes in.

Just kidding, we don’t call ourselves that at all. But we do take securing the data at TrueCar very seriously. Imagine the damage a hacker could do with social security numbers, driver’s licenses, email addresses, or bank account numbers (aka Personally Identifiable Information — PII). The seven members of the Security and Compliance Team enforce and implement measures to protect electronic, print, and any other form of confidential, private, and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Meet the team

We figured the best way to get to know us would be to hear directly from everyone on the team, so here goes!

Jeff Elliott (Security Analyst) — Texas. 6 months at TrueCar. I am a buffet enthusiast. I co-wrote the highly-never-reviewed book “Think Like a Man Because I Am a Man!”, and starred in the never-will-you-ever-have-seen movie “Can You See Me? Because I Can!” I can also add to my long list of achievements that I’ve been a stand-up comedian for nine years now. I’ve opened up for Eddie Griffin, Dave Chappelle, and Deon Cole.

Brett Henry (Security Engineer) — California / Connecticut. 9 months at TrueCar. Unofficial Guinness World Record holder for most times wearing Batman shirts in a year. I have done pretty much every type of IT job in my career, including call center support, tech support, systems engineer, developer, and security engineer.

Evan Powell (Security Engineer) — California. 1.5 years at TrueCar. I had worked a total of five days at TrueCar before the shutdown. My wife and I had our first baby, Juniper, in August 2020. We recently purchased our first home, which we only got because the guy that outbid us had an aneurysm the day before closing. I used to work in a bakery decorating cakes and pastries.

Jackson Diamond (Senior Compliance Analyst) — California. 3 years at TrueCar. Proud father of 11 house plants. Hobbies include playing in basketball and soccer leagues and making breakfast burritos.

Timmy Chan (Network Engineer) — California. 4 years at TrueCar. I have worked on 4 different teams at TrueCar: Corporate Engineering, Employee Technology, DevOps, and Security.

Aaron Morris (Windows Systems Engineer) — Washington. 5 years at TrueCar. When I applied to TrueCar, my resume showed 20 years of experience, but only one job. I started at TrueCar as a remote employee and have been so ever since. I collect and repair vintage gaming and computer systems for fun. I love cars — I’ve owned over 12 cars since I started driving — and have been Autocrossing (racing) for over 6 years. I am a master of ’80s music and pop culture quotes.

Arpi Long (Senior Director of Security and Compliance) — Illinois. 6.5 years at TrueCar. I was born in Armenia, grew up in Los Angeles, live in Chicago, and own property in Kentucky. I went remote a year before the pandemic, when my husband’s job moved us to Chicago from Santa Monica. It’s been quite the climate change!

Every TrueCar employee has encountered a member of the Security and Compliance team in one way or another… they just may not have realized it. It might have been while reading an email from a food delivery service asking the reader to click a suspicious link in order to get some free grub; at TrueCar, that’s just Evan Powell performing random “phishing” exercises to keep employees on their toes and ensure they remain diligent in protecting TrueCar’s data. According to Tessian’s phishing statistics, 96% of phishing attacks arrive by email, and compromise:

  1. Credentials (passwords, usernames, PIN numbers)
  2. Personal data (name, address, email address)
  3. Medical (treatment information, insurance claims)

When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:

  • 60% of organizations lost data
  • 52% of organizations had credentials or accounts compromised
  • 47% of organizations were infected with ransomware
  • 29% of organizations were infected with malware
  • 18% of organizations experienced financial losses

TrueCar and the Security and Compliance Team are committed to preventing or mitigating as many of these consequences as possible, but it takes the attention of every staff member. So, the next time you see an email with misspellings in the URL, or one that invites you to click on a link, investigate closely and send the email to spam, if necessary.

Keeping in touch

Meanwhile, miles away on the opposite coast, the leader of the team, Arpi Long, is attending virtual meetings with stakeholders from all across TrueCar, managing the daily stand-ups, and ensuring the team stays connected through Slack, brown bag training sessions, happy hours, and other regularly scheduled events.

Although Arpi had grown used to the adjustments required to be effective in a distributed workforce, she recognized that the Security and Compliance Team would need to make some changes to ensure all members were set up for success. Her first adjustment was to schedule recurring meetings with consistent start times and clearly defined objectives. Daily stand-ups were scheduled for the first half of the week for check-ins, and more substantial meetings were scheduled for the latter end of the week, covering special project topics and Information Security initiatives. The team immediately benefitted from the increased opportunities to communicate in a group setting. “Defining the value of each meeting helps you not to miss them and fall behind,” Brett Henry explains. “Securing TrueCar and the people who work with us has remained our utmost focus, despite our team’s physical locations across the United States.”

Sharing knowledge in brown bag sessions

As the team continued to communicate more frequently, ideas for training sessions often popped up during meetings. For example, the team had a clear need and interest in ensuring that every team member (not just the security engineers) understood how TrueCar employees could secure their home networks and safeguard TrueCar’s data, as well as their own, while working from home or various locations around the country. As the training session ideas continued to pile up, the team decided to schedule regular Security Brown Bag Sessions during the lunch hour to cover topics of interest. Team members would take turns leading Brown Bag Sessions to teach the rest of the team about a topic or specific area of expertise. “The Brown Bags originated because we have team members who owned specific tasks and processes and we wanted to ensure that the rest of the team was brought up to speed so we could support in these areas,” Jackson Diamond says. “Essentially, we wanted to make sure we didn’t have any single points of failure. There’s genuine interest within our team to learn from team members who have particular areas of expertise, and we invite other TrueCar team members to attend if they’re interested in a particular topic or identify topics that may be of use to them.”

It was clear after just one Security Brown Bag session that the initiative was a great mechanism to spread knowledge and increase camaraderie among the team. Even though the sessions were meant to help the core team members collaborate, the Security and Compliance team began encouraging other TrueCar teams to join Security Brown Bag sessions that were relevant to their interests. “It’s refreshing and important for collaboration and innovation to continue with TrueCar’s mobilized workforce,” says Aaron Morris.

Recently, the Security and Compliance Team has repurposed previous Security Brown Bag Sessions to present topics in company-wide forums, such as the weekly Newsdesk sessions and the bi-weekly Friday Forum meetings. They continue to plan future Security Brown Bag lunch sessions, Friday Forums, and Newsdesk sessions to address security awareness topics such as mobile device security, the latest phishing attacks, passwords, authentication, and much more.

Slack as a tool to connect

The Security and Compliance team also uses Slack to stay connected while working remotely. It has helped the team communicate and exchange files, as well as have a little fun with one another. As the newest member of TrueCar’s Security and Compliance Team, Jeff Elliott says, “I’ve been able to be more vocal on this team with Slack than I have been in physical spaces on other teams. The Slack channel has good vibes.”

Ergonomics, swag, and more

While adapting to a changing workforce, TrueCar has consistently demonstrated that it cares for its team members and culture. As an organization, TrueCar has made it a priority to ensure each employee has a comfortable workspace, wherever the pandemic has placed them. This involves shipping desks, office chairs, monitors, laptop risers, and whatever else an employee needs to do their job.

“That helped a lot with remote work,” Timmy Chan says, “as did the swag that the company periodically sent out, including allocating team budgets for happy hours, ice cream for the companywide Ice Cream Social, and GrubHub credits.”

In keeping with TrueCar’s values, culture, and success, the Security and Compliance team continues to keep things transparent, fun, and collaborative as they serve TrueCar passionately from across the country.

“Security is heavy stuff, but we find the right times to enjoy each other’s company and get through the heavy nature of the work with a sense of community.” — Evan Powell, TrueCar

We are hiring! If you love solving problems, please reach out. We would love to have you join us!
