How Jet integrates cyber security into its culture
Are you a cyber security super star? Jet.com’s Security team is growing and we have several open positions currently around application security, infrastructure security, and cyber security risk. Check out our current open roles to learn more.
Are you a security researcher or bug hunter? Check out Jet’s security bug bounty program.
No matter the size of your app, project, or company — there is a simple truth: It is always better to build security in from the start. If you do not make security a priority in your code, and in your culture, you risk moving security from an uphill battle to summiting Everest.
Jet’s early leadership recognized the importance of security early in our startup days. We continually explore new and innovative ways to integrate security into our company culture. Ensuring that our security program is relevant and engaging to our workforce is key to our mission. Two pillars of our strategy for accomplishing this mission are building empathy and tailoring our message so it fits our culture and can be certified jetty.
For many developers and business people, the security team is often seen as the enemy that pushes out draconian rules or reminds you of your mother wagging her finger in your face and telling you what to do. In most cases, this is not your security team’s true goal or intention. Therefore, it is important for your security team and leadership to counter such perceptions by continually making efforts to demonstrate that everyone is really on the same team.
An important part of building these relationships is understanding and developing empathy for each team’s needs. This means interacting with leaders and individuals throughout your organization. Members of your security team should learn about different teams’ projects and goals, and build relationships outside of the security advisory/enforcement context. At Jet, we seek to have a continuous presence and to find unique and engaging ways to influence positive security behaviors. We find that, as a result, conversations are more organic and happen earlier in the project life-cycle. It is natural and easy to reach out to our security team with questions or to report concerns. When this happens, we all benefit because we avoid the all-around pain of trying to shoe-horn in security late in the game.
In addition to establishing good relationships, we are always looking for ways to make security relevant and more personal. Instead of relying solely on standalone security events and presentations, we seek opportunities to partner with teams and groups throughout Jet and Walmart to infuse security into their events and processes.
For example, during Jet’s Take Your Kids to Work Day, the security team hosted a “Secret Spy Room”. Our activities for this event included fun and engaging activities including cryptograms, cipher wheels, and tips on talking to your kids after cyber-bullying and Internet safety. Beyond entertaining the kids, our goal was to find a way to take security out of the corporate context and make cyber security personal instead. First, this was a great opportunity to put a human face on Jet’s security team and was a method of outreach where we were able to entice people to come to us. In addition, we extended security’s value proposition from protecting the company, to helping to protect you and your family. People remember these interactions — many of the parents who participated in the activities will tell me how much fun their kids had when we bump into each other around the office. In many cases, this validates our hope that we would capture the kids’ interest and that the parents would help nurture those interests in security. Ultimately, the direct interaction and lessons from home will translate to beneficial security behaviors in the office.
Currently, we are partnering with Jet’s UniquelyJ private label team to host some really cool events that integrate Jet’s products with key security behaviors as part of Cyber Security Awareness Month. One of our signature events this month was co-hosting a Security Happy Hour in our Hoboken Headquarters. As part of the event, we made Security Sangria featuring UniquelyJ Blue Agave (see recipe at the bottom of this post). By channeling the existing love, goodwill, and support for what we do as a company, it makes our security messaging feel more natural. While the sangria was sweet and satisfying, we also leveraged it as a metaphor for secure password management focusing on three key concepts: (1) Make it fun and memorable (2) Mix it up and keep innovating and (3) Keep your secret recipe safe:
In another fun event, we hosted an internal UniquelyJ Coffee tasting. In addition to promoting Jet’s own products, we used this as another opportunity to get face time with people throughout the office and different teams. To make a lasting impression, we handed out custom coffee-themed coasters embedded with (a) reminders to lock your laptop before you step away, (b) as well as our team contact information. Everyone walked away with a cool memento that reinforces a positive vision of the security team and is an ever-present reminder of an important pro-security behavior.
If these events and activities sounds like fun, it’s because they are! But, there is more to this strategy than fun and swag. A key element to crafting successful initiatives like these is to understand your company’s culture. We work with the communications and people teams to fine tune what will and will not work here. At Jet, we have a very strong coffee culture (including some of finest cold brew connoisseurs I know) which was the impetus behind our coffee themed campaign. It’s tempting to use something generic you found on the Internet, but resist that urge — even if there is a great rhyming phrase. People can tell when things are inauthentic and it shows when security comes across as a bolt-on afterthought.
The same approach can be applied regardless of your organization or industry. To start, think about your core business and products and how you can relate them to security themes and objectives. Then, reach out to teams to find out what they are working on and explain that you are looking to partner with them to promote security and also promote the contributions their team is making to the organization. As you look for opportunities to blend security with products and services, explore creative ways to interpret concepts and use the language of your industry. This approach makes your security messaging feel like it is part of the natural flow and helps infuse security as part of your organization’s norms.
Jet’s Security Sangria Recipe
Mix up the following and serve chilled with ice:
- 1 cup Silver rum
- 3 cups Dry white wine
- 12 cups Cubed watermelon
- 1 cup Fresh blueberries
- 3 Oranges (quartered)
- 5 Limes (quartered)
- ½ cup Uniquely J Organic Light Blue Agave Nectar