John "Four" Flynn is Chief Information Security Officer at Uber—a role that requires him to protect the ever-growing amount of information and platforms that help provide Uber's ridesharing services to people around the world.

Before joining Uber and helping scale security as the company grows, Flynn served as the head of infrastructure security at Facebook and security operations at Google. He founded Google’s Innovative Intrusion Detection group, served as a technical advisor to the 2012 presidential campaign of Barack Obama and sits on the board of the Future of Automotive Security Technology.

International Business Times: Earlier this year, we saw a widespread cyberattack that occurred primarily because organizations failed to install an available security patch. How can organizations more quickly adopt necessary security measures to protect themselves?

John Flynn: Velocity is critical to modern security. However, maintaining velocity in security is as much about organizational culture as technical mitigation. As we’ve seen with several high profile attacks this year, organizational challenges can impede security even when the technical fix is simple and available. There are a number of principles from the DevOps approach that can help organizations and engineers foster a culture that can support ongoing change quickly and safely.


First, automated testing environments allow you to analyze potential problems before changes are pushed into production. Second, consistently conducting peer reviews means more engineers are looking at new code written by others. Third, phased rollouts can be used to test changes in a small area to confirm they are stable and safe before rolling out broadly. Finally, if something does go wrong, systems can be quickly returned to known safe states.

IBT: What are some of the biggest challenges for organizations when it comes to securing their systems and information as they grow?

Flynn: There are several traditional characteristics of large organizations that hinder speed for security. First, as companies grow older and larger, they tend to develop a culture resistant to change. Inertia takes over and people get comfortable maintaining the status quo.

Additionally, it’s easy for the fear of breaking something to overrule the risk of not updating or replacing it. As legacy systems are allowed to age, they’re often abandoned and become increasingly brittle. Even when these systems are mission-critical, the people who built them eventually leave the company, taking invaluable knowledge with them about how the systems work.

These characteristics are all too common in large companies and they’re counterproductive for security. Organizations cannot be completely risk averse and still thrive. Instead, we must help our organizations understand security within the context of existing business risks. Effective security leaders and teams do this well.

IBT: How can organizations be more proactive rather than reactive to protect against cyber threats?

Flynn: As more organizations such as infrastructure and IT adopt principles of DevOps, it becomes more realistic for security teams to quickly and safely patch and harden systems, fix and eradicate entire classes of bugs from their code, and better manage user endpoints.

To do this well, you need to build a security organization that can accept change and influence other teams. This requires you to articulate security risks in a context that other teams understand, and one that furthers their own objectives. It's not uncommon for security teams to experience pushback from other teams who don't share their priorities. My advice is to identify the blockers faced by other teams and be willing to commit your own resources to unblock them. One reason security teams need engineers is so that you can sit next to other teams and help remove their blockers. You can often tell whether a company truly prioritizes security by whether or not this team has its own engineering resources to do the necessary work.