Will Maier is the Chief Information Security Officer at Even. Before joining Even in 2019, Will led teams that built and secured online banking systems in the cloud at Simple and at BBVA.
Hundreds of thousands of people doing essential work at some of the largest companies in the world trust Even to make financial services work for them. And as Chief Information Security Officer, it's my job to make sure we earn that trust by building security into every part of our product. You can find lots of details about our security program in our SOC2 Type 2 report. And while I definitely hope you request a copy of our report from our sales team and read all 89 pages, focusing on three big themes helps us make sure we get all of the important details right.
It's a scary world out there, and security teams often find themselves playing the role of the enforcer. But aggressive or mindless nagging disempowers staff and diminishes trust. I learned how this can feel while building and securing financial services in the cloud at a large bank. And I have made it a priority to build an inclusive, welcoming security culture here at Even. That's why our security, compliance, and legal teams embed directly with other teams, learning about their goals and challenges, earning their trust, and seeing the work as it's actually done. With that insight, we can more effectively shape plans and products to ensure they take into account and mitigate threats.
Strong security starts with a healthy culture that brings policies to life and into actual practice. A dense policy manual can do no good if it languishes somewhere in the shared drive, unread and unreadable. So we complement our manual with short, readable, but comprehensive, documents like the information security policy acknowledgement we send to every new hire. When I wrote our attestation, I was inspired to make it as friendly and welcoming as the introduction that accompanies the (necessary) legalese in the offer letters we send candidates.
A slide from our annual security awareness refresher. Employees are more likely to absorb engaging and approachable content.
With that goal of providing a welcoming intro in mind, I revamped our security awareness training and made sure that it went beyond the basics of identifying phishing attacks. I wanted the training to give our staff the tools they need to assess information security risk in their everyday jobs (I also included lots of emojis 😀 ). These docs and trainings show our staff that they are trusted and expected to help build our security culture.
It’s hard to build a healthy security culture when security or engineering staff have to work through endless backlogs. Fortunately, it’s getting much easier to apply automation to do the many repetitive (but critical) tasks that might otherwise fill the day of many teams of security analysts. Automated systems monitor our open source software supply chain for known vulnerabilities. When new updates become available, those same systems implement the software update and propose it for review by our (human) engineers. This makes it possible for us to detect, test, and apply updates for known vulnerabilities hours after they become available and without burdening our security or engineering teams.
By investing in automation, we give engineers extremely efficient tools that make their jobs easier while ensuring we follow our policies.
Automated systems also handle the deployment of the hundreds of software changes our engineers deliver every month. These systems automatically scan each proposed change, ensuring every line meets our coding guidelines and performing complex analyses to identify security weaknesses. This allows engineers to focus on higher-level structural, operational, and security characteristics of a proposed change in their mandatory manual reviews. And after a change is approved, automated systems handle the delivery and promotion of the change, emitting metrics so that engineers can monitor the system without interrupting their work.
We use these automated systems to make it easier to do the right thing. If mandatory code reviews and strict coding requirements slow engineering teams down, they'll cut corners when faced with tight deadlines. By investing in automation, we give engineers extremely efficient tools that make their jobs easier while ensuring we follow our policies. This approach has made it possible to increase the rate of delivery by 15% while also adding many more tests, static analyzers, and other security tools to our secure development process.
Automated systems massively extend the reach of our dedicated security team. We have the time to invest in our security culture because we have hundreds of alarms configured throughout our cloud environment. Some of those alarms use manually configured static thresholds to send us alerts when metrics or logs go beyond expected limits. But an increasingly large fraction of our alarms use machine learning to set dynamic thresholds that automatically account for changes in metrics due to predictable seasonality. This makes it cheap and easy to add many more alarms without spending lots of time to manually calibrate each threshold. And all of the alarms feed into our automated incident escalation system, so our 24x7 security and engineering incident response teams can zero in quickly on threats and anomalies.
Just like we prefer to automate repetitive, error-prone tasks, we also prefer to buy the best available services rather than build our own. By developing a few deep partnerships with leading security and infrastructure companies, we’ve successfully handed off critical activities that those companies can do better and more efficiently. And while it can feel uncomfortable to trust a third party with these most sensitive services, careful build-vs-buy decisions have freed us up to focus on the problems only we can solve.
As GitHub discovers more vulnerabilities across its huge platform and incorporates that intelligence into its security analysis feature, we automatically get the benefit.
The automated systems that power our secure development process incorporate several open source tools. Because those tools are used by a diverse group of companies, we often find that they have high-quality documentation and are well designed to meet our needs. And by participating with other companies in the development of those open source tools, we get to benefit from their work and influence the direction of development. That creates value beyond each bug we fix or improvement we contribute to an open source project.
Our partnership with GitHub also creates value that grows faster than our bill. While GitHub serves as the center for all of our software development, they have also begun to place an increasing focus on security features. In order to help accelerate this work, we signed up to provide early input on their Advanced Security features. With Advanced Security, our engineers get automated security analysis embedded alongside the changes they develop. That analysis incorporates security best practices, public listings of known vulnerabilities, and patterns that GitHub and its other customers have developed. As GitHub discovers more vulnerabilities across its huge platform and incorporates that intelligence into its security analysis feature, we automatically get the benefit. And because this feature is hosted by GitHub, our team doesn’t have to do any extra work.
Even for our most sensitive services, we look first for the best available services before building ourselves. This is especially true for the systems that tokenize sensitive data and play a crucial role in our PCI compliance. I’ve led the design and development of tokenization systems as part of early PCI Level 1 certifications in the cloud. And while we could safely implement these important systems at Even, we were happy to partner with Very Good Security (VGS) instead. With this partnership, VGS securely vaults our sensitive card and other data and our engineers remain focused on making Even a better way for our customers and members to make progress.
Strong security starts with the right policies. But without a healthy culture, effective automation, and strategic partnerships, even the strictest policies cannot defend against the dynamic threats that most businesses face today. At Even, we focus on these big things to make sure that the many necessary details work together to keep our customers and members safe.
Get updates around new research and findings in your email.
Biweekly pay doesn't work for the millions of American workers constantly distracted by financial stress. That distraction costs employers billions, too. Learn why, and how you can fix the shortcomings of biweekly pay without changing how your payroll works.