An Interview with Larkin Ryder, Interim Chief Security Officer at Slack
Staff Writer at Plentyworks
In 2004, Larkin Ryder knew nothing about database administration. She was working at a small company in the years following the enactment of the Sarbanes-Oxley Act, a law designed to prevent fraudulent financial reporting. Sarbanes-Oxley, or SOX, was a response to accounting scandals at publicly traded companies that had cost investors their faith in corporate reporting. Ryder’s manager, who was leading the company’s SOX compliance effort, went on vacation right before the final phase of audits, which aimed to establish the integrity of the databases hosting the company’s financial systems.
“It was like being thrown into the deep end of the pool without having so much as a swimming lesson,” says Ryder.
Ryder had to become familiar not only with the SOX legislation but also with the security controls behind it. She says that “a very patient auditor and a confident comptroller” helped her learn to navigate database security for the first time, over the course of a month. Even so, it is hard to overstate how much hard work and research the job required.
“Information security, perhaps more than any other discipline in computer security,” says Ryder, “requires continuous focus on growing your knowledge.”
One reason for that, according to Ryder, is the constant pressure from ill-intentioned hackers. Companies set up “bug bounty programs” (as PlayStation did last June, following many other large companies) that pay hackers who report vulnerabilities they have found in the company’s software instead of abusing them. But what stops a hacker from exploiting the vulnerability instead? Often the criminal route pays better: an attacker who gets in can encrypt or steal the company’s data and demand a ransom for it (see: ransomware). Ryder says that criminal hacking is still very much prevalent, and possibly even on the rise, because companies are simply underprepared.
“We still see ransomware infesting companies with poor patching hygiene,” says Ryder. “The same old tricks are working for the attackers because the fundamental paradigms aren’t changing.”
Larkin Ryder started coding through what she calls a “happy accident.” When she was 16, her parents went through a difficult divorce. She dropped out of high school to help support her now divided family by waiting tables. During that time, Ryder learned a lot about customer service, and also that she didn’t plan on waiting tables forever. She applied to college, and the school offered her a conditional acceptance on the strength of her academic record.
She enrolled as a pre-med student, in part because it was practical and career-oriented, but she loved mathematics more than anything. She had no sense of a practical career that would align with that love, as a career in math research seemed unattainable.
Finally, she attended her first programming class, fell in love, and graduated with a Computer Science BA. Suddenly there was a middle-ground career path between practicality and passion.
In the wake of the SOX audit, Ryder became responsible for the design and audit of all IT General Controls at the company. The company also needed to comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires, among other things, encryption of cardholder data, firewall configuration, and regular security testing. Working in general controls gave Ryder the confidence that she could learn whatever she needed to.
“I spent time reading and learning from my peers, grappling with the complexities of network segmentation, segregation of duties, effective change management, and comprehensive logging and alerting.”
This burgeoning experience, specifically with PCI DSS, landed her a spot on Twitter’s security team.
Shortly after, in 2011, Twitter was placed under a consent decree by the Federal Trade Commission (FTC) for failing to secure its users’ information. The FTC complaint alleged that between January and May of 2009, hackers had gained administrative control of Twitter on two occasions (FTC, 2011), and Twitter had to improve its security as a result. Ryder got a “crash course” in the ISO/IEC 27000 series, an international family of information security management standards. If you’re curious about what that entails, download “ISO/IEC 27000” (the overview and vocabulary document; ISO/IEC 27001 holds the actual management system requirements) from ISO’s website, and you’ll be in for 34 pages of hyper-dense reformulations of more or less the same idea: protecting information assets, namely users’ data.
“I spent the next three years drinking from the InfoSec firehose,” says Ryder. (InfoSec is shorthand for information security.)
She credits her “amazing team” at the time for teaching her and having so much patience. Though Ryder loved Twitter’s mission and its legal team, she says it wasn’t easy being on its security team.
“Protecting so many users and so much data was hard and stressful,” says Ryder. “Users do not have much direct agency over a free service.”
You’ve probably heard some version of the saying “if it’s free, you’re the product.” In Twitter’s case it holds: the bulk of Twitter’s revenue comes from selling targeted ad space to advertisers. Ryder had a hard time reconciling her job’s mission, protecting users’ data, with Twitter’s business model of profiting from that data.
In 2016, Ryder joined Slack as the Director of Risk and Compliance.
In contrast to Twitter, Slack is a paid service, so employees have every incentive to protect the user, who is also the paying customer.
“There are two things that drive my enthusiasm for the work I do at Slack,” says Ryder. “My great love for the team I helped to build, and the vision of making Slack the most secure communication system for business.”
Ryder describes how there were only a handful of people on the Slack security team when she started; it now has 50. She speaks very highly of the people she works with, as each one brings unique and important skills to a broad and evolving discipline.
“I owe each of them the best I can do,” says Ryder. “None of Slack’s tremendous value can be realized unless the product is secure.”
“Getting comfortable with Slack or any organic form of communication is difficult for a Chief Security Officer. They have to assume the risk of their most sensitive types of information making their way to Slack. Is Slack as secure as their own on-premises data center that only their trusted employees can access?”
Ryder considers this difficulty one of her main motivations. Seeing Slack used to its fullest potential, and seeing its power to build efficiency, support culture, and engage workers across organizational boundaries, is a very stimulating challenge for a security professional, according to Ryder.
Ryder sees the rise in security breaches as an opportunity to raise awareness of these data protection issues. Companies are quick to try to protect their reputation once large-scale breaches become public, as Facebook did in 2018 when it emerged that Cambridge Analytica had harvested an initially reported 50 million profiles (Facebook later put the figure at 87 million). With more awareness, people can either choose to accept the unjust status quo or demand better security from the corporations that hold their data.
From her first time parsing the SOX legislation and building her expertise in security compliance, to making Slack as close to foolproof as it can be, Ryder welcomes challenges and commends the people who stand by her in facing them.
“Either you overcome the challenge and learn something new, including understanding more about your own capabilities,” says Ryder, “or you don’t, and you learn from your mistakes. Victories wouldn’t be victories if all we had to do to achieve them was keep rolling down hill.”