Security Culture Committee

Mission statement

The security department, as a part of GitLab, should follow and live up to the GitLab values and mission. The transparency value can be especially difficult for a security department to embrace and embody: because much of their work is confidential, security people tend to be secretive and opaque by default.

Intent and goals

The intent of the security culture committee is to maintain a welcoming and transparent environment within the security department.

The committee goals are to:

  • Identify areas where our core values can be strengthened
  • Improve transparency while maintaining security & privacy across the security organization
  • Foster an inviting and welcoming environment for questions, concerns and feedback
  • Propose ideas to promote teamwork and collaboration
  • Help drive the mission of being the most transparent security group in the world
  • Provide actionable feedback and direction to the security department, so they may best live up to the GitLab values

The committee should draft the ways to reach these goals for an open, approachable and transparent culture within the security department. The department’s leadership should reinforce those ways by communicating and leading by example. The committee will provide an interface for all team members to express any concerns regarding the culture within the security department.

Participation

Current (September 2023 - February 2024) nominated committee members:

Previously nominated committee members (July 2022 - September 2023):

Previously nominated committee members (January - June 2022):

Previously nominated committee members (FY22):

Each nominated member completes a single six-month term aligning with the GitLab fiscal calendar, and ideally will not serve consecutive terms. New members are nominated and appointed using the process below.

Meetings

The meetings will alternate between APAC & AMEA-friendly timezones. The recordings will be available in the GitLab Videos Recorded folder. Any team member is welcome to join - ask in #security-culture if you can’t find the event.

Process for change

To suggest a change, create an issue in the Security Culture Project.

The security culture committee has an issue template available for creating new issues.

Current Committee Projects

We are tracking our efforts in this issue: https://gitlab.com/gitlab-com/gl-security/security-culture/-/issues/13

Committee formation

Once a security culture committee cohort nears the end of their term, they are responsible for the formation of the next committee. The committee must ensure that the nomination process is tailored to the current size and state of the security department and sub-departments. There is an issue template that can be used to track the progress of the nomination effort and have any necessary discussions.

For FY22 and the first half of FY23, the committee was selected by sending out a Google Form listing everyone in the department, separated into the three sub-departments: Security Assurance, Security Operations, and Product Security/Research. Security department members were encouraged to nominate one person from each sub-department. The person with the most nominations in each sub-department was selected (three people), and the two people with the most nominations overall among the remaining nominees were added, for a total of five committee members.

In the event of a tie, the team members tied for nominations will be sent a group direct message notifying them of the tie and asking if any of them would prefer to decline the nomination. If this does not resolve the tie, the nominees will be determined by a dice roll.

Formation process overview

The following steps need to be taken in order to form the next committee:

Prepare the nomination forms

  • Locate the previous nomination forms in the Nominations folder in Google Docs; the most recent one will be used as a template
  • Make a copy of the previous Security Culture Committee Nomination Form
  • Edit the newly copied document as necessary to include new team members, remove people who have left the company/department, or accommodate any departmental changes
    • In order to give everyone a chance to participate, make sure to remove team members that have already served on the culture committee

Announce that nominations are open

  • Send an email to the security team email address (security-gl-team@gitlab.com) announcing that nominations are open
    • Be sure to include a link to the nomination form and mention the date when nominations will be closed
    • Consider using the previous emails as a template
    • Depending on the Google Group configuration, you may need to approve the email in order for it to be delivered. Do this by going into Google Groups, finding the security-gl-team@gitlab.com list, and approving the email via the Pending section on the left side of the page
  • Announce in the #security-department Slack channel that nominations are open
    • Be sure to link to the nomination form, any relevant documentation, and specify when the nomination period will end
    • Mention that team members who are particularly interested in being on the committee are encouraged to express that interest either in the announcement thread or via the #security-culture channel
    • Consider making three announcements on different dates, posted at times that suit different timezones: one right after sending the email, one halfway through the nomination period, and one more shortly before nominations close
  • Consider adding an announcement to the FYI section of an upcoming Security Department meeting, if time appropriate

Form the new committee

  • Based on the current formation process, determine which people have been nominated
  • Privately direct message each nominee via Slack notifying them that they were nominated and asking if they are interested in participating
    • Be sure to mention that this is completely voluntary and can be declined for any reason or no reason at all
    • Give nominees some time to consider it and be available to answer any questions they might have
  • In the event that someone declines a nomination, determine who received the next highest number of nominations and ask that person
    • Continue this process as needed until the expected number of committee members have agreed
  • Once the appropriate number of nominees have accepted, announce the new committee to the department via the #security-department Slack channel

Conduct a handover meeting

  • Invite the new committee members to the next upcoming security culture committee meeting, or schedule a separate meeting specifically for the handover
  • Communicate anything that was unfinished or in progress, or that the upcoming committee might want to consider taking on
  • Be sure to link the new committee to the issue tracker or relevant documentation and answer any questions the new committee might have