EP 45 — Toast’s David Kosorok on Leading Application Security with Collaboration, Empathy, and Good Data
In this episode of the Future of Application Security, Harshil speaks with David Kosorok, Director of AppSec at Toast, a restaurant point-of-sale and management platform. They discuss how to build an application security program from the ground up by prioritizing initiatives, establishing security champions, and bringing in great people, and why gathering and analyzing good data is the foundation for all of it. They also discuss how to identify and fix the struggles your team may have, why collaborating with product managers is key, and ways to positively influence security culture.

Topics discussed:

  • How to build an appsec program from the ground up by establishing and prioritizing initiatives, leveraging security champions and ambassadors, identifying resources, and bringing in great people.
  • The importance of collecting and analyzing data in order to gain clarity and understanding on the current state of security and where to take action.
  • Why working with product managers is key to building better security programs, and how to build trust and collaboration with others across the organization.
  • How to identify struggles the team is having in implementing security standards, and how to improve processes through education and vision.
  • How to impact security culture by increasing transparency through regular open meetings, storytelling, and inspiration.
  • How David has mentored individuals who went on to join the security community.
  • The importance of sharing lessons learned with the security community to increase overall education and awareness.

Guest Quotes:

“We collect the data, make sure it’s good data, maybe work with the security champions that we have, and clean that up, and then present that data. … We want to have clarity, vision, and ensure that people know exactly what we’re asking for.” (13:45)

“Don’t forget that in your list of contacts, of people that you build relationships of trust with, that you reach out to them and explain to them: What’s the strategy? What’s the vision? Why are we doing these things? Helping them understand that ‘why’ helps them reprioritize.” (16:57)

“It’s not the story of fear, uncertainty, and doubt. It’s a story of success and partnering with your customer, showing your customer love by protecting them.” (17:56)

“That’s where that clarity of data comes in, where they have a picture, there’s a story behind it, they can tell the story, and inspire someone else to give them higher priority.” (25:38)

“You want to have people know what the clear vision is. Have a clear strategy yourself. Make sure the data itself is crystal clear, that there’s no ambiguous data there. To make sure that you bring in the right people, that you have contacts, collaborations. It’s this whole kit together that helps you be successful and builds that security culture as a company.” (28:08)
