Status is a decentralized organization that works on creating decentralized products for the Ethereum ecosystem. This combination introduces a drastically new paradigm for what “security” is. Instead of the traditional methodology of focusing on centralized, localized, highly controlled networks and devices, we minimize such infrastructure, and whatever infrastructure does exist lives in the cloud.
What does this mean?
In much the same way we’ve decentralized the organization and applications, we’ve done the same for security.
It means the vast majority of the attack surface is you, the people that contribute. Furthermore, the controls and information a security specialist has for making decisions and monitoring how things are run are constrained.
It also means education takes a forward step in importance across the organization, and personal responsibility for quality security practices becomes paramount. It is up to the people to understand potential threats, take preventative measures, and report any issues they come across to the security team to protect the organization as a whole.
Security Week Proposal
With all of the above in mind, it seems a great idea to have a week of education and personal checklists that help an individual audit their personal practices and get on track, broken up into multiple sections that each focus on certain things (structure also up for discussion). Something like the following:
Some time in advance (1-2 weeks??)
- Purchase/upgrade necessary personal hardware (on the company’s dime).
- Configure/set up said hardware for the personal procedures week.
Personal Security Week
- Days 1-2:
  - Establish channels of communication and ground rules for what they’re used for.
  - Initiate the personal procedures checklist (focused on personal property and asset management).
- Days 3-4:
  - Continue the personal procedures checklist (focused on company-based interaction).
- Days 5-7:
  - Initiate the company-wide checklist.
  - Come together on company-wide practices.
  - Start a regular-interval security education series.
Please discuss how this sounds and what we should add/remove. I’m hoping that this can be a collaborative effort across the company, and upon a successful finish, we can publish about this experience: what we learned, how we’re moving forward, and how other companies that structure themselves similarly can do the same to move the entire community forward with respect to security (both traditional and decentralized).
Stay safe out there!