
Zoom executives offer deep dive on revamped, post pandemic governance framework

From Zoom to Slack, more and more people access business apps through a browser. In response, companies are developing browser isolation technologies designed to separate web browsing from the rest of an organization's IT network. (Kena Betancur/Getty Images)

In 2020, Zoom ballooned from niche product to ubiquitous. That rapid shift resulted in a complete restructuring of the company's organizational goals and workflow to secure what quickly became a global infrastructure necessity.

"If you think back to January 2020, Zoom was being used really by businesses for work interactions. It wasn't the household name that we all know it to be today," said Heather Ceylan, head of security standards, compliance, and customer assurance at Zoom. "Fast forward just four months later to April, and it was being used by people for medical appointments and for going to school, for talking with grandma and grandpa — all of these different things that changed our business profile and really shifted our risk profile."

Ceylan, along with Ariel Chavan, Zoom's head of security product and program management, will present the governance framework they used for rapid transformation at this year's RSA Conference, the second week of June.

Governance frameworks define the organizational principles behind a company. Where a security framework determines the goals and actions of security initiatives, a governance framework determines the interrelated roles of workers across an organization.

But Zoom found its governance framework had to be predicated on a security framework to create the goals that interconnected employees would be working toward. In fact, a big part of Zoom's framework was aligning the company to the NIST framework.

"If you're a mature security program, you probably have elements of this framework in place, and you may have a very similar framework and paste in place. So what we're sharing with the framework is not necessarily any revolutionary idea," said Chavan.

"We implemented things that worked really well and some things that didn't work so well. We'll share some of those lessons learned at RSA. So hopefully, people can take that back to their own security organization and apply it to their specific frameworks," he said.

For example, when Zoom brought on new security staff to meet its rapidly changing staffing needs, it tried to adopt some of the silo-breaking communication strategies used at other large firms, including instituting monthly business reviews. But without better guidance from an internal framework, those meetings became lists of what everyone was working on, providing very little value to the attendees.

By formalizing the ideal outcomes for the meetings, and framing them around who was looking for help and who could assist, the meetings became more useful for producing tangible outcomes.

Formalizing individual and group goals allowed Zoom employees to better communicate with each other about progress and needs, and better route problems to their appropriate solvers.

"Security is not possible without the buy-in from the cross-functional organization," said Chavan. "So we want to go through the processes and lessons learned, how we do our annual planning, quarterly planning; how we communicate upward and outward those priorities, and also the challenges that we face."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
