Every now and then, a person comes along who is genuinely nice, excels in their field, and eagerly passes learnings on to the next generation of industry leaders. Figma’s Head of Security Devdatta Akhawe is that guy. Our CEO Ryan recently connected with Dev for a wide-ranging chat.
Let’s start here: How’d you find your way into information security?
I grew up in a small town in India. I was lucky enough to go to a good college there. After university, I was lucky enough to get accepted to good PhD programs, including one at UC Berkeley. The moment I set foot in California, I was interested in learning everything I could about technology.
There’s a meme in security that you have to be this kid growing up actively breaking into computers and hacking from the very beginning. My interest in security was mainly due to the potential to make things, not break them.
From Berkeley onward, I felt security was the only place in Computer Science and tech where you could do virtually anything you wanted and build the most interesting stuff. I ended up focusing on security research and building a career from there.
We first met while we were both working at Dropbox. How’d you end up there?
I loved the product and used it a lot when I was a PhD student. I ended up liking the people as well during recruitment so it made sense to join—even though I was a very early Dropbox Security hire. From there, I grew up and scaled my experience along with the company. Over time, I moved from Security Engineer to Manager to Director, etc. After six years, I was in charge of roughly half of Dropbox’s Security org.
And now you’re leading Security at Figma. Can you tell me a bit about the change and what attracted you there?
It was an exciting challenge moving from Dropbox, which had gone public and was a big company when I left, to Figma, a startup at the very beginning of building out the Security team. I was ready to try something new and it was also cool to be brought in specifically to launch and scale the function. Figma is a collaborative, multi-player design tool inside the browser. Even before joining, I saw Figma as a generational change in the tools we use to develop software. Joining a company that’s redefining how we make software: what could be more exciting than that?
It seems like everyone in security these days is chasing the CSO or CISO title. What’s your take on that?
I think each situation is unique but I go back to values to figure out what’s important to me. The Figma security team has a set of values, which live side-by-side with Figma's broader company values. One of the central security team values is “earn influence, don’t mandate it.”
In general, I don’t think people should chase titles or wear them for the sake of it. They should chase opportunities that help them grow and their teams solve problems or mitigate risk. That said, I understand that a C-suite title can be important in security and in business, particularly for effecting change inside an organization. But, I think it should also be earned and by definition, a C-suite title should be accountable to the Board of Directors. This also complements Figma’s company values of Love your craft and Grow as you go. We spend time honing our skills and being rigorous about the work because it's the right thing to do. Growth—and recognition—are the results.
How do you think about diversity when it comes to security?
Diversity is important for many reasons. There’s value in collecting as many different perspectives as possible on a single issue and hashing them out to find a novel solution. For security, there’s value in exposing people with diverse backgrounds to new and legacy security problems that remain multi-faceted, elusive, or challenging to solve.
From my own experience, and in general, it's clear that the current standard isn’t working to prevent every type of hack or rectify every failure mode. As a security industry, we desperately need fresh perspectives and ideas. Not only is boosting diversity in security (and beyond) the moral thing to do, but it’s actually better for security teams and overall business outcomes. Diversity is crucial and fundamental to our success as an industry and, frankly, a society.
Let’s turn, as we often do in security, to recruitment and talent. What characteristics do you look for in a new security hire?
Security can be a tough field in that it constantly exposes what’s broken, what someone’s done wrong, or what you don’t know. If an attacker breaks into a security product you built or a network you secured, it can be hard to pick yourself up out of the ashes and get back to work.
In my experience at Dropbox and Figma, it’s the curious, humble, resilient, and open-minded people who succeed in security. I’ve found that the more a person learns, the more humble they become (or should become). They realize the true scale of what they don’t know and the many ways they can mess up (sort of a reverse Dunning-Kruger effect). You really need a fundamental openness to learning.
Trust is an important currency in security, both for the team internally as well as for an effective security program. While hiring, I look for people who internalize the importance of trust and work towards building it with intentionality. Trust must be earned, and with remote work and a calendar full of Zoom meetings, we’ve all had to get creative in order to swiftly build trust between security team members and the rest of the organization. Of course having virtual happy hours, Donut Bot meetings, and scheduled 1:1s help, but working together on fixing a specific problem or releasing a new product feature is a good way to do that too!
Last but not least is empathy. A lot of security people miss out on the importance of empathy in the course of our work—empathy for developers and product managers as they handle many needs, including security; empathy for each other in security as we handle stress; and empathy for individuals in sales, marketing, and customer support who have to do their jobs while still trying to be secure. I find that having empathy for someone else’s perspective always leads to better outcomes.
What makes a good security team?
A good security team is adaptable and flexible. It hides complexity from the rest of the company. That process requires intense and intentional prioritization at every level from lead to new hire—approaching problems one-by-one, or few-by-few, in order of urgency, severity, and complexity.
A good security leader minimizes complexity for the team while building trust and communicating clearly with staff—especially challenging when some or all team members are remote. For context, I joined Figma in the first cohort of fully-remote employees at the beginning of the pandemic. It was awkward and it took time for me to figure out the best ways to collaborate, share ideas, empower employees, and provide feedback. Now, over 60% of Figmates have joined fully-remote and the whole company has had to learn and adapt to this new normal, while also going through hypergrowth.
What are the most important books that you recommend for people (both leaders and ICs) in security?
I think of leadership as an attribute, not a title. Everyone in security (ICs and managers) can (and often needs to) be a leader. There are several good books I’ve read over the years, but three stick out for leaders:
- The Thin Book of Trust – Trust really is the key currency of an effective security program and this book is fantastic: short and sweet, it’s 60 or so pages of wisdom on how to build trust inside an organization.
- Extreme Ownership: How Navy SEALs Lead and Win – Security can be a hard job, requiring leaders to make tough decisions under stress and uncertainty. This book really helped me understand and learn ideas on how to do this well, by people (Navy SEALs) who make far more critical decisions under a lot more stress and uncertainty. And made me realize that my job is not that hard compared to them!
- Resilient Management – Security teams have to deal with rapid change as attackers evolve, the threat landscape changes, and as their companies change. Resilient teams can handle and take these changes in stride. I found this book really helpful as a security leader growing a team.
Awesome. All good things come to an end. One final question: What’s the most important thing you’ve learned since launching your career in security?
I can tell you that from years of hanging out with security people, I’ve learned the importance of security fundamentals/the basics, like threat modeling, for example. You don’t have to be fancy about it, just think about what your security team is really solving for and what you should actually be worried about. Play out as many likely or possible scenarios as possible and devise plans to prevent them in the real world. Regardless of how you do it, your team should be constantly measuring and monitoring risk factors in order to mitigate and minimize them.
I’ll leave you with a piece of advice: never stop learning and encouraging members of your team to do the same. No one has all the answers, especially in security.