“Earn influence, don’t mandate it” — a conversation with Figma’s Devdatta Akhawe

Every now and then, a person comes along who is genuinely nice, excels in their field, and eagerly passes learnings on to the next generation of industry leaders. Figma’s Head of Security Devdatta Akhawe is that guy. Our CEO Ryan recently connected with Dev for a wide-ranging chat.

Industry Insights
June 2, 2021
8m read
authors
Material Team

Let’s start here: How’d you find your way into information security?  

I grew up in a small town in India. I was lucky enough to go to a good college there. After university, I was lucky enough to get accepted to good PhD programs, including one at UC Berkeley. The moment I set foot in California, I was interested in learning everything I could about technology.

There’s a meme in security that you have to be this kid growing up actively breaking into computers and hacking from the very beginning. My interest in security was mainly due to the potential to make things, not break them.

From Berkeley onward, I felt security was the only place in Computer Science and tech where you could do virtually anything you wanted and build the most interesting stuff. I ended up focusing on security research and building a career from there.

We first met while we were both working at Dropbox. How’d you end up there?

I loved the product and used it a lot when I was a PhD student. I ended up liking the people as well during recruitment so it made sense to join—even though I was a very early Dropbox Security hire. From there, I grew up and scaled my experience along with the company. Over time, I moved from Security Engineer to Manager to Director, etc. After six years, I was in charge of roughly half of Dropbox’s Security org.

And now you’re leading Security at Figma. Can you tell me a bit about the change and what attracted you there?

It was an exciting challenge moving from Dropbox, which had gone public and was a big company when I left, to Figma, a startup at the very beginning of building out the Security team. I was ready to try something new and it was also cool to be brought in specifically to launch and scale the function. Figma is a collaborative, multi-player design tool inside the browser. Even before joining, I saw Figma as a generational change in the tools we use to develop software. Joining a company that’s redefining how we make software: what could be more exciting than that?

It seems like everyone in security these days is chasing the CSO or CISO title. What’s your take on that?

I think each situation is unique but I go back to values to figure out what’s important to me. The Figma security team has a set of values, which live side-by-side with Figma's broader company values. One of the central security team values is “earn influence, don’t mandate it.”

In general, I don’t think people should chase titles or wear them for the sake of it. They should chase opportunities that help them grow and their teams solve problems or mitigate risk. That said, I understand that a C-suite title can be important in security and in business, particularly for effecting change inside an organization. But, I think it should also be earned and by definition, a C-suite title should be accountable to the Board of Directors. This also complements Figma’s company values of Love your craft and Grow as you go. We spend time honing our skills and being rigorous about the work because it's the right thing to do. Growth—and recognition—are the results.

How do you think about diversity when it comes to security?

Dev: Diversity is important for many reasons. There’s value in collecting as many different perspectives as possible on a single issue and hashing them out to find a novel solution. For security, there’s value in exposing people with diverse backgrounds to new and legacy security problems that remain multi-faceted, elusive, or challenging to solve.

From my own experience, and in general, it's clear that the current standard isn’t working to prevent every type of hack or rectify every failure mode. As a security industry, we desperately need fresh perspectives and ideas. Not only is boosting diversity in security (and beyond) the moral thing to do, but it’s actually better for security teams and overall business outcomes. Diversity is crucial and fundamental to our success as an industry and, frankly, a society.

Let’s turn, as we often do in security, to recruitment and talent. What characteristics do you look for in a new security hire?

Dev: Security can be a tough field in that it constantly exposes what’s broken, what someone’s done wrong, or what you don’t know. If an attacker breaks into a security product you built or a network you secured, it can be hard to pick yourself up out of the ashes and get back to work.

In my experience at Dropbox and Figma, it’s the curious, humble, resilient, and open-minded people who succeed in security. I’ve found that the more a person learns, the more humble they become (or should become). They realize the true scale of what they don’t know and the many ways they can mess up (sort of a reverse Dunning-Kruger effect). You really need a fundamental openness to learning.

Trust is an important currency in security, both for the team internally as well as for an effective security program. While hiring, I look for people who internalize the importance of trust and work towards building it with intentionality. Trust must be earned, and with remote work and a calendar full of Zoom meetings, we’ve all had to get creative in order to swiftly build trust between security team members and the rest of the organization. Of course having virtual happy hours, Donut Bot meetings, and scheduled 1:1s help, but working together on fixing a specific problem or releasing a new product feature is a good way to do that too!

Last but not least is empathy. A lot of security people miss out on the importance of empathy in the course of our work—empathy for developers and product managers as they handle many needs, including security; empathy for each other in security as we handle stress; and empathy for individuals in sales, marketing, and customer support who have to do their jobs while still trying to be secure. I find that having empathy for someone else’s perspective always leads to better outcomes.

What makes a good security team?

Dev: A good security team is adaptable and flexible. It hides complexity from the rest of the company. That process requires intense and intentional prioritization at every level from lead to new hire—approaching problems one-by-one, or few-by-few, in order of urgency, severity, and complexity.

A good security leader minimizes complexity for the team while building trust and communicating clearly with staff—especially challenging when some or all team members are remote. For context, I joined Figma in the first cohort of fully-remote employees at the beginning of the pandemic. It was awkward and it took time for me to figure out the best ways to collaborate, share ideas, empower employees, and provide feedback. Now, over 60% of Figmates have joined fully-remote and the whole company has had to learn and adapt to this new normal, while also going through hypergrowth.

What are the most important books that you recommend for people (both leaders and ICs) in security?

I think of leadership as an attribute, not a title. Everyone in security (ICs and managers) can (and often needs to) be a leader. There are several good books I’ve read over the years, but three stick out for leaders:

  • The Thin Book of Trust – Trust really is the key currency of an effective security program and this book is fantastic: short and sweet, it’s 60 or so pages of wisdom on how to build trust inside an organization.
  • Extreme Ownership: How Navy SEALs Lead and Win – Security can be a hard job, requiring leaders to make tough decisions under stress and uncertainty. This book really helped me understand and learn ideas on how to do this well, by people (Navy SEALs) who make far more critical decisions under a lot more stress and uncertainty. And made me realize that my job is not that hard compared to them!
  • Resilient Management – Security teams have to deal with rapid change as attackers evolve, the threat landscape changes, and as their companies change. Resilient teams can handle and take these changes in stride. I found this book really helpful as a security leader growing a team.

Awesome. All good things come to an end. One final question: What’s the most important thing you’ve learned since launching your career in security?

I can tell you that from years of hanging out with security people, I’ve learned the importance of security fundamentals/the basics, like threat modeling, for example. You don’t have to be fancy about it, just think about what your security team is really solving for and what you should actually be worried about. Play out as many likely or possible scenarios as possible and devise plans to prevent them in the real world. Regardless of how you do it, your team should be constantly measuring and monitoring risk factors in order to mitigate and minimize them.

I’ll leave you with a piece of advice: never stop learning and encouraging members of your team to do the same. No one has all the answers, especially in security.

This interview was edited for length and to remove awesome, but irrelevant tangents.
