An insider view of information security at Delivery Hero
03 January 2019
We are Mauricio and Rulfo, the information security team at Domicilios.com, the Delivery Hero brand in Colombia, Perú and Ecuador. In November we were invited to the Delivery Hero headquarters in Berlin to meet the Global Information Security team, and this is a summary of our experience.
We have been at the company for over two years and have been involved in many recent projects sponsored by our CEO and CTO. Some of those are:
- Creating the infosec area in the company;
- Optimizing security across different business areas;
- Security training for developers;
- Working with the DevOps team to improve the security in our AWS based infrastructure;
- Internal pentesting;
- Black box testing of sensitive features like online payments, wallet and referrals;
- Training and awareness-raising for all employees;
- Implementing a data protection plan and the ISMS.
We have seen an incredible improvement in the maturity of our processes since the old days, and we were happy to learn more about how the Global Information Security team in Berlin is working.
Why information security?
Information security is a trending topic nowadays. It moved from being a geeks-only topic to becoming a regular part of every newspaper, TV news bulletin and social media feed. It now also affects the stock price of a company, as breaches are happening every day and everywhere. Movies (from Die Hard, Mission Impossible, The Matrix and Avengers, or even WiFi Ralph) and TV series (Mr. Robot, Scorpion, Blacklist and Black Mirror) show infosec topics embedded in the plot in a very engaging and realistic way.
Personally, we find this trending field a playground for ideas and challenges, where we can freely propose, research and finally improve. As in any other area, there are some trends and movements to keep an eye on.
The global information security team
Meet the team from left to right: Marty is Delivery Hero’s Chief Information Security Officer (CISO). He manages the scope and resources of the team and negotiates the priorities for both Delivery Hero central and our brands around the world. Mike is a Network Security and Monitoring Expert, Caglar an Ethical Hacker, and Lars a Security Generalist. All of them work in incident response and incident management too.
After talking with the team and learning about their backgrounds, we confirmed that anyone can become an infosec team player and have a great career, as long as they are really interested, curious and resilient.
What do they do as a team?
The team showed us how challenging, dynamic, complex and wide-ranging information security is at Delivery Hero and also demonstrated some clever ways in which they make progress. There is plenty of scope for cooperation across areas like:
- Regulatory and legal
- Governance, risk and compliance (GRC)
- Technical issues
- Mergers and acquisitions (M&A)
- Incident management
- Training and awareness
- Physical security
- Access management
- IT and helpdesk
Achieving great results requires involving everyone in the company and improving on a regular basis. Adopting a recognized framework such as NIST CSF (identify, protect, detect, respond and recover) or ISO/IEC 27001 (the plan, do, check, act cycle, PDCA) is recommended for such a task, as it gives the entity the tools for a 360 degree view of the business and enough flexibility to adapt as needed.
We had the chance to see the team in action, responding to some recent incidents and helping other brands in the process by stopping similar threats from happening in the future, a great example of knowledge sharing in order to stay ahead of the threat. They also work on the daily tasks of their sprint and on their OKRs.
We shared with the team our experience of having an ISMS and a data protection plan in place at Domicilios.com. It is accepted and used by everyone at the company, mainly thanks to the support of senior management and the openness of everyone to welcome change.
We shared some technical achievements from Domicilios.com, like integrating security monitoring into our continuous integration pipeline, so that the Security Monkey total score can be tracked after every deployment on a Grafana dashboard. This is a step towards a strong DevSecOps approach at Domicilios.com.
We shared some results about fraud and account takeover (ATO) prevention, and we learned from DH Global infosec about other cool automation and data analytics already in place in the team.
Are other areas involved?
As information security is a company-wide matter, we also had additional meetings guided by Marty, with leaders in the field of:
- Identity management, Single Sign-On (SSO), flows automation, two-factor authentication (TFA);
- Search and discover (data aggregation and anonymization);
- Global payments (PCI-DSS and fraud);
- Data protection (useful tools that can be used eventually with entities outside GDPR scope to automate and improve processes);
- GRC – We already worked with Larry Herzog, Senior Director of Internal Audit, this year and we were the first entity to perform an internal audit.
We shared some of our concerns and thoughts on challenging topics related to information security and how we are managing them at Domicilios.com. We also learned about interesting challenges that they have already solved, or that we never imagined could be an issue at all, because sometimes we assume that everything works perfectly.
So what is the direction of information security?
With new product features and initiatives being released faster than ever, more people joining the company, sales skyrocketing year over year, cyber attacks increasing in every industry, stricter regulations with bigger fines, and a scarcity of information security experts, here is some advice for infosec enthusiasts, based on our experience at Domicilios.com and what we saw in the central team. The following applies to global and local brands alike:
- Each member of the Global Security Team has a key role to provide visibility and to help different teams and entities make improvements to their processes, code and infrastructure.
- A CISO should ideally be at C-Level to get more visibility and relevance for the security issues.
- Train people and give them the tools to embed security compliance into their job, and developers deserve deeper technical security training.
- Make everyone responsible for their decisions; after all, we all are security!
- Implement automation for the discovery and remediation of vulnerabilities as part of CI/CD and the SDLC.
- Make every employee aware of their responsibilities and of their behavior in real time, and teach them how to improve and solve any issue by themselves.
- Include security expertise from the start, so that services, components, infrastructure and so on are robust, fast, resilient, secure and privacy-preserving by design and by default.
- Learn a lot about the business goals: becoming a domain expert is mandatory to be a successful security professional in the tech industry, besides being agile and feeding the hunger for more technical knowledge at the speed of our deliveries!
- Security at Delivery Hero can be fun! They can be real Heroes for everyone!
If you are interested and want to join a world-class security team, go for it and have a look at our openings.
BONUS: Anything else to do beyond work?
As work was only one part of our visit (a very important one if our manager is reading this), we participated in the annual technology meetup known as Novemberfest. It was a great place to eat and to drink traditional Bavarian food, see traditional Bavarian costumes, and listen to traditional music while everybody sang and danced with a 1-liter glass of beer in their hands and a smile on their face. We met more people from the tech team with different nationalities, roles and entities, and shared some jokes.