Diana Birsan interview: Why the right culture matters for online security

Culture matters

Recently GoDaddy attended the European Women In Tech Event in Amsterdam.

There, we interviewed Diana Birsan, technical programme manager at Shopify.

She talked to us about adopting security-aware behaviours and best practices, and also gave advice for women looking to start a career in tech.

Can you introduce yourself?

Sure. So just recently I switched into a role. I’m a technical programme manager at Shopify. I deal with a lot of the authentication services for our merchants and for our employees, so we’re currently working on a lot of those systems. I also deal with awareness advocacy at the company, now more related externally than internally. But just finding creative ways to motivate people to be more secure in ways that fit our culture at Shopify.

Why is it so hard to get people to follow best practices when it comes to security issues?

I say this to everyone and everyone laughs because they think it’s my like tag line now. Security isn’t sexy, right? So I think that something that really holds people back is it’s complex. There’s nothing out there that’s gonna really give you a great checklist, a great like feeling of understanding “if you do these things you will become more secure”. And I think every company is working separately to try to do as best as they can. So because then the message is muddled I think a lot of people don’t really understand the impact that can have, and if we had more of a general kind of guideline to it, it might make people understand the “why?” better. And I think a great example is considering multi-factor authentication. It’s called two-factor, it’s called two-step, it’s called whatever by every single company. It confuses people and I think that confusion leads to “well I’m going to take the easiest path” so that’s probably the biggest problem.

What’s the biggest thing businesses get wrong when it comes to improving security?

That one’s tough because it’s really deciding on the type of business that you’re dealing with. So businesses that are sort of really established, they’ve been around for several years, they’re very much of the mentality that “if I lock things down then I will prevent bad things from happening”, right?

But what happens there is that you’re not trusting your employees to do the right thing, you’re not trusting them to make active decisions and you’re not giving them the tools that they need to succeed in protecting themselves.

So locking things down will limit certain things but, for example, your employees will still get emails and if education isn’t given to them they’ll still click the phishing emails, they’ll still get malware and all these kinds of things.

Where I think we need to start thinking more along the lines of how human beings think about these problems rather than “if I lock these down it’s never gonna be a problem again”, which has never been the case. I think businesses that are very established keep doing that, smaller businesses I think this is becoming a little bit more common to think about culture.

What techniques can be used to boost security awareness in small teams?

I think what I talked about at the conference was using some tactics like gamification and using tools like, when a crisis happens you have the ability to impact people and rally them, get them excited to make some changes. I think that whole idea of making security sexy, so gamifying it, making people really feel like they’re achieving something, and being intrinsically motivated to make a difference is really what drives change in behaviour.

It takes a very long time, and unfortunately it’s a very long term commitment that you have to make, but if you are the kind of company and the kind of small team in business that wants to succeed in the long term, then I think those kinds of steps of really thinking creatively on solving the problem, rather than just automating everything and letting machines do it for us, that’s going to really make an impact.

Do you think more could be done by public bodies such as governments and schools to boost security awareness?

I am a strong advocate for this, and I myself have participated in helping a colleague build a security training for seniors, so 65 and over. I think that we took that on ourselves individually just because we thought we could make a difference and I would love to see just small simple ways to engage the community. Whether it’s through schools, whether it’s through programmes. I think that it makes a big, big impact in the long term.

Another example that I think would be really helpful is making an impact in schools. Whether it’s you know children that are between 10 and 18 let’s say, getting them to not only realize that security is important and their privacy is very important but really get them excited by teaching them some really, really cool things like learning to hack something. I think hacker culture is something that everyone finds really fascinating and giving them sort of an outlook of how it is, and an outlook of how you can lose your identity, how bad things can happen. Having courses like this will engage people at a young age and give them an opportunity for protecting themselves in the future.

What advice would you give women looking to start a career in tech?

So I mean my history in tech is very broad. I started in film and I was a sound engineer, for a little while, for probably four years. And honestly, at the end of school I didn’t know what I wanted to do, so I pursued the thing that drove me the most. I’ve taken my career constantly in sink or swim situations where I just throw myself in.

I say “I’m gonna give it a try”, if I fail then I will accept that as you know education for furthering my career and I think the best advice I can give is sort of this idea of failure should be part of the growth opportunity, and joining tech should not be this scary kind of beast that you can’t conquer.

I think it’s a confidence thing; we’ve heard it in this conference constantly that women are very not confident about their skills, the level of their skills. The biggest impact I think you could have is really starting to get more aware of how much confidence you should have in yourself and just to throw yourself into situations.

And did you have a mentor?

I had a mentor when I used to be in IT. I think that I was extremely lucky. She taught me a lot about what it means to be in tech. She also challenged me a lot in that sense, where it wasn’t “a hold my hand and do things” it was a “I’m gonna throw you a problem and you’re gonna sit on it and think about it for a little while and I’m sure that you’ll come to an answer”. But that belief in me to be able to get to this answer as myself was something that really drove me and helped me in the rest of my careers after I left the IT industry.

And since then I also became less afraid to ask questions to people and find mentors, you know whether it’s a short-term project-based mentor or not. I was less afraid of that because I’m like “you know what like the worst thing they can say is ‘well I don’t know’ or ‘that’s a stupid question’”. And then I walk away going “that’s alright, I’ll find the answer myself somewhere else”.

What changes would you like to see from organizations to help support women in tech?

So at Shopify we have employee resource groups. So they work really well for us because they create like small little opportunities for growth. We have like luncheons with leadership and it gets women engaged in these, and it’s not just women resource groups, it’s various other kinds of resource groups. I think those were created by our diversity and inclusion team, and by employees that were really passionate. I would love to see more of those initiatives being powered by top-down kind of thing. We do see a lot of smaller companies now really caring about diversity, but in larger companies that can easily be lost because everyone’s too busy working on the product. Seeing more of those initiatives would be really great and I think they do make a difference.

And how has the environment for women in tech changed over the course of your career? Are things better or worse?

It’s crazy because the environment’s so different from film to the programme management that I’m doing. I’m still, I’m a programme manager now and I deal with a lot of product teams at Shopify and more often than not I’m the only woman in the room still. I wish I had the numbers to tell you whether it’s improved or not. I have gone through so many different changes in my career that I haven’t stuck around long enough to determine if it’s made a major impact, but what I have seen, especially when I was in IT, was by the end of me switching roles to security I think we had five times more women in it than when I started because our company grew so quickly. I can’t tell you why that happened but I was really grateful that women were engaged in IT careers and were less afraid of it being like this challenge they couldn’t overtake, or you know the fear of men knocking them down or whatever the case. I’m just really grateful to see like there’s been a boost in my experience.

What do you imagine the tech industry will be like for women in 20 years’ time? Do you think things are currently on the right track?

I think they are. This conference, I was here two years ago, and it was probably around 200 women, a few men. I think it’s on the right track but I think we still need to engage more male advocates to actually rally for our cause. What we’re doing here I think is very much like preaching to the choir. The women that attend these conferences are passionate about the issues, passionate about diversity but when you see European Women In Tech a lot of men don’t feel comfortable joining and like understanding that you know they’re invited and they’re welcome. And I think the more we diversify these conferences as well and like these initiatives that we have and maybe still have these really great rooms for women to just be with the other women and you know talk about problems, I think that that’s also going to increase what we see in 20 years.

I don’t know what I see 20 years from now for the future of tech because, I mean, I was just in a talk where they were talking about the error rate for telling the weather and how it’s almost next to impossible to tell the weather three to six months from now and I think that that’s the case here. Like you have statistics that are increasing over the years but it’s really gonna be hard to see. I’m just hopeful that eventually it will create a major impact and we have more role models that are women engaging younger girls and the whole thing is about building for the long term and making changes that impact us ten years from now. If we keep up the initiatives that we have I think that we’re gonna see an exponential growth 10 to 15 years from now.

Juliane Mueller
Juliane is a proud member of the GoDaddy family and leads the content marketing efforts for the EMEA region. Before joining GoDaddy, Juliane worked in several marketing roles for Host Europe and on an online game project for the Ministry of Education in Germany. When she’s offline, she relishes any kind of sport, traveling, concerts and explores her adopted country, the UK.