Google Security. PHOTO: Cybercrime Magazine.

How Google Builds Its World Class Security Team

Heather Adkins on a readiness to fail, teamwork, and resilience

David Braue

Melbourne, Australia – Mar. 19, 2021

Few people who have had to manage a full-blown cybersecurity breach would likely describe it as “super exciting,” but that’s exactly how Heather Adkins recalls the one that changed her life.

Working at a small internet service provider decades ago, Adkins found herself scrambling to respond when the company’s Unix servers were hacked — but instead of getting worried, she found the experience enervating.

“Getting hacked was super exciting for me,” Adkins told Cybercrime Magazine, “and I decided at that point that was what I wanted to do for the rest of my life — to keep people from getting hacked.”

“Having had that early experience myself, directly,” she said, “I’ve always been very passionate about this idea of keeping people safe online.”

That passion has remained Adkins’ true north throughout a career that has taken her from studying biology at a Northern California university, to working at that small ISP, to being headhunted by Google in 2002.

Back then, she recalls, the security industry was still evolving organically, comprised of technology-minded individuals who were “moving from other fields into doing security full time, realizing how important it is.”

“It was a really exciting time,” she said. “You learned a lot about people, and you learned a lot about technology and how the two work together — and it’s interesting.”

That interest has continued to burn throughout two decades that have seen Adkins rise to become Google’s director of information security and privacy — putting her in the line of fire in a company that has become a global hotbed of thorny security and privacy concerns.

Cybercrime Radio: Getting Hacked Launches A Career

Heather Adkins, Director, Information Security & Privacy at Google

Cybercrime Radio

Teamwork means expecting to fail

As in any company, effective teamwork is critical for being resilient — but building a pervasive, resilient culture took time, even in a company as progressive as Google.

“When I look to the early days of Google, and I look to how the leadership showed up then — myself included — we were… not ready,” Adkins confessed, noting that years of growth had highlighted three key requirements for resilient teams.

The first is, simply, being ready to fail.

“Just admitting to yourself,” she explained, “knowing that you’re going to make mistakes and committing to failure — and committing to fixing things once they have gone wrong — was one of the most important lessons for me.”

Ensuring diversity of teams is also important, she said, because team members solve problems differently from each other — something that is crucial for helping security teams mirror the diversity of attackers they face on a daily basis.

The third key element in making a team resilient, Adkins said, is “people who are passionate about each other.”

“When you’re working in a crisis situation where everybody is potentially not feeling great,” she explained, “you need people who can lift one another.”

Cybersecurity leaders who can do those three things, she said, “can solve almost any problem — whether it be an innovative problem, or a strategic organizational issue, or even just a tactical crisis that gets thrown at you.”

“That’s how we build the teams at Google — and I’m really proud that we’ve been able to put the teams together that we have. If you get a good team together, and you have good support, you can get anything done — including recovering from some of these really terrible events.”

From curiosity to resilience

Ultimately, even in the best-prepared teams every cybersecurity professional will face the time their preparations are put to the test.

“But almost inevitably, if you are in the cybersecurity field, you are going to be a professional in the moment when something horrible goes wrong,” Adkins said, “and the first time that happens to you, it doesn’t feel fine.”

The real measure of resilience, she added, is how well cybersecurity professionals can navigate uncertainty that not everybody perceives in the same way.

“We’re seeing a lot of people come into the industry either directly from college or directly from related industries, like risk or insurance,” she explained, “but as people come into the security field for the first time, they’re not always coming into it with the mindset that ‘we’re actually here to clean it up when it breaks.’”

“A lot of people get into the field thinking, ‘how can we make it better ahead of time?’ They want to study authentication and authorization, and resilient systems, and security by default — which is fantastic.”

Yet for all their desire to improve cybersecurity, she added, building a resilient team becomes much easier if individuals motivate themselves to be resilient across many different aspects of their lives.

Being resilient “is probably the best skill set you can possibly have,” Adkins explained. “Apart from your knowledge, it is the ability to look at a situation and say, ‘this is terrible and ambiguous, and we don’t quite know what to do’ — and then to be able to come in and really lead in that situation.”

“If you can do that, you can solve almost any problem.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.