Rapid7 Information Security Team

Additional Info

Job title of nominated professional (or team name): N/A
Company (where nominated professional or team is working): Rapid7
Website: http://www.rapid7.com
Company size (employees): 850
Country: United States

Overview

Rapid7 is a hyper-growth company, placing constant demand on its infosec team to grow its internal security program alongside the business. This team’s work is critical to protecting Rapid7’s employees and customers, including Fortune 500 enterprises and government organizations. This team doubled in size over the course of 2016 but did not rely on headcount alone to increase output. A focus on automating key processes has significantly increased the team’s productivity and improved Rapid7’s overall security posture.

One process improved by automation this year was quarterly access reviews. Manual access reviews were extremely time-consuming, left room for error, and didn’t scale with the company. To combat these issues, the team developed a completely home-grown tool that automates the process. In addition to saving a security analyst 30+ hours per quarter, this tool makes it easier for application owners to see a “big picture” view of who has access to their applications, making the review more effective. This is just one example of the many automation projects carried out this year – in 2016 the team also automated much of its vulnerability management process, phishing analysis, company policy acknowledgements, and cloud security benchmark monitoring.

This team also stands out through its contributions to Rapid7’s roadmap. As a security team at a security company, this team supports the Products organization by ensuring security is built into every aspect of Rapid7’s solutions, and by continuously providing feedback about their day-to-day use of Rapid7’s solutions as an “internal customer.” Sometimes these contributions are even more direct: this team recently drove a very exciting proof-of-concept (PoC) integration that is currently being implemented in Rapid7’s platform. The PoC demonstrated this initiative could ultimately save 3,000+ developer hours.

Accomplishments

• Rapid7’s information security team does not settle for the status quo. This group is always looking for new, creative ways to automate security workflows and improve existing processes.
• This team stands out in its ability to work cross-functionally, closely collaborating with all parts of Rapid7’s business. They’ve worked tirelessly to build a strong rapport with employees, who need to feel comfortable reaching out to the team with concerns or questions. They work closely with the Products organization to contribute to Rapid7’s core business offerings; with IT to secure Rapid7’s corporate infrastructure; with Sales to help customers and prospects understand how Rapid7 will protect their data; and with Marketing to ensure collateral is accurate, relevant, and useful to security practitioners. The team’s responsibilities and contributions across the organization go far beyond those of a traditional information security team.
• This team is committed to trust and transparency, both within Rapid7 and across the security community. At Rapid7, the team builds trust by driving industry-standard security audits done by third parties and by directly interfacing with customers to support their security assessments of Rapid7 as a vendor. Additionally, the team has developed an internal pentesting program that leverages Rapid7’s in-house penetration testing, security research, engineering, and offensive security talent to conduct specialized, targeted pentests of Rapid7’s environment. The team is becoming more and more involved in the security and IT communities, with team members speaking at local and national events, serving as board members, hosting meet-up groups, teaching community college classes, and contributing to several open source projects.