Slack's CSO calls for industry-wide security transparency

Slack's security head has doubled down on transparency within his organisation and wants to see his competitors follow suit.
Written by Asha Barbaschow, Contributor

Cloud-based collaboration tool Slack is in the business of making work life simple, but the startup darling's chief security officer Geoff Belknap is in the business of making sure this comes with an unsurpassable level of trust.

The route Belknap has taken is one of honesty, providing Slack's customers with as much transparency as possible -- which means divulging as much information as possible.

"The reality is -- from our perspective -- trust is about a constant open conversation," Belknap said.

"Trust is not: 'Well, they've probably got it covered'. That is not a reasonable process. The more we talk about it, the more we have these conversations ... the better that is for everybody."

Speaking with ZDNet in Sydney, the CSO explained that his role as the company's security head sees him constantly think about both the customer and the end user when protecting the platform and how to securely store data. Belknap said being transparent is often difficult, however, as a lot of people do not comprehend the benefits in highlighting something like a security breach.

"In our case we've been very open about how our bug bounty works, how the features work, what features we have, and I think in some cases it's very difficult, and it's almost a little bit risky, to bet on transparency -- my hope is long term that this is the right bet," he explained.

"I think at our end especially sharing more information, being transparent, and being direct about what we're doing and how we think about it, in the long run is beneficial and actually protects people.

"I'd love to see some of our largest competitors go that route as well."

Belknap feels it important for cloud providers -- startup or not -- to show security is at the forefront, noting consumers tend to hold a presumption that an established software company is secure.

"If they've been in the market for 10 or 15 years, they get a default pass on a lot of things which is probably undeserving, and not so safe if you're making those assumptions. At the same time, I think there's an extra onus on newer technology companies to establish that they care, that they're taking due steps, and that they are going to protect customers' data," he said.

"I think the onus is on people like myself to make sure that we're actually doing things to protect customers' data and to explain to them what we're doing and how we're doing that."

Earlier this month, Slack revealed that it had fixed a security flaw that let hackers steal user authentication tokens used to gain full and complete access to accounts and messages.

The vulnerability was luckily found by a security researcher, who scored $3,000 from Slack for highlighting the oversight.

Belknap is of the opinion that a breach at any cloud service provider -- even his competitors -- hits his business, as the stigma attached is often hard to shake from public perception.

As a result, Belknap is on the Bay Area CISO council, which sees 50-odd security heads from Silicon Valley's tech organisations get together to exchange information.

"It's all the cloud providers that everyone is trusting," he said. "One of us being left unsecure hurts everyone."

Slack currently boasts 4.9 million daily active users, including 1.5 million paid users.

The California-based startup also employs 650 people across eight offices, with Belknap recently going on a hiring spree, bringing in staff to cover security, operations, engineering, product security, incident response, compliance, regulatory, and risk areas.
