Defining Cedar's Security Values

In 2020, as Cedar crossed the hundred-employee milestone, the engineering organization minted our values to ensure we had a clear framework for decision-making as we scaled. Since then, Cedar passed 500 employees, celebrated a 5th birthday, became a unicorn and joined forces with OODA Health. Today, our customers and their patients trust Cedar with a ton of sensitive and regulated data. Security and resilience are integral to what we do.

Since Cedar was founded, we’ve maintained a rigorous security program, including maintaining HITRUST certification since 2017. Aaron Zollman joined Cedar as CISO in 2019 to build a “modern security program structured around the latest threats and technology that builds security into the core of our platform.” I joined in 2020 as employee 150 and have been lucky enough to watch our security team almost triple in size.

One of Cedar’s engineering values is “explicit over implicit,” and in this spirit we’ve decided to publicly codify our security values as well—to align current Cedarians and help guide anyone looking to join the team in the future.

The Process

During a recent team offsite, we put aside time to brainstorm the values that could shape our organization through Cedar’s next phases. To seed the discussion, I brought in a variety of inspirations—Amazon’s Security Tenets (as outlined by Eric Brandwine at re:Inforce 2021), Gitlab’s Security Vision and Mission, the Threat Modeling Manifesto, and the Mindsets & Principles from my friend Clint Gibler’s DevSecOps State of the Union. While these are all different groups than Cedar, it was helpful to get the team thinking about where these values resonated and conflicted with our idea of a security organization.

We then had a relatively unstructured discussion, influenced by CultureIQ’s “A Guide to Defining Your Company Values” and Greenhouse’s “Exercises to help you achieve a cohesive company culture.” Every member of the team was asked to suggest values or principles they felt were important. People were encouraged to consider both our current culture and what they saw as our ideal team culture. Throughout the process, there was a clear bottoms-up focus on how we work with the rest of the company.

After gathering the raw data from the team, our security leadership refined these thoughts into concrete values. Our main focus was defining actionable values, ones which we’ll be able to operationalize as we scale up the security programs. This means values that will hold true in five or ten years, inform our hiring, and guide decisions we have to make every day as individuals and a team.

Cedar Four Security’s Values

Explain why, with empathy

Scaling any company requires constant prioritization. In our work, and especially when we ask other teams to do work on our behalf, we need to provide and document the context for our recommendations. We trust teams to exercise good judgement when giving the right context on risks. Where possible, we collaborate with teams to maximize their optionality for reducing identified risks. We embrace dialogue on our reasoning in the spirit of “Reject Mediocrity” and Learn/Share/Help.

Make it simple and scalable to be secure

Our partners across Cedar have their own day-to-day responsibilities to make the company successful. In order to just build the product, we do not ask them to do work that requires multiple steps or assumes deep security knowledge. We make tools, documentation, and processes that are easy to use and use automation and security-as-code to make systems as efficient, reliable and maintainable as possible. We design business processes with the user experience in mind. We automate our own repeated work for simplicity, repeatability and transparency.

Be pragmatic and decisive

We build cross-functional relationships by giving actionable guidance informed by business risk on timelines useful to a fast-moving business. Security is a problem of imperfect information.  Getting stuck waiting for more information, more thorough analysis or unnecessary approvals just trades one speculative risk (of missing an important threat vector) for another real one (that we prevent the business from solving clients’ needs within an effective time frame).

To Focus on the Vision, we apply this same lens to security investments of all kinds. When the work is undifferentiated we move faster by building on prior art and buying from aligned vendors who can help us reduce risk today. We invest in the people, tools, and partnerships that deliver specific near-term security outcomes and long-term benefits.

Security is everyone’s (distributed) responsibility

We rely on our partners’ good judgement and subject matter expertise and equip them with the tools and guidance they need to make decisions that maintain patient safety. Wherever we can, we help people make good decisions by providing them with timely information that educates them about risks, puts their work in context, and supports them in operating security on their own. We empower teams to own their own risks through strong guardrails, approachable standards, pragmatic guidance, and ongoing partnership.

Rami McCarthy

Rami McCarthy

Rami McCarthy is the tech lead for Security at Cedar. He previously worked with NCC Group to assess & secure multiple Fortune 500 and most of the Big Five tech companies.