Defining Cedar's Security Values
Several years ago, the Cedar Engineering Team defined a set of values to create a clear framework for decision-making as we scale up. Those values help inform our approach to continually improving our products like Cedar Pay and Cedar Pre or introducing additional products like our Affordability Navigator and our multi-cloud AI solutions. Our customers and their patients trust Cedar with a ton of sensitive and regulated data. Security and resilience are integral to what we do.
We’ve maintained a rigorous security program, including maintaining HITRUST certification since 2017. Aaron Zollman joined as CISO in 2019 to build a modern security program, structured around the latest threats and technology, that builds security into the core of our platform. The team has grown in size since then, with 40+ team members across security and platform.
One of Cedar’s engineering values is “explicit over implicit,” and in this spirit we’ve decided to publicly codify our security values as well—to align current Cedarians and help guide anyone looking to join the team in the future.
The Process
Cedar’s security values draw inspiration from a variety of sources – Amazon’s Security Tenets (as outlined by Eric Brandwine at re:Inforce 2021), GitLab’s Security Vision and Mission, and the Threat Modeling Manifesto. While these all come from groups very different from Cedar, they were helpful guides when capturing the values that work best within Cedar.
When we originally started outlining Cedar’s security values, we wanted to make sure the process was open and deliberative. We started with unstructured discussion, influenced by CultureIQ’s “A Guide to Defining Your Company Values” and Greenhouse’s “Exercises to help you achieve a cohesive company culture.” Every member of the team was asked to suggest values or principles they felt were important. People were encouraged to consider both our current culture and what they saw as our ideal team culture. Throughout the process, there was a clear bottom-up focus on how we work with the rest of the company.
After gathering the raw data from the team, we refined these thoughts into concrete values. Our main focus was defining actionable values, ones which we’ll be able to operationalize as we scale up the security programs. This means values that will hold true in many years to come, inform our hiring, and guide decisions we have to make every day as individuals and a team.
Cedar’s Four Security Values
Explain why, with empathy
Scaling any company requires constant prioritization. In our work, and especially when we ask other teams to do work on our behalf, we need to provide and document the context for our recommendations. We trust teams to exercise good judgment when given the right context on risks. Where possible, we collaborate with teams to maximize their optionality for reducing identified risks. We embrace dialogue on our reasoning in the spirit of “Reject Mediocrity” and Learn/Share/Help.
Make it simple and scalable to be secure
Our partners across Cedar have their own day-to-day responsibilities to make the company successful. Just to build the product, we do not ask them to do work that requires multiple steps or assumes deep security knowledge. We make tools, documentation, and processes that are easy to use, and we use automation and security-as-code to make systems as efficient, reliable, and maintainable as possible. We design business processes with the user experience in mind. We automate our own repeated work for simplicity, repeatability, and transparency.
Be pragmatic and decisive
We build cross-functional relationships by giving actionable guidance informed by business risk on timelines useful to a fast-moving business. Security is a problem of imperfect information. Getting stuck waiting for more information, more thorough analysis or unnecessary approvals just trades one speculative risk (of missing an important threat vector) for another real one (that we prevent the business from solving clients’ needs within an effective time frame).
To “Focus on the Vision,” we apply this same lens to security investments of all kinds. When the work is undifferentiated, we move faster by building on prior art and buying from aligned vendors who can help us reduce risk today. We invest in the people, tools, and partnerships that deliver specific near-term security outcomes and long-term benefits.
Security is everyone’s (distributed) responsibility
At Cedar, every employee shares the commitment to keep patient data safe. The Security group leads the security mission, and we rely on Cedarians’ good judgment and subject matter expertise to build and service the best patient-centric healthcare platform. The Security team’s responsibility is to equip others with the tools and guidance they need to best protect patient information. We help people make good decisions by providing them with timely information that educates them about risks, puts their work in context, and supports them in operating securely on their own. We empower teams to own their own risks through strong guardrails, approachable standards, pragmatic guidance, and ongoing partnership.