Skip to main content

Team Building @ Riot

Back in early July 2015, on a uniquely dry Thursday evening, the Riot InfoSec team ran a small meet-up at our new Dublin office as I previously mentioned here.



The goal of the event was to engage with the local security community, several of whom are also huge League players as I noticed by negative KDA :'( My main memories of the gaming that night being constantly head-butted away by 60 minute Alistair (also spamming his heal) and an extremely fed, axe-wielding and catching Draven, killing at will.

As a team, we felt that the event went well and it seems to have been well received by those who attended. My talk was about the lessons that I have learned from hiring a team into Riot Engineering, which is the first time I've ever had the opportunity to build a team from scratch. It's not only be incredibly educational and exciting, but also humbling as I've had phenomenal support from so many folk in both the Dublin and LA :)



Given there's probably quite a bit of context missing from my talk (if you only look at the slides here) followed the format below:

  • Who I am and who Riot Games are
  • Set context on Riot, League of Legends and the security challenges we face
  • Levelling up the team
    • How I went about it
    • What mistakes I made
    • How I learned
    • That "exciting" feeling when you interview a game-changer
    • How we've improved the process and continue to improve through
      • being data-informed
      • conscious of bias
      • training
      • incorporating practical elements
    • Team (alignment)
In addition to the presentations, we also showed off some tools that we've written to help raise that security bar.



Given we are a diverse team, split across multiple countries and timezones, with different backgrounds, alignment is a challenge because we are all ultimately remoties. As a result, we are always thinking of how we can improve in terms of communication, collaboration and yes, alignment. We took the opportunity with the open-evening event to bring over many of our North America-based InfoSec team to

  • hang out for the week
  • deliver some cool awareness and social hacking presentations to the Riot Dublin office
  • build a lego deathstar (yes, a deathstar :) )

Sadly, one of our Darth figures was stolen and taken back to St Louis by a malicious insider :(




All feedback on the slides is greatly appreciated.

Hopefully the next meet-up will be in early 2016. If there's anything in particular you'd like to hear about at the next meet-up, let us know (@markofu or @davidrook).

If you want to help level the team up, we're still hiring (multiple locations), so please reach out!!!

Comments

Popular posts from this blog

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: http://half-bakedbaker.blogspot.ie/2009/11/cannoli-and-broken-computer.html As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a

MongoDB Authori(s|z)ation

Introduction Having answered numerous questions on the new and old authori(s|z)ation within MongoDB, I thought I'd write a short blog post explaining how things work as there seems to be some confusion. What's New Prior to version 2.4 , there was a very basic sense of "Role Based Access Controls" (RBAC) within MongoDB as there were only two roles - read readWrite which is quite limited. For example, if the user has "readWrite", that user is essentially "root" and the user can add/remove users as well as inserting data into the database, i.e. there is no role segregation. Version 2.4 added in the following 3 core roles - userAdmin dbAdmin clusterAdmin with a notable extension such that there are now 4 roles that apply across all databases - readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase dbAdminAnyDatabase This increased RBAC is a significant improvement from a security perspective in MongoDB. It is imp

Start-Up Security

After many years in Security @ Riot Games and eventually putting the "s' out there, I recently decided to jump out of my comfort circle for a new challenge and joined a   start-up   (yes, I left a comfortable, stable job in a pandemic, lunacy lol). Now that I've been here almost 6 months, I wanted to share some findings because security at a start-up is significantly different.  When you join a start-up, there's going to be so much that you can do and it will be incredibly easy to "boil the ocean", and try to fix everything. At best, this guarantees failure for the Security team, at worst, alienation from the engineering and product teams. There are some obvious quick wins that a Security team can make without slowing down iteration and innovation speed, while also reducing risk: Auth  Partner with Engineering/IT/CTO such that there's alignment on Security owning all things "auth(n|z)".  As part of this ownership, you need to be prepared to resp