Mozilla's Window Snyder: A CISO With A Different Agenda

Mozilla's Window Snyder isn't your average security chief. For starters, her title is "chief security something-or-other" (yeah, it's on her business card). It befits her wide-ranging role at Mozilla, which is responsible for open source projects such as the Firefox Web browser and Thunderbird e-mail client.

Like other CISOs, Snyder develops the company's internal security strategy. Unlike most others, she's also charged with communicating its security strategy to the open source community, working with Mozilla engineers to develop security features for the company's products, and establishing a rapport with external security researchers who analyze the security of Mozilla's software.

"The strength of Mozilla is absolutely the community. We have to make sure they know they're being heard," says Snyder, who joined Mozilla last August from Matasano, a security services firm. "Where's the corporation if the community doesn't agree?"

Among Snyder's credentials is a three-year stint with Microsoft, where she introduced the Blue Hat program, which opened a dialogue between Microsoft developers and outside security researchers. Now she must summon all her collaboration skills in reaching out to the open source community. "We don't go out and hire a bunch of developers to solve a problem," says Mozilla VP of engineering Mike Schroepfer. "There are lots of advantages to the open source model, but one of the challenges is it's a distributed group of volunteers. You can't just bang your fist on the table and tell them they've got to make their numbers."

One of Snyder's goals is to find ways to communicate complicated security requirements to those programmers, who are also the company's end users, without them tuning out. "Software development in general needs to make it easier on end users and come up with security that doesn't require users to make security decisions," she says. "That's one of the biggest issues we're dealing with at all levels at Mozilla."

Threat modeling is a big part of Snyder's approach, a process to identify entry points, targets, and assets--"a complete picture of what an attacker will go after," she says. "I can say, well, we're worried about everything, but in a project that's millions of lines of code, you need a productive way of knowing where to focus first."

Return to the story:
Cigna's Craig Shumard: One Man's Security Mission Continue to the sidebars:
PayPal's CISO's Psychological Warfare
and
PCI Standard Drives Some CISO's Work This Year