Security teams often get a bad rap. They can sometimes be seen as ‘blockers’, the ones who seem to slow everything down, issue restrictions, and argue with engineering about why a product can’t launch tomorrow. To compound this, traditional security teams often lack the engineering expertise necessary to fully understand and support the development process. And let’s face it — this approach isn’t just ineffective; it’s outdated.
But at Cresta, we’ve flipped that script. Our security team is not your average compliance-driven, process-heavy group of generalists. Instead, we’ve built something entirely different, engineered to empower the business and redefine what a security team can do.
What makes Cresta’s security team different?
Here’s the biggest differentiator: Our team is entirely made up of engineers. We don’t have generalists on the team, and we don’t have leadership that only knows security theory without understanding product development. Every team member is hands-on, technical, and part of the solution, not just the gatekeepers.
This means that Cresta’s security team is actually building and contributing to the product itself. Does a customer need two-factor authentication (2FA)? Our security team delivered this. Customers asking for audit trails? Delivered by us. We’re not a group sitting on the sidelines hoping that security can be squeezed into the development process at the last minute. We’re in it from the start – designing, building, and shipping security features that not only protect Cresta but, most importantly, strengthen our product for our customers.
Security as an engineering discipline
At Cresta, our approach is that the security team is not just a security team, but also an engineering/product organization. Our team is structured like an elite engineering squad, composed of security engineers, including a full-stack engineer.
This approach allows us to move fast without compromising security. We’re a small, agile, and highly talented team that doesn’t have to push work over the fence to engineering or product teams to get things done. We own product security from design to release, and it’s that level of control and autonomy that lets us develop security features faster and with more precision than traditional security models.
Breaking the mold
Cresta’s security team is deeply embedded with our go-to-market (GTM), product, and engineering teams, forming partnerships that unlock and speed up the business, rather than slow it down. We’re not blockers, we’re enablers. Because we work so closely with these teams, our security initiatives don’t sit in the backlog for months, waiting for resources to free up. We build, implement, and release them ourselves.
For example, when a customer needs a new feature to meet specific security requirements, we’re a dedicated team that is able to prioritize and deliver it right away. This becomes a competitive advantage, especially in an era where customers are increasingly concerned about and prioritizing security when selecting vendors.
Security by design: A new standard
We design with security in mind from the very beginning, refusing to make security an afterthought at any stage of the process. This is a core part of our product approach, ensuring that everything we build is secure by design. And that’s not just about processes or procedures – it’s reflected directly in our product.
We don’t simply comply with security standards because we have to; we lead with them. We see compliance not as a burden, but rather as an opportunity to build trust with our customers. And as security threats evolve, we don’t just react – we innovate. Our team is constantly finding new ways to improve security in the product, which means our customers benefit from the highest standards without even needing to ask.
Hiring engineers, not ‘security experts’
According to a recent Forbes article, we are experiencing a ‘cybersecurity talent shortfall’ with up to 3.5 million cybersecurity jobs vacant worldwide in 2023. At Cresta, we don’t see it quite so much as a shortage problem; we think it’s a hiring problem. Most companies are looking for security experts who may not have the engineering background to do the actual work. Our approach is to hire engineers who both understand security and want to build. Our security team builds internal solutions and works with external security vendors to drive roadmaps and implement improvements.
That’s why you can apply to our security team even if you’re a software engineer or a full-stack developer with an interest in security – in fact, we highly encourage you to do so. Here you’ll still get to do the engineering work you love, but with a security-first focus.
The inside scoop
Hear from Sergey Kruk, a member of our security team, on his experience:
It has been 7 months since I joined the Security Team at Cresta. After more than 15 years of software development it felt like a career pivot. At the same time, as a Software Security Engineer I’m able to do many more things that I enjoy doing than I imagined. Here are three things that I find great about the way we do things here.
- We use detection as code. This allows me to fine-tune the rules to fit our setup instead of mass-dismissing useless alerts. We also gather those alerts from all the services into a single channel. If it doesn’t have a ready-to-use integration, it becomes a small engineering project, which I enjoy implementing. If it has anything other than a web UI, it can be funneled into our SIEM and improve the SecOps experience.
- We set up all of our tooling using the same IaC flow engineers use for managing the product. After just half a year I found myself among the top 10 contributors to the infrastructure codebase. This also means that we eat our own dog food when it comes to policies we subject our Engineering to.
- Speaking of policies, we also work in the product code. Like all other Security Teams in the world we do ask Engineering to fix things, but we also can work on fixes and product features ourselves. I don’t believe I saw this anywhere, but I find this very cool. Knowing the insides of the product allows us to better triage AppSec findings before talking to Product Teams.
This hands-on approach gives us the overview which I feel is often lacking in a Security Team. I definitely enjoy having such a perspective. It also reduces noise when it comes to what we ask other teams to do. Working across multiple teams brings me joy and I think improving processes at the boundary between Security and Engineering is very useful in the long run.
The future of security engineering is here
The way we see it, security is more than just safeguarding against threats – it’s a strategic advantage and organizations should treat it as such. At Cresta, we’re building a modern security team that does more than protect the company. We’re shaping the future of our product and strengthening our relationships with customers by ensuring that security is a priority from day one.
If you’re looking for a place where security isn’t an afterthought, where your skills as an engineer are sought and valued, and where you can contribute directly to building a more secure future, Cresta is the place to be. Let’s build that future together.
Want to join a security team that’s doing things differently? Check out our careers page and see how you can be a part of Cresta’s next chapter.