Shopify’s Andrew Dunbar runs a tight ship to help keep millions of merchants secure

With a remote and distributed workforce of over 8300 employees, Shopify CISO Andrew Dunbar believes it’s imperative to implement a disciplined and controlled approach to technology to help keep the millions of merchants that rely on the company’s platform secure.
His core philosophy around security is that a homogeneous platform approach helps maintain a consistent security posture across the company. Because Shopify is a remote company, he says it would be extremely difficult to stay secure in an environment where different teams were using different tools. To that end, he maintains rigorous oversight over everything from external vendors to programming tools, preferring to provide well-proven approaches rather than exploring every new thing that comes along.
He would also much rather have his engineers build something, and understand exactly how it was created, than rely on external products where he doesn’t always have that clarity and assurance. The same approach carries over to the Shopify platform itself: security defaults such as two-factor authentication are built into the products to reduce merchant risk to the extent possible.
Providing clear paths
Dunbar joined the company in 2012 when it was just 100 people. He was the first person in charge of security. Early on in his tenure, he made the decision to provide a set of trusted tools over letting people experiment. It was a bold approach in 2012 when we were smack dab in the middle of the consumerization of IT and the notion of bringing your own tools to work. It’s fair to say that he didn’t embrace that approach, even back then.
“Going back to the early days, one of the early decisions that we made was that we wanted to be a very homogeneous platform from the inside,” he said. The idea from those earliest times was to have a very clear vision of the tool set, whether it’s the programming language, the infrastructure or anything else, and he has stuck to that philosophy.
“We're very opinionated when it comes to tooling, and we keep a very tight circle of trusted vendors where we only allow one particular way to solve a particular problem. This is not a bring your own tech kind of environment,” he said.
They achieve this by settling on what they consider the best way to complete a particular task, so the engineering team can follow it, knowing that it’s a safe way to go. “We operate on a model that we call scouted paths, where we try to predict where people are going, and we build a way that they can get there using common libraries and common security safeguards,” he said.
A single security voice
Five years into his tenure, Dunbar took over the CIO role as well. This dual-role strategy isn’t unique to Shopify. As BILL’s Rink Sethi, who also has both titles, explained in an interview with FastForward last year, it is another way of taking the friction out of the building process when it comes to security concerns.
“So that friction goes away, because now if we want to prioritize security, we can remove roadblocks and say, ‘Okay, this is how I'm going to fund it or resource it’. And it's all managed in that way. Instead of having that constant prioritization discussion, it all falls under me,” Sethi said.
Dunbar has a similar view. “We use a lot of our IT tooling to drive our security framework, and so that allows us to not have to negotiate when it comes to what is the business need. When it comes to new technology, that's solved for us by having a consolidated view across all of that,” he said.
But it’s not just the combined role that lets him control security as tightly as he does; the entire company’s core focus plays a part as well. “We're a founder-led company, and we're a very engineering-focused company. We need to make sure that we have an environment for our employees that we call ‘an environment for safe innovation,’” he said.
Building over buying
In the calculus that all organizations go through when it comes to building versus buying, Shopify prefers to fall on the build side whenever possible, especially when it comes to security.
“We can build a lot of things ourselves. Our default within security and IT is that we use very few vendors for basically every component. Anything we do in security is built by us,” he said. But that’s not to say they never look at new tools; it’s just that when they do, they have a vetting system that allows them to quickly assess whether a tool is worthwhile before adding it to the stack.
“It’s about removing individual user choice, while allowing for global choice, and allowing us to take new things on quickly and deploy them,” he said. He uses the AI code editor Cursor as an example. “We heard about it, vetted it, got a contract in place, launched it company-wide and encouraged everybody to use it within about two and a half weeks.”
It’s impossible to operate a modern software company without some experimentation, especially when it comes to AI, but they always set up guardrails for testing new tools. “We have strategic bets where in a controlled way we're going to unlock this access, and then let people experiment when needed,” he said.
But whenever possible, Dunbar comes back to the default security state, where “we deliver common libraries, common infrastructure patterns, and then people use a very secure environment as they start any new service or project.”
Photo supplied by Shopify.