Interview: Shopify CISO Andrew Dunbar on Securing an E-Commerce Giant Against Cyber Threats

Andrew Dunbar was one of the first hundred employees to join Shopify, the Canadian multinational e-commerce company, when he joined in 2012. In the years since, he has worked his way up to lead the cybersecurity operation at Shopify as CISO.

Today, Shopify has expanded to over 7600 employees as it supports retailers and brands around the world with their online and point-of-sale services.

Global brands including Huel, Gymshark and Victoria Beckham’s fashion label are some of Shopify’s high-profile customers, while the platform is also used by millions of independent retailers.

Andrew Dunbar, CISO, Shopify

For Dunbar, that means he isn’t just responsible for securing Shopify’s internal ecosystem; he also must ensure the company’s products, which help retailers build websites and sell their wares, stay safe against evolving cyber threats.

In this conversation with Infosecurity, Dunbar detailed how his ‘engineer first’ approach has helped Shopify manage cybersecurity as it has grown, how the company balances innovation with AI against its cybersecurity needs, and the benefits of the firm’s bug bounty program.

Infosecurity Magazine: How do you approach cybersecurity at Shopify?

Andrew Dunbar: Our company has always been very engineering-driven; the person who wrote the first lines of code is our CEO, and that extends throughout our organization.

I’m an engineer myself, and building out the security organization, making sure we do it from an engineering-first perspective, is something that we have always prioritized.

The amazing thing we’re seeing right now is that the barrier to entry with AI has become so low that we are now seeing it across every role at Shopify: writing code, building apps, building workflows. This has become a huge unlock in the space of security specifically, but more broadly across the entire company.

IM: How has AI changed how you approach cybersecurity?

AD: On the positive side, with agentic development, our people are unlocked to realize the thing they’ve always been looking for, and they can transform that into ‘How can I make AI into an enabler for the business I’m responsible for?’

Our compliance teams, for example, can agentically gather evidence and analyze policy in a way that scales tremendously well, delivers precise outputs and does it in a really efficient way and that has been the case with everything we have done. It’s fully democratized and everyone can have access to it.

On the IT and security side, IT is responsible for creating the environment that allows all of this to exist.

What we think about is ensuring Shopify is an environment for safe innovation. This is a thing where we need to build out a set of controls and a set of technologies that allows every employee of our company to be AI enabled but also keep our data and our employees safe.

IM: How do you find the balance between cybersecurity and innovation?

AD: One of the things we’ve built is an AI proxy which all AI requests across the company go through, including every downstream connection made.

This saves people’s personal accounts from being used. Because it’s easy and it works, that becomes the path our agents choose to use.

We architect with security principles built in from the ground up. We have a sandbox where we have our user authentication and we have a zero trust environment. That means we can unlock all the things that will be useful but provide them in a way that is governed.
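The pattern Dunbar describes, a single proxy that every AI request passes through and that applies identity, device and permission checks before forwarding anything, is sketched below as an added example. This is not Shopify's code; the policy table, the principal names, the secret-like patterns and the stand-in upstream call are all constructed assumptions.

```python
"""Minimal policy-enforcing AI gateway (added example, not Shopify's implementation).

Every request is authorized against a zero-trust style policy (who is asking,
from what device, for which model and tool), scanned for secret-like material,
recorded in an audit log, and only then forwarded upstream.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional
import re
import time

# Constructed policy: which principals may use which upstream models and tools.
POLICY = {
    "alice@example.com": {"models": {"gpt-internal"}, "tools": {"search"}},
    "svc-compliance": {"models": {"gpt-internal", "summarizer"}, "tools": set()},
}

# Constructed patterns for material that must never leave via a prompt.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                     # AWS access key id shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key header
]


@dataclass
class AIRequest:
    principal: str            # authenticated user or service identity
    device_attested: bool     # result of the device-trust check (assumed upstream of us)
    model: str
    tool: Optional[str]
    prompt: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def authorize(req: AIRequest) -> Decision:
    """Identity, device, and per-principal permission checks, then a secret scan."""
    if not req.device_attested:
        return Decision(False, "device not attested")
    perms = POLICY.get(req.principal)
    if perms is None:
        return Decision(False, "unknown principal")
    if req.model not in perms["models"]:
        return Decision(False, f"model {req.model} not permitted")
    if req.tool and req.tool not in perms["tools"]:
        return Decision(False, f"tool {req.tool} not permitted")
    for pat in SECRET_PATTERNS:
        if pat.search(req.prompt):
            return Decision(False, "prompt contains secret-like material")
    return Decision(True, "ok")


AUDIT_LOG: list = []  # every request, allowed or not, lands here for observability


def proxy(req: AIRequest, upstream: Callable[[str, str], str]) -> tuple:
    """Enforce policy, record an audit event, and forward only allowed requests."""
    decision = authorize(req)
    AUDIT_LOG.append({
        "ts": time.time(), "principal": req.principal, "model": req.model,
        "tool": req.tool, "allowed": decision.allowed, "reason": decision.reason,
    })
    if not decision.allowed:
        return 403, decision.reason
    return 200, upstream(req.model, req.prompt)


def fake_upstream(model: str, prompt: str) -> str:
    """Stand-in for the real provider call (constructed)."""
    return f"[{model}] echo: {prompt[:20]}"


if __name__ == "__main__":
    req = AIRequest("alice@example.com", True, "gpt-internal", "search", "summarize Q3 sales")
    print(proxy(req, fake_upstream))
```

Because the proxy is the only route to the providers, personal accounts and unsanctioned tools never enter the picture, and the audit log gives the security team one place to observe every model call across the company.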

"What we think about is ensuring Shopify is an environment for safe innovation."

IM: How does Shopify embed security principles from the ground up?

AD: We’ve always been a natively zero trust environment. The idea of device authentication, user authentication, permissions, those are things that have been foundational to how we built our company.

Shopify was officially launched in 2006, which is an advantage because it means all of it was built in a cloud native way. This allowed us to always run our security program without the idea of a perimeter or being on the inside of a network, principles which extend really well into the world of AI.

We need to understand who it is that is making AI requests, what permissions they have, what they are allowed to do, how we observe it, and how we combine all those things together into the way we establish the AI foundation.

IM: Are there any additional challenges that come with being a provider of a technology platform?

AD: I don’t feel like it’s a challenge; I feel it’s a responsibility. Our goal as a company is to be the most trusted technological partner a merchant can reach for. Every day is about being worthy of that trust.

For us, being able to see the entire threat landscape, being able to see what’s impacting businesses across the world at the same time, allows us to ensure that everything we do protects all the merchants on our platform.

We run a bug bounty program where security researchers can submit findings to us. We operate the program, but it’s our merchants who are benefiting. Every finding that comes in, we can address and patch across the millions of merchants who use Shopify.

It delivers at scale in a way where we can be at the bleeding edge, living this every day without our merchants having to experience it individually.

IM: What benefits does the bug bounty program bring to Shopify and its customers?

AD: The diversity of thought you get when you are partnered with thousands of security researchers is something that you can’t get through traditional penetration testing or security assessments.

The ways they can think about identifying vulnerabilities in the platform push our features; they’re living in the world of exploitation, which helps us safeguard the platform for everyone. It has been a huge component of how we think about security for the benefit of our merchants.

We’ve built up the program over 14 years; we’ve paid over $8m in pay-outs to our bug bounty researchers, and it has been incredibly helpful to us.

"The diversity of thought you get when you are partnered with thousands of security researchers is something that you can’t get through traditional penetration testing."

IM: What cybersecurity challenges are pressing for Shopify right now?

AD: AI has introduced challenges when it comes to how attackers leverage it. AI-enabled attackers can move away from the traditional spray-and-pray model. Now, every communication, every campaign that gets authorized can be highly personalized and credible, and the susceptibility to falling victim is much higher due to AI. This is a threat we need to be on top of all the time.

Another big issue that has emerged is how AI enables attackers to have custom exploits for vulnerabilities they identify. So rather than having one exploit across hundreds of thousands of companies, every piece of malware they write can be novel. That bypasses a lot of the traditional signature-based detection methods and requires a paradigm shift on the defensive side.

This levelling up of attackers needs to be matched and outpaced by the levelling up that we can achieve with AI on the defensive side.

By using AI, we’re able to create agents that can receive log events, perform investigations and triage, observe novel behaviors across our systems, and alert us when there’s something to take a look at. We can leverage AI to help us remain ahead of attackers and keep our ecosystem much more secure.
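The shift away from signature matching toward spotting novel behaviour, which the two answers above describe, is illustrated by the added example below: a baseline of (principal, action, resource) combinations is learned from historical events, and new events that fall outside it are queued for investigation with a severity hint. This is example code, not Shopify's detection tooling; the JSON log lines, resource names and sensitivity list are constructed.

```python
"""Baseline-driven novelty triage over log events (added example, not Shopify's tooling).

Rather than matching a known-bad signature, the triage step asks: has this
principal ever been seen performing this action on this resource?  Anything
first-seen is surfaced for an analyst (or an investigating agent) to look at.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed historical events used to learn the baseline.
BASELINE_LOG = """
{"principal": "alice", "action": "read", "resource": "orders"}
{"principal": "alice", "action": "read", "resource": "customers"}
{"principal": "bob", "action": "deploy", "resource": "checkout-svc"}
{"principal": "bob", "action": "read", "resource": "orders"}
""".strip().splitlines()

# Constructed new events arriving for triage.
NEW_LOG = """
{"principal": "alice", "action": "read", "resource": "orders"}
{"principal": "alice", "action": "export", "resource": "customers"}
{"principal": "mallory", "action": "read", "resource": "orders"}
{"principal": "bob", "action": "deploy", "resource": "checkout-svc"}
""".strip().splitlines()

# Constructed list of resources whose novel access deserves a higher severity.
SENSITIVE_RESOURCES: Set[str] = {"customers"}

Baseline = Dict[str, Set[Tuple[str, str]]]


def parse_event(line: str) -> dict:
    """One JSON object per line; malformed lines raise so they are not silently dropped."""
    event = json.loads(line)
    for key in ("principal", "action", "resource"):
        if key not in event:
            raise ValueError(f"event missing {key!r}: {line}")
    return event


def build_baseline(lines: List[str]) -> Baseline:
    """Learn the set of (action, resource) pairs previously seen for each principal."""
    seen: Baseline = defaultdict(set)
    for line in lines:
        e = parse_event(line)
        seen[e["principal"]].add((e["action"], e["resource"]))
    return seen


def triage(lines: List[str], baseline: Baseline) -> List[dict]:
    """Return alerts for events outside the baseline, with a severity hint."""
    alerts = []
    for line in lines:
        e = parse_event(line)
        pair = (e["action"], e["resource"])
        if e["principal"] not in baseline:
            reason = "first-seen principal"
        elif pair not in baseline[e["principal"]]:
            reason = "first-seen action/resource for principal"
        else:
            continue  # matches established behaviour; nothing to raise
        severity = "high" if e["resource"] in SENSITIVE_RESOURCES else "medium"
        alerts.append({"principal": e["principal"], "action": e["action"],
                       "resource": e["resource"], "reason": reason,
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The baseline here is a plain set; a production system would age entries out, weight by frequency, and feed the alerts to an investigating agent rather than a print loop, but the core idea that novelty rather than a known pattern triggers the look is what the passage describes.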

IM: What skills and expertise do you look for when hiring for a security role?

AD: One thing that is critical in the world of security is curiosity. We need people to be tinkerers; we need people to be high agency. We need people to be living, thinking, dreaming about the world they are in, so that anything that comes to them can be turned into the next agentic test we’re going to run or workflow we will build.

We always look for people who are thinking about new ways to learn from our industry and new ways to apply that to the things that they are doing.

IM: What has been the biggest success in cybersecurity in recent years?

AD: Passkeys are an incredible success. We have crossed the bridge to where everyday consumers are leveraging cryptography and the best security principles to protect their accounts.

The partnerships between the device manufacturers and browser makers allowed this to be something which seamlessly entered the world of consumer technology. I think it will bring many dividends for the future of how secure accounts are.

IM: What is your one key piece of advice for other cybersecurity leaders?

AD: What we’ve observed over the last year is how third-party ecosystems and the interconnected nature of everything is flying under the radar of a lot of security teams. And a lot of people have been surprised by the success of attacks that have leveraged vulnerabilities they may not have known about.

You need to understand the landscape of who your trusted vendors are, who is in your circle of trust and who has access to your data. Being able to govern that and respond to changes is something that every team must be world class at this point.

Image credit: FotoField / Shutterstock.com