How to build a world class product security program


In this episode of Securing the Future podcast, we sat down with James Zollinger, one of the first security hires at Netflix, to unpack what made their product security team one of the best in the business.

🔥 Topics Covered in This Episode:

  • From helping Netflix scale securely from DVDs to streaming
  • To embedding security into user experience from Day 1
  • To leading cross-functional privacy and security initiatives at Humane
  • And learning the hard truths about what breaks when companies grow past 1,500 people…

James drops lessons that every CISO, security engineer, and product leader should hear — especially if you’re trying to shift left, build a security-first culture, or lead with context, not compliance.

💥 You’ll hear:

  • Why UX matters more than you think in product security
  • The hard pivot from organic security culture to consultant-style models
  • How Netflix redefined product security org structures
  • Why building your own security protocol might make sense
  • And what “making a breach embarrassing (for others)” actually means 😮

🎙️ Hosted by Jesse Meadors & Ramin Lamei

If you’re serious about securing the future of your product — don’t miss this one.

Topic Intro:

  • Focus on product security.
  • Special guest: James Zinger, who spent 11+ years at Netflix.
  • James helped build Netflix’s world-class product security program.

James Zinger's Background:

  • Started at Netflix as first Product Security Engineer.
  • Netflix streaming org was only ~20 people when he joined.
  • Early focus: Convince Hollywood studios Netflix could securely stream their content.
  • Built product security "from scratch" rather than retrofitting later.
  • Early focus on engineering, leadership, and strong user experience.
  • Left Netflix after 11 years, then worked at Humane as Head of Product Security (startup environment).

Key Insights on Product Security Success:

  • Shift Left: Address security early during design, not after deployment.
  • Start from scratch: Build security in from the beginning, don't bolt it on later.
  • User Experience (UX) Matters: Best product security engineers deeply understand user flow, not just technical security.
  • Cross-Functional Collaboration: Security engineers embedded into product teams — almost like "dotted line" reporting.
  • Hiring Strategy: Soft skills (collaboration, empathy) more important than hardcore cryptography skills.

Organizational Structure Tips:

  • Embed product security engineers directly into product development teams.
  • Shift from "security police" to "security enablers."
  • Trust and direct communication are critical early on; need structure as company grows beyond ~1500 people.

Security Champion Program:

  • Started a small voluntary group at Humane (~12 people) from across the company.
  • Encouraged two-way learning: security taught non-security teams, and learned from them too (e.g., AI team).

Challenges with Growth:

  • Pre-1500 employees: Trust-first, organic security integration.
  • Post-1500 employees: Need for more structured consulting model.

Handling Risk Ownership:

  • Security team isn't the owner of risk — product teams are.
  • Security provides options, guidance, and lets product owners decide.

Quarterly Threat Modeling (Netflix and Humane):

  • Built matrices mapping threat cost (in dollars) vs probability of occurrence.
  • Informed where to prioritize security efforts.

Generative AI in Product Security:

  • Variance detection in network traffic a good use case.
  • Believes good product design can minimize need for reactive AI monitoring.

Privacy by Design Example (Humane):

  • Designed user-driven privacy experience.
  • No default access to photos or locations — users actively grant access in real-time via voice interaction.
  • Privacy controls built into product flow — not hidden behind complex settings.


Lessons Learned:

  • Embedding privacy/security early improves user experience and reduces risk.
  • Netflix sometimes had to invent custom security protocols to optimize user experience (like quick media playback with low latency).

Closing:

  • Hosts praise James’s deep insights.
  • James emphasizes importance of UX + security combined.
  • They hint at inviting him again for a deeper dive into privacy-focused product security.

Got a good story to share?
Be a guest on our podcast.

Is your organization prepared to handle cyber threats? From ransomware readiness assessments to virtual CISO leadership, TechCompass offers comprehensive solutions to secure your digital assets.