Empowering Teams for Better Security
This episode explores how to create a robust security culture by integrating security awareness into your daily operations.
To build a successful AppSec program, this discussion advocates for a culture of shared responsibility, where everyone is empowered to be a security influencer within their teams. It also highlights the need to provide champions with clear roles, training, incentives, and opportunities to collaborate effectively with other teams.
Guest: Jigar Shah - Global Head of IT, Identity, Access and Application at Tenet Healthcare
Host: Chris Lindsey
Key takeaways from this episode:
- Security is Everyone's Responsibility: Foster a culture where security is embedded in the mindset of all employees, not just the security team. This requires buy-in from leadership and a shift in perspective from security being a cost center to an investment center.
- Champions as Influencers: Select individuals who are passionate about security and can effectively communicate its importance to their peers, acting as advocates for best practices.
This episode also touches on important considerations for running the program:
- Define Clear Roles and Responsibilities: Provide champions with clear expectations, training, and resources to fulfill their role effectively.
- Incentivize and Reward: Recognize and reward champions for their contributions, whether through public acknowledgement, bonuses, or other incentives.
- Break Down Silos: Encourage collaboration and communication between security and development teams by integrating them physically and operationally.
Intro:
Just to piggyback on what you said is always ask the question, what’s the cost of not doing it? What’s the risk?
What’s that impact? And as you tell that story, which they understand. Right? Whether it’s a developer, whether it’s a business leader, whether it’s your CFO, or whether it’s your CEO.
At the end of the day, if I’m a CIO, my job is to develop that value proposition within my peers who are C-levels, or go to the board.
So that’s one of the things which I really, really do is I always tell people I’m not running a technology department.
I always say I’m running IT as a business.
There’s a difference. I think this statement is so powerful. Run your IT department as you’re running a true business.
How you’re enabling the business to run better with your IT practices. Whether it’s IT, whether it’s your cybersecurity, how are you keeping your company safe?
How are you making sure that all your end users are safe and not attacked by any of the hackers?
Conversation:
Welcome to Secrets of AppSec Champions. Today we’re talking with Jigar Shah, an executive global leader in IT, identity, access, and application security. Jigar, please introduce yourself.
Thanks so much for having me. This is exciting, and it’s always a pleasure. Hello everyone, I’m Jigar Shah. I’m passionate about technology, business, and security; all the things that keep us safe. I’m really looking forward to this conversation today on building a security champions program and how to make security part of our day-to-day life.
Establishing a Security Champions Program
Very good. Let’s talk about building a security champions program. What does it take to get one started?
That’s a great question. It sounds simple, but it’s complex. My first question to anyone in the company is, “Whose responsibility is it to keep the organization safe and secure?” I’ve gotten various responses. Some say it’s the security team, others say security, compliance, and legal. Some say they handle bits and pieces of it. My conversation starts there, and then I tell them that security is everyone’s responsibility. Period. That’s where you start building a security culture.
I believe technology and business are driven by a culture established by leadership. That culture is reflected internally and externally to your customers and end users. This is why security champions are so important. It’s about building a philosophy, a culture, a framework.
To build a security champions program, number one is getting everyone on the same page that security is everyone’s responsibility. Then, bring in people from IT cross-functional teams, application development, infrastructure, product, even marketing, finance, and HR. These folks are the ones who will be attacked when something bad happens. They can be vulnerable because they may not be aware of the threats.
Get the right stakeholders in a room to talk about the objectives and goals of the program. In short, it’s about finding the right people who are passionate about security, developing them into spokespeople, and amplifying their voices to create that culture of security within the company.
The Importance of Culture in Security
I love how you talk about culture. So many people I’ve talked to about building a program think the first thing they should do is reach out to developers and have a meeting. Those efforts are destined to fail. You need to make sure the executives are on board and understand the program. Without executive buy-in, when you reach out to developers and say, “Hey, you’ve got your security champion,” and that resource is split between development and the champion role, the executives might say, “We’re behind on deadlines, we need them programming, forget security.” It can all go away. So, culture is critical, making sure everybody’s on the same page, from the executives all the way down to the security team, the management, the champion, and the developers.
Totally. Gaining executive support is key. Half the battle is won that way. When your executives or leaders buy into this philosophy, they become champions themselves, creating champions within their teams. That’s where the success lies.
Selecting the Right Security Champions
That’s the key. But once you get that executive support, you need to identify and select the security champions. How do you do that?
As a leader, you need to be clear on the criteria. Develop criteria for selecting champions, such as someone who is strong technically, but also has great communication skills and understands the importance of security. I always tell people, security champions don’t have to be security experts, but they need to understand the importance of security so they can convey that to their teams.
Develop those criteria, and maybe even use a nomination process. Ask your peers or other leaders, “Who would you nominate from your team?” There are different ways to go about it. You can ask for volunteers; some people are interested and will volunteer. Ultimately, you bring those right folks into the mix.
That’s a great point. Asking for volunteers worked pretty well for me when I was setting up a program. Some really wanted to learn and know more about security. Those volunteers are your best assets. They are vested and have the drive and desire to be a champion. Asking leaders for recommendations through a nomination process is also excellent. When you go to someone and say, “You were recommended by multiple peers. We would love to extend this offer to you to be a security champion. What do you think?” That builds desire from their side. It’s not being told or pushed into something they don’t want to do. It’s more like, “That’s great! I’m being nominated or recommended by peers who trust me.”
Absolutely. One thing that worked for me is influencing without authority. I read this book that really shaped my thinking. Most of the time in our careers, we don’t always have a specific title, but we are put in leading roles where people don’t necessarily report to us. But you need them to do their work for the project. So how do you become more effective? That’s where I took some lessons from that book and started influencing without authority.
I started by having cross-functional meetings with leaders, bringing those teams in, and making them socially aware about cybersecurity. Slowly, I started getting interest from people. Cybersecurity is such a relevant field now; it’s not foreign to anyone. Even people outside the industry understand what it means at a high level. So, the job becomes a little easier when you’re talking to people who are already in the industry.
You need to start bringing the leaders into the fold and telling them the implications of not prioritizing security. How does it impact them? Once you start telling that story and providing data points, you give them a line of sight. Even though it’s not in their job description, they’ll still want to become a security champion because they see how it indirectly affects them. You have to make that clear.
Bring them into your day-to-day or weekly updates so they see how the security programs are run and what affects the rest of the company. Give them that line of sight, be transparent, and tell them, “This is what is expected, and we are here to train you. We’re not asking you to come with all the knowledge.”
We need those security influencers. I really like this term because people can relate to it. It’s not about being the champion and needing to know everything. It’s about influencing people. The whole mindset changes.
You bring up a good point. Sometimes I’ve seen where somebody says, “I’m the champion, I’m in charge of security. You’re going to listen to me.” They bring down the hammer and alienate the developers. It becomes problematic. I love your word “influencer” because that’s what they’re doing. They’re influencing good security practices at the development level, teaching developers what they’ve learned from the security team and applying it to the code base to make everything better.
Totally. A lot of people try to enforce things, and that’s where it doesn’t work. Security is sometimes seen as a hindrance, an obstacle. If you ask an end user, they might say, “Why do I have to go through these steps when I can just do it?” To be successful, you need to be a creative thinker.
I always say being a CISO or CIO requires empathy. It’s so important. If you don’t understand empathy as a leader, you’re never going to be successful, whether it’s an AppSec program or any IT initiative. It’s all about people. How are you impacting their lives as end users? What kind of business outcome are you bringing? How are you making sure technology enables that? Empathy is crucial. Once you understand that, you can get these non-security folks to buy into your vision and strategy. That’s when they become your true influencers and build that security culture.
Building a Security Culture Through Champions
Absolutely. I’ve heard a lot of security teams say, “I don’t have a developer on the security team because I can’t hire one.” The beauty of a champion or influencer program is that you’re bringing someone internal into the fold and promoting them into the security area. This gives them the opportunity to learn, grow, and become better.
Throughout my years of developing software, one of the biggest things I wanted was to be better. Early on, I saw that databases were the future. Because of that, I took a job only working with databases, which propelled my career. I was able to apply what I learned and help others. It paid dividends. That’s the same thing with the influencer program. You’re taking someone, helping them grow, whether they volunteer or are nominated, and taking them to that next level of security understanding.
How many times do we hear, “I just got another email that company X has been compromised, and my information was in there,” or “Data has been stolen and it’s on the dark web”? You ask yourself, “How did this happen?”
You bring up a good point. We live in a highly digital, interconnected world. Imagine those threat actors moving freely, having our personal information. How would we feel if someone came into our house and knew everything that was going on? That’s why I said security is not foreign to most people anymore. Everyone, even non-technical people, knows what identity theft is, what security is, or they know the phrase “I got hacked.”
It’s not foreign anymore. People are becoming aware, and our job as leaders is to develop that culture of security within our companies. It starts at home, and then it grows.
This brings me to my next steps. Once you have the champions or influencers, what do you do with them?
Defining Roles and Responsibilities for Security Champions
The next step is defining roles and responsibilities, and then providing training and resources. Defining responsibilities is crucial. Sometimes, people start security champion programs with a big bang, but fail to define the roles clearly. As a leader, we have to make it super clear what is expected. For example, “You are a security champion, and we will equip you with the training and resources you need to take back to your team. You will be the gatekeeper.”
Let’s take application developers as an example. Can we bring security “shift left”? Can we bring security in at the beginning during design sessions? That’s what’s called threat modeling. If you want to ensure security is involved during those initial design sessions or even during requirements gathering, you need that security spokesperson to bring that security view when product and marketing teams are coming up with new initiatives.
You can use security champions to be your spokespeople, to call things out, to say, “This is how we can do it. If you’re writing code, let’s do another round of review from the security perspective.” Even if it’s further developed and progresses into the SDLC cycle, they’re still there to ensure security is inbuilt.
You bring up a good point. I’ve talked to others who tried to start a program, and the problem was the security team was too busy. They’d bring someone in and say, “Guess what? You’re going to be part of the security team. Go learn it on your own.” You’re destined for failure. You’ll never get off the ground.
What you said was spot on. When you bring someone into the program, they become one of you. They’re invited to your daily or weekly standup. They know what you’re working on, that you’re looking at new tools, and you ask for their thoughts. When they’re vested and feel like part of the team, they can relay that back to the developers.
One of the things I always did with penetration testing was record the results in a video. We sat down with the manager and software architect and said, “Here’s our finding. Here’s how we did it. Here’s what happened.” When you have that transparency, it goes a long way. Having that influencer, that champion, allows them to focus on things like, “This week is SQL injection month, or command injection month.” They can pick topics and start looking through findings in the tools or within the code. They can take the most critical things and say, “Is this real? Can this happen?” They can start building awareness. “Here’s what needs to be addressed. Let’s put this in the next sprint. Or, we just found something really bad, let’s get a hotfix out there.” When they’re intertwined with the developers, software architects, and management, it makes it an easy conversation. “Here’s a finding. It’s critical. This is why. We address it either now with a hotfix, or we put it in the next release.”
Transforming Security from a Cost Center to an Investment Center
Right. Always ask the question, “What’s the cost of not doing it? What’s the risk? What’s the impact?” As you tell that story, they understand, whether it’s a developer, a business leader, your CFO, or your CEO. At the end of the day, if I’m a CIO, my job is to develop that value proposition with my C-level peers or the board.
One of the things I always do is tell people I’m not running a technology department. I’m running IT as a business. There’s a difference. This statement is powerful: Run your IT department as you’re running a true business. How are you enabling the business to run better with your IT practices? Whether it’s IT or cybersecurity, how are you keeping your company safe? How are you making sure all your end users are safe and not attacked?
You bring up several good points. Think about it this way: People usually look at security as a cost center. It’s costing money, not making money. You hit the nail on the head when you said, “What is it going to cost if we have a breach or data loss? What is it going to cost if we have PHI that gets released?”
Absolutely. That’s when you get these leaders thinking. Now you’re talking their language. Now you’re talking a CFO’s language. “If you don’t do this, you’re going to lose X amount of money. Revenues might go down, profits might not be there.” Instead of IT and cybersecurity being a cost, I turn it into an investment center. When you do that as a leader, that’s when you see the culture change. You make sure that you break down the silos. What happens is security is in one area, development is in another, and they both have this constant friction.
Breaking Down Silos for Better Collaboration
I don’t even want physical silos. I want developers and security to sit together. Break those barriers, break all those silos. Be a part of one team. You’re a part of IT at the end of the day. To me, you’re part of the information security or information technology department or program. That’s where you start gaining respect from your entire team. You give them a line of sight: What is the cost of not doing it? What is the impact? What is the risk?
One thing I usually talk about is finding a way to incentivize this role. If you’re dispersed with multiple locations, bring everyone together in one location for a week. That helps make the influencers or champions feel like they are part of the security team. It gives them a feeling of, “Hey, I get to travel.”
The other thing is to create a bonus or incentivize through a slight increase in salary. A company I worked with had 15 to 20 developers who were going to be part of their champion program. I suggested a bonus, and the pushback was, “That’s going to add up.” I said, “Look at it this way: What would it cost to pay a full-time employee to do this job? More importantly, what will be the cost if you don’t do this?” You’re talking less than one FTE, and now you have 15 to 20 “security” guys versus just the one. You have much better reach.
You have a good point. Reward and recognition are important. You’re asking someone who doesn’t have that responsibility to do something beyond their normal duties. Public recognition, bringing them into all-hands meetings or town halls where you felicitate them, giving them feedback – that pushes them to do their best.
People are motivated by different things. Some are financially motivated, some are motivated by appreciation, some by feedback. You need to understand who is who and tailor your rewards and recognition program.
Then, start measuring and tracking progress. How do you know the program is working? How do you track that? That’s where you need to define metrics to see the before and after picture. For example, with code reviews, you might see a reduction in vulnerabilities or false positives. That’s what shows real progress, real success.
Addressing Resistance from Teams
One thing I see in some programs is that when you’re a larger company, you may have that one team that just won’t do the security stuff. “We have a finding? We don’t care. We have to get this out the door.” How do we work with those teams?
It goes back to the fundamentals. If you don’t paint that risk picture for them, they won’t get it. Sometimes it even takes communication from the top, not just the bottom. That’s why I talked about culture at the beginning of our discussion.
If you put a product out in a rush without making sure it’s secure, no matter the industry, you will either end up recalling the product, facing legal implications, or damaging your reputation and finances. Most people don’t understand this because their job is just to get the product out the door. But as a leader, whether a CIO, CISO, or executive, it’s my job to educate my peers and leaders. It’s about explaining the risk. “How much risk are you willing to accept?” Then the conversation shifts to, “If you’re willing to accept that risk, then sign off on this.” You start holding people accountable.
Accountability and outcomes are two main things I’ve emphasized within my teams. You make them accountable, not only within your team, but cross-functionally. “If you do this, you are accountable for X, Y, and Z. If you do this, this is the outcome.” Once you start painting that picture, and if you’re a good storyteller with the right data, facts, and figures, everyone understands.
Communicating Risks and Outcomes
And if they don’t, then you have a problem. Then you really have to have an honest discussion with your teams. But I think most of the time, it’s just a matter of bringing that line of sight, talking about risk, talking about business outcomes, and explaining the consequences of inaction. Those are the key takeaways.
That’s spot on. It’s funny how many conversations I’ve had where it’s, “There’s just this one team.” Sometimes you have to elevate it to the executives and say, “Look, we’ve done everything we can. You’re a problem.” And see what they can do.
Right. So awesome. We’ve talked about a lot of different aspects of champion and influencer programs. Is there anything else you want to add related to running a program?
It’s been an honor to be here and talk with you. You have a wealth of experience and knowledge. This is a great platform where you’re bringing leaders together to understand security and IT in detail. You’re doing a great job for the community, especially for those in similar roles, helping them learn from your experience and mine. I can at least share what went right and what went wrong. So I appreciate you having me.
One thought to leave with the audience: As a leader, make sure you emphasize that security is everyone’s responsibility, not just one team’s. If you develop that culture, you will find success in your organization.
Well said. I can’t say it any better. Jigar, thank you for today.
Thank you.
Thank you for joining us on Secrets of AppSec Champions. If you found today’s information valuable, hit that subscribe button on your Apple Podcast, Spotify, or wherever you’re listening. Ratings and reviews are valuable to us. If you’re feeling generous, please leave us a kind word as it helps others find our show. Until next time, take care.