Security education is the foundation to product security

Give a person a fish and they will eat for a day. Teach a person how to fish and you’ll feed them for a lifetime. We’ve all heard variations of this phrase or proverb over the years. The concept is simple: when you teach individuals how to do something, you give them the means to keep providing themselves with the sustenance they require. In the case of the proverb, that sustenance is food.

This concept isn’t far-fetched when it comes to cybersecurity. Security teams are often overstretched, overworked, and overstimulated by crises and alerts. This often leaves a security team fighting fires across the organization, unable to dig into the daily ins and outs of an engineering team’s pain points.

Bring on the education

Where does this leave organizations looking to use their security team to reduce overall risk? Often, the security team is the one that discovers, triages, and prioritizes security vulnerabilities as they surface through the various tools and assessments available to it. The security team then works closely with the engineering team to reduce the overall risk by devising a remediation or mitigation strategy.

But what if the organization instead focuses on creating an environment in which the engineering teams have the knowledge to remediate or mitigate a possible vulnerability before it reaches the security team?

This is where raising the security IQ of the engineering organization can be helpful

I have taught security related content in organizations and at the university level. I’ve taught security awareness to parents and children. Although each of these settings and audiences is different, the underlying theme is the same: bring security awareness to as many people as possible. Doing this means that we can begin to democratize security across the user base. The best part about that? Security education is cheap and can scale well. Probably the two most sought-after qualities in any security initiative.

It’s more than just compliance

Organizations often think of security training as the annual, check-the-box activity that we all go through in order to learn about not clicking on links, keeping sensitive data secure, and not adding to the security complexities the organization already faces. Because this training is usually delivered to meet some compliance requirement, it is treated as a compliance activity rather than an educational one.

However, providing education to an engineering organization takes more than a series of videos and gamified assessments. It takes building secure coding concepts into the development lifecycle early, so that engineers develop the muscle memory to avoid the coding habits that introduce security vulnerabilities.

This can be as simple as lunch-and-learns and conferences, or online and in-person training. It can also be as involved as microlearning and just-in-time training. Each of these will have a different effect on the engineering organization. The goal, however, is a well-rounded approach to bringing security education to the engineering organization, which means using several or all of these options.

Integrating training in the organization

Starting with the basics, the organization can use a learning management system (LMS) to deliver training that is comprehensive and able to reach a large audience. Because LMS training can be assigned automatically to new and existing employees, it can be applied widely. Additionally, the organization can create its own content or use existing content within the LMS to deliver training.

Although not quite as scalable, in-person training is helpful in providing very tailored content to the audience. Whether the training is developed internally or brought in from an external vendor, the content can be focused on what the organization values most. For instance, perhaps the organization is struggling with specific issues related to authentication and authorization. In-person training with hands-on activities set in the context of the organization’s technology stack, covering how to approach common authentication and authorization patterns, will go a long way.

Conferences and lunch-and-learns (where the organization hosts a talk from an internal or external speaker) are great ways to augment the overall training program. These events give attendees information, often from expert sources, about specific security topics. Many of them tie their content to trendy or current topics that may be relevant to the organization. Although these are helpful in bringing new ideas and concepts to the organization, conferences are infrequent and often expensive. Also, getting external speakers for a lunch-and-learn can be challenging given logistical and potential cost constraints.

Lastly, two of the more targeted and scalable training concepts are microlearning and just-in-time training. These deliver training at the moment it is needed, where it can be most effective. Even better, they can often be integrated with the tools the organization already uses to track defects and vulnerabilities, so that a finding arrives alongside the short lesson that explains how to fix and avoid it. This works well in a DevOps model, where automation and a constant feedback loop are critical for the development team to move fast.

How does this help?

Training can be a powerful force multiplier for a security team that is working at maximum capacity. The simple math is that an organization that introduces fewer vulnerabilities spends less time later in the lifecycle protecting against and otherwise mitigating them. Of course, new vulnerabilities will become known and will require the organization to react. However, building secure knowledge in early in the development lifecycle allows the organization to reduce the effort spent on mitigating vulnerabilities that could have been prevented.