
BSides Calgary 2021 Closing Keynote: Tanya Janca

BSides Calgary · 2021 · 54:51 · 19 views · Published 2021-12
About this talk
Tanya Janca explores how to build and scale a security champions program—identifying passionate security advocates within development teams, teaching them skills through coaching, delegating responsibility wisely, and maintaining consistent engagement to drive lasting cultural change. The talk covers recruitment, enablement, recognition, and the critical importance of avoiding program drift through regular touchpoints.
Transcript [en]

[Music] You kind of gotta love the video, right? Hi, I'm Tanya Janca, and I'm hoping to... there are my slides. Awesome, I'm going to turn those on now, and I'm going to give you all a talk about, well, how to build security champions. So basically, we're going to talk about what security champions are, we're going to talk about how to build them, we're going to talk about scaling your team. When I say scaling I don't mean when you catch a fish and you're out fishing and then you do that thing where you take their scales off; quite frankly I think all of that's gross. We're going to talk about scaling your security program. We're going to talk about scaling your security team so you can do way more with the same amount of people and budget, and we're also going to talk about what the heck security champions are and how we can find the right people in our organization to fulfill that role, and then how we can build them up to be champions as opposed to just regular employees with a regular amount of respect for security. We want them to champion our cause and basically help us make an entire program way better.

So I have a recipe we're going to follow throughout the entire time I'm talking. We're going to try to recruit people, we're going to engage those people, we're going to teach them, recognize and reward them (which are different but both important), and then we're going to make sure that we don't stop and that we're consistent.

So who the heck am I? I'm Tanya Janca and I'm the CEO and founder of We Hack Purple. I'm also known as SheHacksPurple on the internet, and yes, some of my hair is violet. I'm the author of Alice and Bob Learn Application Security. I think next year I have to change this to 25 years; I'm past 24, I'm on my 25th. I started my first job in 1997 when I was just 18 years old, and I did that for a long time, then I switched to security. I'm one of the founders of WoSEC, Women of Security International. I love OWASP, I just love them. I'm a blogger, podcaster, streamer, a builder or breaker. I run the We Hack Purple community, and basically I'm a giant nerd on the internet. We speakers do these about-us slides not because we're like "I really need you to know all about me and I need you to look at a great big picture of me"; it's actually because we're trying to convince you this talk is worth sitting through and I'm qualified to give it. You have been through two days of ridiculously awesome talks, you have been giving your attention to BSides Calgary for this whole time, and I'm the last one, so I have the hardest sell of everyone at the conference. I'm hoping you're like, "she seems all right, let's do this."

I also wanted to give a quick shout-out to BSides Calgary, because I think they did an awesome job, and if you haven't yet, please send them a little thank you in the chat so they know that you appreciate all their hard work. There's probably the one person that you've seen announcing people, but they have a whole team of people working their butts off for months and months and months to make this activity awesome. I got my care package in the mail and I have to say it was awesome. I have the hat right back there, and I have not eaten all the treats yet. "Yet" is the operative word. Okay, but let's go back to the matter at hand.

So what's the problem, Tanya? Why do you want to do this, why are you giving this talk? There are not enough security professionals to do all the jobs. There are not enough, especially, application security professionals to support all the software developers at every org in making sure they reliably release secure software. It's difficult to hire them, it's difficult to keep them, they cost a lot of money, and so we want to scale our program in other ways, not just by hiring more professionals. We want to find other ways to do it.

So you can scale your team. We know there's not enough AppSec professionals to go around, we know we need to scale. You could do automation, you could do outsourcing, there are a lot of different options, but the one I want to talk about is security champions. I'm going to give you a super formal definition from Wikipedia: a security champion is a member of a team that takes on the responsibility of acting as the primary advocate for security within that team and acting as the first line of defense for security issues within the team. So that's from Wikipedia, and although I do agree that's technically correct, what I would say is they're interested, they're passionate, they're the person that's more excited about security than everyone else. They want to read the book, fix the bug, ask the questions. They show up at every security thing that's open to them, they ask questions afterwards, they come talk to you for what seems like no reason. That is the person, that's the one you want. All the people who act like that, gather them up, because they're awesome.

Okay, so what does a security champion do? What's their responsibility? A definition is different than what they do and why you need them. So the security champion is your communicator. They deliver security messages to each dev team; they teach, they share, and they help. So they bring your message back to their team and kind of take on that role and some of the responsibility of getting stuff done. They also are your point of contact, and so they will deliver security messages back to you, like "oh, so my team actually needs some help with this," "oh, we're about to get to that stage in the project which means we're supposed to do this security step, could you help us arrange that," "oh, someone thinks they can write their own cryptography and I thought you might want to know." Yes, I want to know that, and that happens way more often than you think. They're also your advocate. So this person performs security work for the dev team, for you, but they also advocate for security. They are a peer, a person that is on the team who's saying "security's important," or "you know, the security team said we should do this," or "that's breaking policy, should we do that? Maybe we shouldn't, I don't know." So that person is advocating on behalf of what you need done at that organization in a positive way, and that is awesome.

So how about we build some security champions together? Let's talk about what we can do. So I have this recipe: recruit, engage, teach, recognize, reward, don't stop. And I know that sounds really simple, it's like "oh yeah, this is my talk, I'm done, I'm going to leave now." No. Could you imagine? They're like "that is the worst." So I am thinking that we will go through this recipe and break it down for the whole time; we're just going to come back and we're going to do these one at a time, and I'm going to give you a bunch of ideas for each one. The reason why I'm doing this is, quite frankly, I would love it if some of you did this at your organization. By doing this I mean if you're on the AppSec team or on the information security team and you realize, you know, our security culture is not really super awesome where we work, what can we do about it? This is one thing you could do to help change the culture of your whole work. Those people proliferate your awesome message, or they federate it, depending upon how nerdy you want to be. So I hope that some of you consider starting a program. I also hope that a whole lot of you consider being a part of one of these programs. Like you, right there: you could be a champion. For real, seriously, we need people like you.

So let's talk about recruiting champions. The first rule of recruiting is never, ever, ever volunteer someone to be a security champion. I don't know about you, but when people tell me to do things it rubs me the wrong way, I don't like it. If you tell every team "well, you have to have a security champion, so you'd better appoint someone," you know, I don't want someone who's late to a meeting and as their punishment they have to be a security champion, or "you're the crappiest dev on this team, so you're going to be this." No, those aren't the ones I want. I want a person who's interested. Even if that person is the most junior person on the team, if they're passionate about it, that's the right person. That person will get you more results even if they have less experience and technical knowledge. So I want us to attract the right people instead.

And the second really important rule that you need to remember (of all these things we're doing, these two are probably the most important things), number two is managers need to be on board. First of all, I have heard of security champion programs where they want 20 hours a week. You're never going to get that, no. But if managers are gawking or balking at the idea of giving you one hour a week, or even two hours a month, of their champion's time, well then life's going to be bad. I don't know what else to tell you. If the managers are saying "no, you don't have time for that crap, I've got real work for you, that's not part of your job, stop doing it," your program's over, right? So get management on board. If you could do a top-down approach where you've asked permission and people are cool with it, maybe they're like "fine, you can do that" and they're not particularly interested, but at least they're not going to block you, and then recruit people, attract people that are interested, you will get much better results than either trying to force your way through without management support or, well, forcing people to do extra responsibilities on top of their regular job for no extra pay, which doesn't sound that attractive.

So let's talk about how we can recruit people successfully, because that's what we want. Recruiting: like I said, we ask for volunteers instead of appointing people without consent. Consent is cool. Provide opportunities for them to reveal themselves. So I'm doing public speaking literally this exact moment, so you're probably thinking "oh, she's really good at doing that, I'm not, so I can't do that." No. This is how I started my first security champions program. I didn't even know what that was. I realized there was one of me and I think we had 150 devs, so way more of them, way less of me. And so I started showing them how to use the security tool and scan their stuff. I just held a lunch and learn. I had no idea what I was doing, I'd never presented before, and I'd been on the dev team, then I moved to the security team, so these were my peers, so I really liked these people and I was really nervous to mess up in front of them. A lot of them were quite frankly like my friends, people I really, really liked, but that made me even more nervous because I care what they think so much. But it still worked out, and I was clumsy and imperfect, and I asked them to help and they did, and before I knew it I had one person on each team and they would always run that tool and fix the things. Oh, it was such a huge success, and I didn't even know what I was doing. So you can definitely do this.

So, having a lunch and learn lets them reveal themselves. I know this might sound so silly, but adding to your email signature "I'm looking for security champions, ask me." I know someone that did that and he found two champions that way. Four people emailed him about it over the course of three months. Just four.

He only needed like 20 champions though, and then two of them, when he told them about it, they're like "yeah, I want to do that, that's really cool, thanks." So lunch and learns, trainings (you don't have to give the training or lunch and learn if you're terrified, someone else can), anyone who asks questions or attends all the events, get some books, send some emails. You can make a newsletter list, and I know that might sound really silly, "a newsletter, Tanya?", but yeah, it really works. If the security team has a newsletter and they send it out once a month, and it's like "here's updates from the security team," and that's it, and at the bottom, "would you like to become a security champion? Just ask us how, we're dying to meet you." Also use super interesting titles if you can. I used to have really crappy titles for things and people wouldn't show up, and someone politely informed me, "you have the most boring titles of all time for your talks," so I started livening them up a bit.

Also, another thing that I find really helps people be more open and more warm and interested is if you can have a really good mantra for your team. So for instance, when I first joined security a lot of it was "you'd better do these things or you can't get to prod," and that wasn't so great. So then I changed it to "it's my job to help you get to prod securely," and so, "I need these things, how can I help you achieve them so we both win?" You get to prod, so you get your goal of releasing your code, but I get my goal of the code you release not scaring the pants off me. And when I changed it to "it's my job to serve you"... I have this friend named Ray who has this really cool blog called Hella Secure, and he says his devs are his customers, and I love that idea. He's like "I work for you," and they're like "no you don't," and he's like "I really do, I really do, I work all day long for you and your teams, that's what I do." When you have that opinion and that way of thinking is expressed with every sentence you say, it definitely is a breath of fresh air, let me tell you.

Okay, so let's talk about how to engage your champions. I'm going to explain what engage means. This is off dictionary.com, I should just add it. To engage someone is to occupy, attract, or involve. Well, I want to do that with security activities, but it also is the other way around: to participate or become involved with. I want to participate in them. So I want to meet with my champ once a month and say "hey, what are you working on? Do you need help? Do you have any questions? How can I support you and your team in doing whatever you're doing securely?" And when you do that, well, that's a really good start, but let's talk more about what you can do. If there's a security incident with their app, bring them in on it. They know way more than you about the inner workings of that app, and you know security and incident response, and together you could do a better job. Share appropriate secrets. I worked somewhere once and we deputized a dev team: we got them to put their right hand up and promise not to tell, and then we shared a bunch of information with them about a really bad incident we'd had. We're like, "you know, you're the only team that's not on board, that keeps pushing back against every single thing, and this is the thing that happened last week, and it was with one of your apps, and it's because you wouldn't let me do security testing. I could have found this, we could have stopped it, we can't do this without you." Sharing that secret information and the ridiculous damage that it caused was hard on my ego, honestly. I didn't like it, but it worked and it got them on board.

Let your champion see literally everything first. If there's a new tool, you tell them. If you're going to do a new policy, you consult them. Whatever the thing is, you always treat them special because they are special. Create a mailing list for your security champions. If you work somewhere and there are eight dev teams, it's just an email with eight people, and you're like "hey y'all, this month we're doing this and that's happening, and if you need me I'm still here being a nerd over on the fourth floor," whatever it is that you would write. I suggest meeting with them once a month and having a set of questions.

You need to brace yourself for bad news so you can play it cool. I really suck at hiding my feelings, and so I had to learn to not freak out when they would tell me bad security things that were happening in our organization that I was unaware of. So I would build trust with them, they'd get to know me, and then they would be like "so there's this thing I saw," and it would be awful, it would be like "oh my god." At first I'd be like "oh my god," but then they would regret telling me. So I learned to be like "oh, that doesn't sound very good, mind if I show up and maybe we could work on it or fix it, or find a better way to do that thing you're trying to do?" And they're like "yeah, cool." I'm big on team-building events or having open office hours. I have bribed many a dev with cookies, let me tell you. And also invite them to join any online security communities or in-person security communities. There's the We Hack Purple community, which is totally free for everyone, but there's OWASP, who, I mean, I am the president of their fan club; if there was one, I would be it. I used to invite all my devs to go to OWASP meetings with me, and some of them would say yes and we would walk from the office over to the meeting, hang out, sit together, learn together, eat pizza together, whatever it is. It made them more interested and engaged them more.

Okay, so teaching. We need to teach our champs, and I have to say that this is one place... So the number one place where companies go wrong is they start a huge program and then after three months they just lose steam. Number two is not getting management approval and/or volunteering people to do stuff, and then you get crappy results. But the number three thing (so I just see these three things a lot, the rest is fine) is that they teach them tons of crap that they do not need to know. So much stuff they do not need to know. Like, "let's teach them all how to be hackers and get them to take the OSCP." I'm like, why? That's a huge amount of work, why would you make them do that? Is it their job to do network security testing? No, it's their job to write secure code. That's so off topic. Don't get me wrong, if you want to be a network penetration tester, that's awesome, go pursue that, but we want the devs to write secure code and we want them to fix bugs we find, and let us do our jobs. Anyway, so I see a lot of companies, oh my gosh, teaching them the history of encryption, like "this is what Diffie-Hellman started" and blah blah, and "here's the difference between symmetric and..." They don't care unless they're building an encryption app. Why are you teaching them that crap?

So it's really important to teach them what you need, expect, and want from them as champions. So here's a bunch of topics of what I would suggest for you, besides defining exactly what you want from them. These are three sections, and then I'm going to give you more stuff for each section, because if you don't teach your champions, your whole program is garbage, right? You can't just be like "you're a champion," and then that's it, and you just walk away and you don't teach them what to do. So: secure coding and secure architecture, your policies that apply to them and doing their job, and cool tools.

First one, secure coding and architecture. Formal training on secure coding, preferably with labs. I'm a huge fan of threat modeling and security architecture, so you could do this as one thing, you can call it whatever you want, but it's a session where you review the risks and stuff that's happening with the architecture. I like to draw stuff out and I ask pertinent questions, and eventually that dev knows how to ask the questions too, and eventually they can threat model, and it's awesome. How to review code for security issues. How to fix bugs they find. And it's absolutely essential that you repeat this once a year, because things change and people forget. I want them to be threat modeling all the time; if you don't give them training it'll start getting different and weirder and weirder over time. Same with any of these things: if there's a thing you're expecting them to do, you need to train them how to do it.

Topics for champions: your policies. So which policies, standards, and/or guidelines apply to them? Literally teach it to them. Just telling them "oh, there's a bunch of policies here, you should just read it," they're not going to. I know, because I was a dev and I didn't do that. Help them create missing guidelines. Let's say you have lots of stuff on how to make secure web apps, lots of stuff on how to make secure APIs, but they're, you know, starting to build serverless apps and you've given them no guidance. Well, guess what, you're going to get a surprise, and it might not be a good one. So instead: "oh yeah, we're going to start building a thing in serverless?" Great, I'm going to give you some best practices I'd like you to follow as a bare minimum, so then you can steer them the right way from the start. Teach them how to be compliant with any standards that you expect them to meet, and help them get there if you can. Especially teach them their role during an incident: when to call you, when not to touch anything, and what "need to know" means. I'm a big fan of doing job shadowing if that's an option. If there's a thing you want them to know, offer to let them job shadow you. And always hold consultations: if you're going to do a new policy or standard or guideline, whatever you want to call it, if you're going to write a new doc and expect them to comply with it, you should ask for their advice and opinion and feedback on it before you set it in stone, because they are literally the subject matter experts, and not asking them is ridiculous. But also it makes them feel more engaged, like they matter, because they actually do matter.

Okay, so tooling. This is a great one to do job shadowing on, right? If you're going to look through a bunch of static application security testing results for four hours on Thursday, invite them and see if any of them want to come do it with you for an hour at a time or something, so they can learn about how the tool works. You need to provide or create custom training on tools that you expect them to use. If they're going to be the expert on their team, you'd better make them the expert; you don't want to set them up to fail. Teach them what the output means, teach them how to validate those results, teach them how to install and configure them, help them. So let's say they want to select a tool, they're like "we want a code review tool, but we want to select it." Cool, help them do it, give them your feedback and advice, give them suggestions. I'm also a big fan of holding a lunch and learn and just teaching everyone how to do the thing, or having a hackathon: "we're all going to review this code for this whatever." Events really help people.

So I want to talk about a teaching style which I call coaching. I felt the kitty needed a lifesaver. I was trying to make the kitty seem really smart, but the lifesaver really helps you know that this kitty is a Jedi. So coaching. Coaching means enabling individuals or teams to meet their full potential. So how do you coach? You facilitate the exploration of needs, motivation, skills, but basically you want to help them make change, real lasting change. You want to change it so this person's always security-aware for the rest of their life; they're always the security dev. One of the people from my original program told me he just got... he's in charge of his first AppSec program now. I'm so proud. He was a dev, he became interested, more interested, more interested, and now, like five or six years later, he's in charge of his own AppSec program. I could not be more proud of the mischief I have caused. If we want them to start practicing a secure system development life cycle, we have to support them in actually doing that, right? If we want our security champions to sing the praises of security, we have to constantly reinforce those values with them.

So how do we coach? First of all, we get a kitty and we give it a lifesaver. But after that, we can set up office hours: "every Thursday from two to four I've just got this open Zoom session, come on, tell me you're there, don't be creepy and just watch me work, and then come ask me questions. I'll just be hanging out doing whatever, answering emails, whatever I'm doing, for those two hours I'm here for you." Set up repeat meetings with your champions, that's really important, and don't let them miss more than one month. It's really important you check in regularly. Help them prioritize their security activities or bugs. Be available. Help them set goals, and then help them achieve those goals and check in with them, don't forget. Teach them specific tools or skills that they want to know, and ask them what they need and then provide it. I know that coaching does not sound easy; it's a lot of hard work. But if you do this you're going to have amazing champions, and that's what you need for a great program. A really crappy security champions program is often a waste of money. You want to do it right, or maybe save your money for something else. You want to do a really good job; if you're going to do this, do it right.

special note on delegation some items are the abstract team's responsibility like some some are our responsibility and some aren't right and so you should delegate the following things so fixing security bugs like maybe you happen to be in the code your hands are already dirty so you fix something that's cool but fixing all the bugs no you can't do that i have to tell myself this all the time i'm brutal for that i'm like well i'm right here so i'll just do this and then like three hours later i'm still like fixing their app and putting my fourth pull request in and everyone's like where's tanya and i'm late on all my other stuff that's crap that is not an effective use

if you're the only one on the apsec team if you're just sitting there fixing everyone's bugs for them because there's 400 devs and there's one of you updating frameworks no i i've done that before planning releases or upgrades that's none of your business assignment of who that works on what bug none of your business implementing or tuning every single tool running every single scan writing all the unit tests etc like don't take over the devs jobs that's not your job but on the other hand of that some things should not be delegated validating static application security testing tool results unless you give them training on how to do this and you're sure they're confident don't

expect them to do this just like so many companies they're like we bought this 200 000 tool we've scanned your things you deal with the crap it spit out oh that is how to lose friends it's not good you if you're gonna do sass set them up for success teach them how to do it or you validate those results um the security team's approval can never be given except for the security team um using any tool without some sort of training i'm training new champions so just remember we're looking for a partnership and assistance we're not looking for a replacement right so there are helpers they are not our teammates hopefully that made sense okay so the next thing in the recipe is

recognize so i have recognized and rewards so i'm going to briefly explain why they're different so recognition is basically making you look cool in front of your peers having your boss notice you did something i remember i worked at microsoft and i went on this big trip to israel and i worked out a whole bunch of awesome stuff and then the chief technical officer of azure wrote a letter to my boss back in north america in the united states i'm canadian as you may be well aware um and so and they were like tanya's a gift oh my god i thought i was gonna cry i felt so good and my manager was like holy crap she basically never talks to

us and like for her to write like a formal letter and go on and on like that's a big deal and i was just like oh my god i don't need a raise that's all i need is just praise but other people they need to have a physical or financial incentive like they need to have a thing and that's the thing that works for them and both of these are about making that person feel valued and for some people receiving like a physical award is the thing that makes them feel valued or like and that could be like a book a gift certificate a raise whatever it is but for other people it's having their

peers or their boss or whoever know that they did a really good job and so i am a recognized person not a reward person but if you want to give me extra money just to be clear that's okay so let's talk about recognizing your champion and you have to do both because you don't know which one the people on your team are so you have to do both to make sure everyone has that feeling that they are valued okay so it's important to recognize your champions because we want them to know they're doing a good job and we see that and that we don't want them to feel like they're doing two jobs but only

receiving one paycheck see how this kitty looks squished we don't want them to feel at all like this kitty okay so how can we recognize people make them feel good besides having someone write a letter to their boss which you should do but we could create a certificate to put on their wall i kid you not it's awesome do things to recognize them or center them out in front of their peers so i've seen people put a special virtual background or a star on their name in slack or teams to denote i am a champion right and then it helps their peers know and it just makes it really obvious in meetings and people are like how do i get one of

those like let me tell you how make sure that you put a note in their performance review it's absolutely essential that when they have their yearly review that it's in there that they did this extra work um tell their boss every time they do something big so let's say they tell you about a thing that was really really bad that you would never have found out about you write a note to their boss and you're like listen uh you know brian went the extra mile and did this this and this and i just want you to know i really appreciate you letting us have time with this awesome employee and just that he's kicking all

the butts you also want to tell them that you saw because sometimes we forget i literally this morning one of my employees was saying sorry about something and how she hadn't spent enough time on it and blah blah and i was like oh let me repeat the thing i clearly don't say enough your work makes my life infinitely better you do this and that's awesome you do that and that's awesome you do this and that's awesome and if you left work 20 minutes early i assure you i don't care thank you for everything that you do you're amazing and clearly i need to tell you this more if you're fretting over that and she was just like

But if we forget to tell people how much they matter, sometimes they forget. So make sure their role on their team is clear to their peers; it just... make sure that they're aware of how much you appreciate them. Yeah, this guy, we don't need this guy.

Okay, so rewarding them. So I've heard this before and it's true: you want to reinforce good behavior instead of punishing bad behavior. And so if someone does, you know, if you've pointed out someone's made an error three times and it's a damaging error that's costing the company money, that's like negligence and you fire their ass. However, if someone makes a mistake this one time, or they're like, "Oh, I told them that probably this would be the more secure way, but I wasn't sure," and it's like, "Oh, that, like, you know, there's an even better way than you said, so like, let's go see if we can improve that with them. But like, thank you for trying, and like, clearly you're learning, and you're learning more and more every day, and like, good job, and I appreciate you exerting effort." But if someone's doing something good, you want everyone to know how good they are. I started consulting at a place where, I kid you not, the previous consultant had made a name-and-shame list of devs that had written crappy code, and they put them on the fridge in the kitchen, and apparently some of the devs were so embarrassed they stopped bringing their lunch to work because they felt too embarrassed to go get it out of the fridge. And so we changed it to "here are the rock stars," and I started like coming up with reasons, that you know, these guys got their code out on time, those guys fixed 10 bugs, though, and whatever I could come up with to like do the opposite of that, and life got a lot better. And just, apparently some of the devs were just completely humiliated by this name-and-shame list, and I have to say that sounds ridiculously awful.

So rewarding good behavior with security-related gifts, so this is the best... this is the most win ever. Like, buy them a YubiKey, buy them books, buy them videos, buy them training, you know, give them passes to a CTF. Giving them your undivided attention and time: so as an AppSec person you have less than zero time, you're always running on negative, you never have enough of all the things you want, and so like when someone comes to your desk, put down your phone, stop typing, turn your chair and look at them. That in itself sends a message of "you matter to me," right? Like, there's so many things that we can do, so remember that giving them your time is a gift. Help them with more than just security.

So again, my friend Ray. So he was an architect for a long time before he did security, and like, I was a dev for a long time. Like, you have all sorts of awesome skills, and so if they say, "Well, we're having this problem, but whatever, don't worry, it's not for you," if you can help, you should help. So for instance, "Oh yeah, we're gonna do this like SAML token thing and I've never done that before," and it's like, "Oh, actually, you know, Jen on this other team, she did that like six months ago. She has all the code and everything. Why don't I just introduce you?" And then, you know, you don't have to reinvent the wheel, you can just ask Jen for help. You making that introduction can be priceless. I literally... someone asked me if I would write a book that was not about AppSec. Why would I write a book not about AppSec? But then I thought of a perfect person that should write that book, and I took extra time to ask the publisher, "Would you like to meet this person?" I asked the other person, and then I just sent the intro, and they're like... that person might get to write a book now, but that took like 10 extra minutes of my time. But then that matters so much to, first of all, the publisher, that I would actually find someone else that's qualified to write that book for them, and then the person who might get to publish their first book. Like, it's win-win-win, right? Let them see new tools or anything else first. Always ask their advice if it makes sense. Let them help you make decisions. You get the final say, but you should consult this team of awesome humans with lots of experience, corporate knowledge, and all the security knowledge you gave them, plus tons of knowledge you don't have. Anything you can think of to reward them, you should do.

I worked somewhere once and my team was way out of date on training. They didn't know any new technologies and I was super frustrated, so I started this lunch-and-learn program. Attendance was amazing, but there were a couple people, and I have to say they were the crappiest ones, like their work was like not stellar. And so one of the management said, "Well, can we give them a reward?" And so we made it that if you attended five of these sessions you got Friday afternoon off, and we'd have, you know, one or two sessions a month. So every few months a couple people would get to have this one Friday afternoon off, and their peers see them and they'd all like high-five, and they're like, "Let's go have a coffee together," and like you could see, "Oh well, it's that special Friday that they get off because they attended all the things." And that became a big peer thing, and then all the people that weren't as good started attending, and they started doing more stuff and being more awesome and more engaged. And anything you can think of that makes them engaged and makes them feel rewarded for their time and effort is good.

Okay, so again, this is... this is probably the worst thing, is just companies that start a huge program, they burn out, then they stop having any sort of sessions, they give no support to the champions, and then like a year and a half later they're like, "Where did our program go?" So don't stop. When in doubt, over-communicate. So like, let's say it's December. So December has all sorts of religious holidays, and it has, in Canada, statutory holidays as well, so even if you're not religious at all you get days off work, and I like it. But anyway, the point is there's the least amount of people in the office during the last two weeks of December. So let's say you're not going to have any sort of activity for your security champions, and you're like planning nothing that month because you feel it's a write-off. Still send an email. Say like, "Listen, so you know, December, with Ramadan, Hanukkah, Christmas and like whatever else is going on that month, we're not gonna have an event because, you know, someone's gonna have to miss it, but we're gonna be back in January and we're gonna do this. I hope you'll have a great holiday, you know, no matter what you're up to, and here's a podcast I listened to recently, an episode about this I thought might help some of you, because I know a bunch of you are Java programmers. See you in January. Come and get me if you need help." That little gesture tells them, "I'm still here, don't go." It keeps them engaged. Not a huge engagement, but something. Even if none of them respond to the email, I assure you it mattered to some of them. So if you don't communicate regularly, your program will disappear way faster than you think. Way faster.

I do lots of different consulting calls, so I'm faculty at a place called IANS Research. Tons of them are about, "Well, two years ago we had this program and after six months we lost steam. How can we pick it back up?" It's way easier to not let it slip. So what can we do about that consistency? If you... I, at one place, I actually... so we started doing this monthly thing and I ran out of things to talk about. So you know what I did? I went on the OWASP YouTube channel and I found a really, really, really awesome talk that I really wanted them to see, and then I bought donuts. I told them I had donuts, "I have carbs and sugar," and then I invited them and I'm like, "This talk's really good. I was hoping we could just all watch it today because none of us have a thing to present to you." Lots of people still came, and I don't think it was just the carbs. So even if you just meet with them one-on-one per month to check in with them, or just a call or an email... some champions will need more of your time, some of them will need less. Some of them will do the bare minimum no matter what you do; they'll just be okay, and that's way better than nothing. But some of them are going to be amazing, and this is sort of a thing you have to accept. If you accidentally drop your schedule, that's okay, pick it back up. Just send an email out, be like, "So I know we haven't had anything in two months, but next month I'm planning something. If anyone has suggestions..." blah blah blah. It doesn't matter; the point is that culture is a practice and it must be repeated over and over and over again, and when you stop repeating it, it just falls apart faster than you think. So this was our recipe, and we're completely awesome because now we're gonna build security champion pro... we're gonna build security champions,

we're gonna build them up into champions. And so, conclusion: we learned how to attract the right people to your program, what we should teach them, how to reach them, how to engage them and turn them into advocates, what to delegate and what not to delegate (I should put "do not" too), how to motivate them, and basically how to build an amazing program. And so like I said, this is our recipe, with "don't stop" being the most important part.

And now I have a couple resources for you. I was going to say free resources, but I do talk about some books and they're not free, but everything else is free. Okay, so resources. So one of the resources is I have an online community that's free. It's like... it's kind of, imagine if there was Facebook but there was like no spying and no bullying and no mean people and we just all talked about security. It's that. And so community.wehackpurple.com, it's free. We have a code of conduct and you have to follow it, but everything else is cool, and if you want to give a presentation, if you wrote an article, if you listened to something and it was cool, if you have a question about work... I literally ask questions all the time of them because sometimes they know and I don't. Awesome books: I believe you can't do security right unless you are doing it right, and I believe DevOps is the way for making awesome software. I just, I love DevOps so much, and so a bunch of these books are about DevOps and modernizing the way we build software, and the last one is by me, and me and my mom both think it's the best book about application security out there. I have a podcast; we're gonna do season two soon and it's gonna be basically like tons of tips. Season one was about how to get into various jobs within security and what it's like to do those jobs. Resources, me: I have a blog on my professional company site. I'm also gonna eventually have the purple... personal purple blog. Alice and Bob Learn: if you wanna come to some of our live streams, Saturday we're having a free live stream where we go over chapter nine. I have a newsletter, etc. I'm a nerd on the internet, like I said earlier. I hope all of you get to spend your life doing strange things with weird people, because I think that's the best type of life a person could have, and I want to thank you all so much for staying to the end of this amazing event. I want to thank all of the organizers for all their hard work. I want to thank you for showing up and learning, and especially thank you for choosing me as the closing keynote. It's... it's such an honor to speak at a Canadian conference, and I just want to say thank you.

Okay, so I'm going to minimize my slides and we have time for Q&A. So who has some questions? I think that they would go into... oh, there's so many questions. All right, oh, thank you. Let's see if there's questions, because there's like so much in the chat. "Don't over-commit or you will hurt yourself in the process." Adam, you're so right. And then AJ says, "That's a good idea. This isn't our material but we heavily endorse it. Let's watch together and our champs can answer the follow-up questions." Yeah, exactly. "Record management folks at a place I was at rolled out record management champions." Oh, that's awesome. Oh, that's so cool. Yeah, you can have all sorts of champions, and really, if you're gonna make a huge security champions program, you could also have privacy champions, because quite frankly I really think privacy is important, as a person who just had a company put her home address on the internet. Oh, anyway. Thank you so much. Are there any questions? Because there's so many comments, I didn't even realize that they were happening because all I could see are my slides. Thank you, thank you so much for coming, and again thank you to the organizers. I don't know if any of you have ever organized a conference, but I have, and it's hard. It is so hard. It's like hundreds of hours, that, and you're like, "Oh, I'm gonna just spend this much time."

Oh, there's a question: "Do you see a budget commitment to security champion program, or is it kind of off-the-shelf program, in your experience?" So I would say a whole bunch of security champions programs, at first we have no budget, and then eventually people like it better and they see some results, and then they'll say, "Well, I'll give you a thousand bucks for, like, rewards for the champions," and I'm like, "Mmm." But often, this might sound ridiculous, but I'll like bake cookies and stuff, because I kind of like doing that, and I know other women get really annoyed because they're like, "Then they're gonna expect me to bake cookies," and I'm sorry, I'm that person in the office. I'm annoying and I know it. But all, like, I remember baking 150 cookies for... so every single dev could have one. But it works. Someone says, "You should have a P.O. box for your business." Yes, I do have a P.O. box, but some jerk face decided that instead they would put my home address, which I want... yeah, so I might be suing someone. But anyway, yeah, cookies are good. I also made some gluten-free cookies just so like I could cover all my bases, and also because I'm gluten-free, and then there were leftovers and I got to eat them.

"So if you're new to an organization, how do you find the teams that you want to participate in programs like security champions?" So also, if you want to be a security champion, I usually just... so when I was a dev and I was really excited about security, I literally just went over, I'm like, "Hi, I'm Tanya, I'm one of the dev leads, and like, I think security's really cool," and they're like, "You're an alien." But guess what, within one year I was on their team. I kept reporting security incidents to them, I kept telling them about things I did, and I was like, "Yeah, I'm in this mentorship program," and well, but they're just like, "God, she's so annoying," but I grew on them like mold, and then eventually one of them came up to me and he's like, "So we have a position open on our team," and I was like, "Oh my god," and he's like, "I didn't even offer to you guys." I'm like, "You came to my desk, I know it's me." Yeah, it was pretty good.

"Awareness versus champions, where is the line in your mind?" So champions means that there's like a person on each team that is the security person and they actually have responsibilities. Well, with awareness, so I have this long-time client and I do like a couple hours a week with them, and so once a month I often do a presentation, and that has helped change their culture and made them more aware, but they don't have a security champions program, and it's resulted in better code. It has resulted with way more people coming to the AppSec team rather than going to Stack Overflow, which I have opinions about. Stack Overflow's awesome, but I wish that they would... I wish there was more secure options on there. So I would say the line is whether you expect them to have responsibilities or not for the security team. "Baking cookies, storing cookies, there's a web dev joke in there somewhere." Yes.

Oh, thank you. Yeah, I was like, I was so excited. I remember when I was on the security team at one point, like I guess I'd done something really good that impressed the boss, and he came up and he had taken tin foil and made a tinfoil hat out of it and wrote, "Don't worry, I'm here now." He's like, "You're officially part of the team. You have this tinfoil hat. Don't worry, I'm here now." It was hilarious. Oh, you can see, yeah, that's that... wait, wait, that is the book I wrote, yeah, Alice and Bob Learn Application Security. Yeah, I'm hoping to write another book, but not yet, because I'm busy. Thank you so much for having me. So if there aren't any more questions, I want to invite the organizers to come on and like wrap up the conference and say goodbye and say all their awesome stuff. Thank you so much for having me. I appreciate so much the chance to present. It's just, there's not very many Canadian conferences, so it's just like really wonderful that I could go to one. "What's the camera set? The quality is hella clear." I have a 4K camera, it's a Lumix, yeah, and then I have a shotgun mic overhead with one of those muffs on it, and it's plugged directly into the Lumix, and the Lumix is actually a regular camera, not a webcam, and then we have it going into another system that turns it into a webcam. So it's like a camera, not a video camera, but we managed to change it into a feed, and this was from when I first started my company, but now when we shoot real training videos we have an 8K Blackmagic and it's...

Thank you, Tanya, so, so much here. We really, really appreciate your closing keynote here. Thank you. Bye.

Well, we're getting right close to the end, everybody. Thank you for being with us thus far. We still got a few fun things that we would like to talk about, so just be with us for the next few minutes and we'll close it up pretty quickly here. First thing that we wanted to do is we wanted to just, as BSides, we're, you know, a community foundation, we work with a lot of organizations and we also want to give back. So with a couple things here was that we wanted to just announce that we're giving back to a couple organizations here, both to Chic Geek, which is a community organization here, as well as the Calgary Drop-In Centre, specifically around their I.T. program. We just want to say thank you for what they do in the community and want to support them, as well as from their foundation as well. So thank you very much, and we just wanted to be able to give this forward to you as to be able to use in your programs.

All right, well, that's just closing up for us. Everyone that stayed for the whole time here, we want to say a huge thank you. I want to just give, reach out and say thank-yous to all the attendees for being through this the whole time, set, you know, two years of being remote, we know it's hard to be remote. Thank you for sticking with us, being part of the community. Thank you to our sponsors for helping, you know, fund us so we could put this on; if it was, you know, within any of these groups, we would not be here. A huge thank you to our volunteers here that have put this on tirelessly. They've given up their time, their effort here, over not just the last couple days here but over the time leading up to the event as well. A couple other things: if you're looking at, in the next couple weeks we're hoping to get the videos out on YouTube, so that'll be out for the whole community to consume. Look for that on our Twitter or on LinkedIn from us. Other than that, thank you so, so much for attending. We're looking forward to doing this again sometime in the future, so you know, if you want to see us, make sure you just bump it up and bring the community together on the socials there. Thank you so much.