
Good morning. I'm always honored to be among people with an interest in, and desire to ensure, a safe digital world. I just want to reiterate my thanks to Sam and the rest of the BSides team for accommodating my little bit of drama and switching this to a remote session early this morning. It does provide me an ample opportunity to discuss what I feel is a powerful strategy: how we can cultivate security champions within our organizations and effectively shift our security practices to the early stages, smartly.

My name is Kay. I'm a final-year cyber security student at the University of Salford. I'm currently a placement student within the application security team at maillian, and after my placement there I was fortunate enough to remain as a part-time InfoSec analyst as well. I have a passion for all things token and Chelsea Football Club. Unfortunately, my brief industry experience and my passion for this topic have brought me here to share some insights on how we can look inward to address the shortage of trained and experienced cyber security personnel by effectively building a security champions program, which is what I'm going to spend the next 15 minutes talking about today.

But before I go into that: the digital landscape has evolved, hasn't it? This network of interconnections can also be seen as an expansive realm of vulnerabilities. This is a world where our attackers only have to get it right once, but we have to get it right every single time, and that can be a little bit daunting. Most of us here are well aware that cyber security demand is exploding; almost every report we read sort of underscores that urgency, that we need more hands on deck. But what if I told you that there's a hidden reserve force within our own organizations, that we can definitely look inward rather than outward?

So what is a security champion? It sounds a little bit cliché, but I want you to imagine a world where every team, be it development, product management, HR, even legal, has at least one person who wears the hat of security. These are security champions. They aren't full-time security experts, but advocates for security within a team. These are those colleagues of ours who can ensure that security is part and parcel of every conversation and every decision, and they serve as the first line of defense against security issues, sometimes acting as our bridge, communicating critical security messages, imparting knowledge and bringing us all up to speed on matters that count to the team. For me personally, I say they are heroes in disguise, because they can provide us with an impromptu force multiplier effect in security and in our organizations as well.

So you might be wondering, how do we uncover these hidden gems? The process, I feel, is pretty similar to discovering hidden talents in a fun talent show. But how do we really go about it? To build an army of security champions we definitely need a strategy that's rooted in attraction. It begins with outreach: not mandates, but inspiration. We want to be able to inspire our colleagues to look up at that poster and be like, "You know what, I can also wear this cloak, I can put that hat on." We can do this by performing outreach, organizing lunch and learns, bringing in guest speakers with fascinating stories of the cyber trenches. We can initiate email campaigns to spur interest, and then we observe those who lean in, those who ask questions, those who engage actively. These are potential champions. We have to change the security team's mantra to "I am here to serve you." I feel that if we're able to do that effectively, your team will be able to attract even more candidates to become a security champion. Keeping that same view, that you are all my customers, toward the rest of the organization in general is basically the truth. The golden rule here is to attract, not to force.

So now we've identified them. We've got a room full of brand-new cyber security champions and they are itching to learn all about cyber. What do we do then? What do we teach them? How do we even impress them? Well, I feel that the one thing we can do is to teach them what they need to know: nothing more and really nothing less. What do they really need to know, though, in their everyday jobs? Topics that are specific to our organizations, and the technical topics that they need for their daily jobs. For application security, this could be things like formal training on secure coding, threat modeling, how they fix the bugs. For the InfoSec team, this could be knowledge of the security policies that are normally relied on to answer certain security questions regarding your product, if you're a vendor. Allowing them to be submerged in workshops, hands-on exercises and real-world case studies, and letting them learn from seasoned professionals through mentorship, will definitely help. A well-informed champion, I feel, is definitely a confident advocate. We want to aim to empower those champions with knowledge and teach them exactly what they need to know to perform their roles effectively. Tooling is also very important. We have to be able to show them how, and what the output of the tools means: how do they validate results, how do they install and configure it? It is our job to help them pick the right tools, or involve them when we're choosing tools that would help them in their day-to-day tasks. Other topics for the InfoSec team could be knowledge of your ISMS and the security certifications and security white papers that your organization is involved with.

Well, a quick question here. I know you guys didn't come all the way to Newcastle to speak to a love guru, but who's ever read The Five Love Languages, or heard about love languages? Any takers? For those who haven't heard of them, they are a predictable pattern of how people respond to various acts of kindness. Someone's love language is the specific type of kindness that they are most affected by. Think about it for a second: how often have you done that extra bit because someone acknowledged your efforts? I know it happens to me all the time. I feel that that pushes me to want to do even more; not to seek that recognition, but the security of knowing that what I do has direct impact and is valuable helps my mentality a lot on a day-to-day basis. And our champions are no different. When we are creating the security champions program, it's very important that we ensure a balanced approach. This usually prevents the program from failing. So we want to make our champions feel appreciated. They are doing double duty without extra pay, so we need them to feel very aware of our gratitude. Gifts, words of affirmation, quality time, acts of service can all play a vital role in making our champions feel valid. Organize awards, maybe even gamify the learning process a bit, engage them in team-building activities, and, like I said, I can't reiterate this enough, always, always thank them for their indispensable contributions. I feel we want to make sure that they continue to contribute to our organization's security with renewed verve every day. A quick note: a note in the performance review always goes a long way. From personal experience, I know that adding that appreciation on the performance reviews on a quarterly basis does go a long way to show that gratitude and appreciation for the work that they do.

But creating champions isn't a one-time effort; it is a sustained initiative. To be able to sustain the energy in our champions program we need to foster an environment of effective communication. We need to open channels of communication and, in all our interactions, have open-ended conversations with our champions: have that informal chat over coffee, get their feedback through surveys, and most importantly make them feel valid. I might say that a few times, but they do need to feel valid to be able to give a proper output for our program. Their insights are golden, and they can definitely help to reshape our program and make it even more effective. One thing we do is we meet our champions once a month. We hold semi-regular lunch and learn meetings where we teach them something, like I said, that you want them to know, or sometimes they might even provide a topic that they want to specifically gain knowledge on. Pick up on that and arrange that seminar to impart that knowledge to them. We can show them training videos or even a recording of a conference. I hope someone's recording this to show their team in the future, but that would really hit home. We want to keep them informed of any changes, any updates to our security initiatives. We also want to be able to provide them with the necessary support to make sure that they are successful. This might include access to experts, technical resources and any other resource that they may need, even if it's just someone to talk to, to vent their frustrations. That could really be helpful as well.

We live in an era that's driven by data, so we have to measure our program's impact. We need to track those tangible metrics, like how swiftly issues are remediated in the AppSec world, what vulnerabilities have been uncovered by our champions. But, and this is really important, we have to try to avoid vanity metrics. What are the metrics that truly matter? Engagement, satisfaction, real contributions that fortify our cyber defenses. We should focus on measuring the program engagement: how many people attended an event, how many people reported issues to us, how many people asked questions. Focus on instances where champions have told us about a security issue that we wouldn't have known about otherwise. Focus on gathering stories of our champions saving the day, hyping some of those stories, the stories of them providing help to their teammates, or anything else that makes for a good storytelling session for upper management or whoever the stakeholders are. Hype them up in your Slack channels if you have one, because in our quest to build an effective security champions program, keeping track of these metrics that represent actual progress is beneficial. Like I said, we need to focus on engagement, champion satisfaction and their significant contributions on a day-to-day basis.

In conclusion, I want you all to envision a future where every corner of our organization sort of resonates with that ethic of security, where our security champions become the catalyst and the driving force behind proactive rather than reactive security measures. While we strive to define and focus our program, let's set expectations, but make these expectations realistic and flexible. Appreciate that every security champion is a key cog in the wheel of our cyber security function, and we would have an amazing security champions program. Some last-minute tips, though: keep every recording and saving of your group sessions for future onboarding and training sessions in the future. Use this to onboard new and potential champions. But also keep in mind that this isn't about a team or a specific individual; it's more about weaving security into the fabric of our organization, literally one champion at a time.

Just before I leave you all, as always I have a couple of resources, not too much. I always have to shout out Tanya Janca. I can't ever give a talk without mentioning her. I have a running joke that if application security was a religion, she would be Jesus Christ and her book would be my gospel. She kindled my interest in AppSec and all things cyber security, to be fair, and I have found all her resources to be very useful and insightful. I suggest you give her a follow if you'd like to learn more. OWASP needs no introduction. They provide free resources, sort of like a library of safety manuals, to help anyone interested in improving web application security. The objective is to make our digital city a safer place for everyone to live, work and interact. I've also found using them very useful, and I hope you will too.

Thank you all for your time. Sorry I've run over a little bit, but I'm confident that together we can harness the power of our internal talents and foster a robust security culture. I'd love to hear from you guys: what are your thoughts, experiences or any questions you have on building and empowering security champions in our organizations? Thank you so much for giving me this time. I appreciate you all.

Any questions? Can you hear from the other side there, by the way? I can. Does anybody have any questions they want to ask? Once, twice, sold. The man in the right t-shirt. Thank you so much for your time. So there's no questions on this side, but it was a fantastic talk. Thank you so much. I appreciate you for having me. Thank you.