It’s crunch time in the cybersecurity industry. For too long, many companies have remained unmoved by the increasing threat of cyberattacks, despite increased digitization of their products and services. Customer data is the new gold, and some organizations are leaving the door to their vault wide open.
In saying that, secure development is complex and not without its challenges, especially at scale. In my experience, it is an uphill battle to win over developers on secure coding and best practices. In the mind of a busy programmer working to achieve strict delivery deadlines, security is not a priority over feature development and function—it is instead seen as a tedious task that interrupts their creative flow. However, if we are going to ready ourselves in the battle against those who seek to do harm, this culture needs to change.
Marilyn Barrios is the senior cybersecurity training manager at Motorola Solutions, running the security training program for its team of more than 6,000 developers across the globe. Her goal is to ensure that those on the front lines of the company’s extensive software development are equipped with the knowledge, tools and ongoing training required to combat the growing global cybersecurity threat.
To accomplish this, Barrios created an impressive internal security culture, one that thrived not only from a core skills perspective, but also in understanding its paramount importance in overall software quality. Her people-first, positive approach engaged the development team, created excitement about security and morphed into something far more powerful than a simple compliance exercise.
“Ensuring that our products are secure is our highest priority. That’s why we’re working to create a culture of security-first thinking across the company—so people not only understand cybersecurity and why it is vital to maintaining a high standard of software quality, but are also excited to learn more,” she said.
With such a large development team covering multiple facets of the business, insight into each individual’s security knowledge and current skill level could be elusive and difficult to collate. Barrios sought to streamline this process, working toward a holistic solution that would deliver key metrics and relevant training in the languages and frameworks that were actively being used in the business while remaining engaging enough to be revisited—even for more senior engineers.
Marilyn and her team worked to implement an immersive, engaging training experience for their developers. Starting with a boot camp run by security superstar Jim Manico, the developers learned offensive coding techniques before playing in tournaments to test their defensive skills against the attacks they had just seen in action. This setup proved effective and eye-opening for the participants.
“In really diving deep into how cyberattacks can be executed, the team saw how easy it was to do a lot of damage at the application level,” Barrios noted. “By then practicing how they can defend against these attacks, developers’ eyes were opened to how they can help if they keep security a priority in their work. They enjoyed the experience and it was also beneficial for them.”
I was proud to see how well she and her team at Motorola Solutions executed a comprehensive, engaging and fun security training program that not only lifted security awareness IQ overall, but also helped to identify a new group of champions to keep the critical message of cybersecurity best practices thriving long-term within the organization.
It was also interesting to learn that the eventual winner of the tournament did not start the program as the most experienced and security-aware developer. The boot camp was instrumental in rapidly upskilling the individual, and the gamified aspect of the training ensured a high level of engagement and information retention.
“Our eventual tournament winner was so excited with the boot camp, and he was so engaged with the training tool. He practiced so much in a two-month period, improving so significantly, that he ended up winning the tournament,” Barrios said. “From there, he recruited even more champions, piqued their interest in security and helped them along to become advocates in their respective groups.”
Barrios’ broader goal of creating a strong buzz that encourages an organic security culture to grow within the company is certainly on track.
Gamified training, team events driven by tournament initiatives and the incentive to keep engaging with AppSec have resulted in something very positive: Developers not only are working to have a better understanding of security, but also actively seek to uphold company best practice initiatives day to day.
Motorola Solutions saw measurable improvement when using tools and training compatible with the creative, problem-solving mindset of many developers, enjoying a training participation rate of more than 90%, with security accuracy increasing 24% across the global tournament that followed. Its internal security champion program has also seen immense support, growing by more than 1000% in the last 18 months. The company currently boasts 173 champions across its various product lines and will double that again over the next year. It has set a goal of at least one champion per scrum team—an initiative that holds incredible value in continuing momentum and spreading positive security influence across the organization.