Experiences running a cyber security champions network

  • priyankaraghavan
  • Aug 4
  • 4 min read

When the opportunity came to lead the cyber security champions network as chair and co-chairs, we grabbed it with open arms. I was pointed to a book called “Cultivating Communities of Practice: A Guide to Managing Knowledge” (O'Reilly) and started reading it so that I could take on this job with enthusiasm, armed with some knowledge from the experts. The vision was to build a strong community of practice united by a shared mission: to elevate cybersecurity across the company I worked for. This blog outlines some of the steps I took to bring that vision to life by fostering a network of security-minded practitioners.

Quality is often the defining factor between success and failure—it keeps users engaged when done right, and drives them away when neglected. In cybersecurity, poor code can be exploited, just as misconfigured networks can open doors to attackers. That’s why cultivating a culture of quality is critical.

My goal was to bring together a group of like-minded individuals who champion security best practices and embed security awareness into every stage of product development—creating a ripple effect of quality across the organization.


Driving Engagement

One of the chapters in the book Cultivating Communities of Practice is titled “Invite Different Levels of Participation”, which I tried to put into practice. The first thing the group did was find a way to get everyone to participate by having working groups on selected topics that would be of importance to the company we work at. We felt this would be something new and hence decided to implement it. The thinking was that smaller working groups would be a way to get more engagement. It was also an effective way to drive change or contribute to the products that mattered most to the community.

Based on this, we settled on the following topics for our working groups:

1. Secure coding standards

2. Passive Recon

3. Inner-sourcing

4. Centralised Security Pipelines


Some thoughts on the working groups

Engineers are, in general, the less talkative people in any organization. How does one drive engagement with such a group? Though it’s not great to put people in boxes, it’s also good to know your audience based on historical data. Some of the questions we had as chairs were:

  • In general, when we meet in our communities, most of the participants are not asking questions or raising their hands. Is it possible that the groups are too big?

  • Are our engineers afraid of failure?

  • Is there a culture difference between the various locations?

  • Or do our engineers see the communities as a way to get away from normal work for an hour and try to learn something, while constantly being pressured to deliver features?

All of these things were on my mind when we tried to split into working groups. With trepidation, the journey started. One of the groups was on secure coding standards. The group comprised developers with a shared interest in improving secure coding standards across the company. They used a Miro board to come up with ideas on what a standard should look like. Interestingly, most people voted for having the standard point to links to OWASP standards instead of being a static document. Secondly, a common complaint was that every language is different and the idiomatic expressions and grammar change, so running a tool that finds these newer variants would be better than a static document.

A lot of the group did not want to end up like the xkcd comic that was shown here (image not reproduced on this page).

One of the big challenges in the group was that after the work was done by some enthusiastic champions, whether it would actually be used within the organisation was unknown. As a result, the enthusiasm the group started with fizzled out towards the end. For working groups to work, one needs a shared vision to keep the motivation going. Some observations from all the working groups: initially there was excitement to start the work; as the weeks progressed, fewer and fewer participated; quickly we had what we needed for a plan of action, and then it all stopped, as no one seemed to want to help with the actual actions. This led us to wonder whether our engineers are so deep in thought about their own deliverables that it hinders collaborating on shared projects outside their day job. Do you need committed individuals to drive a working group culture?

Moving from working groups to topics of interest

After two months of working with working groups, we got feedback from the community that the working groups were not really “working”. Not having a vision of what came next, or of how the output of a working group would be consumed, gave rise to a sense of frustration amongst some members of the community. This made us run a survey with the community on what they would like us to do next. The results of the survey told us to switch back to community-led talks for greater learning and engagement. Armed with this feedback, the chairs got together to come up with a list of talks and areas of interest to feed to the community; the topics and areas of interest also came from the survey. Though the survey showed that the activity or engagement level was average amongst those who took it, many preferred community-led talks to working groups. Thus we ended up going back to Champions Series talks, and engagement levels were also trending upwards after the Champions talks series.

Conclusions

The meetup slowly picked up steam and we now have regular meetups every two weeks with more than 30 individuals joining the call. Sometimes one does feel happy when champions reach out to us asking for a recording of a talk, reporting unsafe code, actively talking about security testing of APIs, working on CVEs together, or even volunteering to do passive reconnaissance on assets. This shows that there is success in the objective of driving security best practices and security awareness. I would like to end the blog by referring to the OWASP champions guide and the champions manifesto.


There will be highs and lows but if you have the patience and keep at it, your champions program will be the secret defense in your cyber arsenal.

© 2025 By Priyanka Raghavan