How do you build good, secure development practices into the DNA of a company with over 40 different business units, an incredibly diverse set of product lines, and employees distributed around the globe? One of the things you need is a virtual community of sharp, knowledgeable people who understand network security and secure product development (and testing), and who can share and evangelize that knowledge with their peers, their colleagues, and their management.
That virtual community is a reality at Cisco. Today, the Security Advocates program numbers over 100 members from 40 different business units, representing diverse product lines ranging from small SOHO devices to core routers and switches to SaaS applications. Testers, tech leads, developers, and architects learn together, share their knowledge and expertise with one another and with their business unit colleagues, and provide valuable feedback to centralized security teams. In a decentralized environment like Cisco, this is an incredible boost to the time-to-adoption of new secure development tools and processes.
Security doesn’t “just happen.” It takes dedicated voices to get and keep development teams focused on producing more secure products, especially when resources are focused on other, often more marketable customer requirements. Product teams inside Cisco show their commitment to security by designating a security advocate for their business unit. Bringing that message inside the development teams literally brings the information “inside,” with insider credibility from someone who understands the peculiarities, design features, history and market segment for a particular product — a major win when working with widely divergent products, markets and business realities.
So what do we get? We get informed, passionate, security-aware developers and testers throughout our business units, leaving a wake of secure development practices, improved tools and testing, training for their peers, and fewer vulnerabilities in their products. The business units stay in tune with the centralized security teams, and have contacts to go to when they need answers or need to raise issues. Similarly, the centralized security teams have contacts within the business units whom they can leverage when they need information about a product or need to provide information about a vulnerability. The Security Advocates get to expand their knowledge and expertise, and gain recognition from their management and peers as well as from executive management. And customers get more secure products and more secure networks. It’s a win/win/win/win situation for all involved.
Like the network itself, the Security Advocates community is a distributed system that permits the flow of knowledge and experience through the company, and leverages expertise in product security for greater impact and scope. The work of the Security Advocates is helping us to build more secure products so that our customers’ networks can be more secure and resilient. At the end of the day, that’s really what we strive for.