The Cisco Security Dojo
Over the past three years, Cisco has invested in the creation of an application security awareness program. The program helps the good citizens of this company understand, apply, and act upon a strategy to build more trustworthy products. We launched the existence of the program to the world at the RSA Conference 2015. I am sharing this with you because we’ve created something unique to the industry, and we want to encourage other companies to pursue the creation of an application security awareness program.
When you think about security awareness, do you envision phishing e-mails, Nigerian princes, and tailgating cyber criminals? Security vulnerabilities are a fact of life, but we can help our organizations develop a greater level of understanding and a desire to put security first in their development efforts. At Cisco, we believe that security awareness training should feature traditional training about crazy links you should not click under any circumstances and how to stop strangers from entering your buildings, as well as application security awareness. Application security awareness, when done well, can drive security culture change to make a company and its products and solutions safer. Moving an organization to focus on security is possible, because we have done it.
Enough talking about it, please take a sneak peek at how we do it here in this video.
So let’s talk about culture. Our principles of trustworthiness, accountability and transparency drive our security culture and we’ve been working hard to train our people about security and build awareness about the basics—and even the more deep technical aspects—of security, and our culture has really started to shift as a result.
The first step towards any culture change is awareness. Starting with the basics is a good place to start. If an engineer is unaware of the definition of the word “exploit,” how could they possibly understand the concept of an “SQL injection?” While we’ve done a great job of building awareness and helping a lot of people inside the company to understand the concepts of cyber security, we are certainly not perfect and we haven’t have eliminated all possible vulnerabilities in our products. Not a chance. But our teams do have a greater understanding and a desire to do what is right for our customers’ safety, our product and solutions security, and the safety of our company.
We see the security culture of an organization like a wave in the ocean. Empowering each team member with knowledge and application for security adds a small amount of wind pushing that wave forward. With enough wind (and enough change), the wave becomes a tidal wave.
We built Cisco’s security training program by wrapping it metaphorically around the concept of martial arts training, where students gain new belt colors as they develop new security skills and knowledge sets. Wise and experienced Cisco subject matter experts with higher-level belt colors guide the developing students in applying their new knowledge to real-life product development.
In this program, we first help students build a foundation of security knowledge. When they attain this, they get a Cisco Security White Belt. Next, we help them layer role-specific knowledge on top of that to achieve the Cisco Security Green Belt. The final step in culture change is guiding them to apply their skills and to act by positively changing the state of security in a product, solution, or service. At these higher levels, users become Cisco Security Blue, Brown, and Black Belts.
The four core tenets of this program are content, recognition, metaphor, and fun.
Any awareness program is defined by the quality of content. If content is bad, nothing else about the program matters. Our approach was to create engaging content using an interview / talk show format. We have a small group of experts and a host, and we discuss security topics. There are no scripts and there is limited editing. We are real people talking about real security and sharing our experience.
The second tenet is recognition. People like to be recognized for their success. This program, as we just mentioned, uses the belt system to provide learners with continuous improvement targets. They see the journey from white belt to black belt, and the desire to attain the next belt drives them forward.
We use metaphor to make these training sessions funny and engaging. The use of humor lightens up discussion security topics. We spoof different movies and commercials with a security twist and we even add animation and cartoons to vary the medium and keep users anticipating and waiting to see what might come next. All of these things contribute to making security fun.
Fun is the last tenet, and it is part of everything we do in this program. We figure that if we are having fun creating the content, it will be fun to engage employees to learn. We’ve all had boring training before, where we daydream about being somewhere else. Our students love it and we’ve received great reviews. (I must admit that making these training videos was an absolute blast.)
I have a huge passion for using application security awareness to improve how companies build trustworthy products. Share in the comments how you are approaching this problem of making your entire organization aware of application security.