Diana Initiative 2021-Tanya Janca-Building Security Champions

Jul 21, 2021 04:01 · 9455 words · 45 minute read

Building Security Champions, Tanya Janca

MARGARET: Also known as SheHacksPurple. Tanya is the founder of We Hack Purple, an online academy that creates software that just this week announced working with the application security project to provide free access to the level one course on We Hack Purple for all OSS members. If you’re a member, don’t miss out. She’s the best-selling author of Alice and Bob Learn Application Security. And a startup founder and pentester, CISO, software developer, speaker, blogger and streamer.

This track is brought to you by our sponsors, iNE eLearn Security, Axonius, MongoDB, Juniper Networks, Corelight, Google, We Hack Purple also in the talk, and BridgeCrew by Prisma Cloud. Today we are having Tanya Janca talking about Building Security Champions. If you want to know how to select champions or how to make best use of them, you’re in the right place. This will help you attract people to your program, how to engage them and turn them into security advocates, what to delegate or not delegate, what to communicate and how to create an amazing security champion program.

Without further ado, here is Tanya Janca.

TANYA: Hi, everyone. I’m Tanya. I’m going to assume that you can see my slides. If you can’t, you’ll tell me. Because the way PowerPoint works, it covers up the way we’re streaming.

01:49 - I want to talk about building security champions. The reason we build security champions is because we want to scale our programs. And thank you, Maggie, for introducing me. I forgot to say thank you. So, basically, we’re going to talk about scaling your security team and scaling your program. Because there’s just not enough people. There’s just not enough people to do all of the jobs. Like who here has enough money and enough people and enough tools to do all the things they wish they could? There’s not gonna be any hands that go up.

Because security teams are vastly outnumbered. GitHub just released a paper I think last month about how security people are outnumbered 500 software developers to one. 500! So, we can’t just work harder, we have to work smarter. And we want to scale, and that means, like, being able to do way more things, but with the same resources, and that’s what we’re gonna talk about. We’re also gonna talk about what the heck are security champions? What is Tanya even talking about? And how we can build them up.

So, sometimes I have seen places where they’re like, you were late to the meeting, you have to be the security champion. Guess what? That champion’s probably not going to be very good. So, we want to talk about better ways to do things. So, we’re going to talk about our recipe. So, we’re gonna follow this recipe and break this down one by one throughout the talk. I’m going to repeat it and come back to it. And you’re going to be totally sick of the recipe at the end.

The first thing we’re going to do wrong button. Wrong button. Okay.

03:27 - First thing we’re going to do is we’re gonna recruit. Engage them. We’re gonna teach them, talk about what to teach them and how. We’re gonna recognize them amongst their peers, amongst management. And then we’re gonna reward them for their awesome work. And lastly, we’re gonna keep on doing it. We don’t stop. We don’t want your operation to languish and disappear and evaporate. That happens easily. Maggie did a better job of introducing me than that slide.

But the idea of the about me slide is to try to show you that we’re qualified to give our own talk. I’m going to assume, yeah, she seems fine. I’m willing to sit through this. Awesome. So, the problem. Whenever anyone gives a talk, you have to introduce the problem. And some of you probably super acutely feel this problem. And some of you are probably maybe like less aware of the problem. Depending on what job you have and if you’re in management. So, I don’t know if you saw the previous presentation on this.

I was watching and they were great. And they were all leaders.

04:38 - So, all of those amazing women like Ann Johnson, I’m gonna say InfoSec, I follow her online, Tracy, all of them have led lots of teams and people. They’re well aware that there are not enough applications for people to go around. We have tons and tons of software developers constantly just doing amazing things all day. Like building things, creating things, designing, architecting. Debugging, fixing, repairing. Et cetera. Tons of stuff. And then you have, you know, one security person for all 500 of them.

05:15 - Also, hiring a security person is really, really hard. Hiring them and keeping them is hard. All of those people in the previous panel can definitely tell you that first of all the marketplace right now demands tons and tons of money for an app sec professional.

05:32 - They pay very well. But it’s hard to attract them and get them to work with you. Especially if you have legacy applications. Which lots of us do. Lots of everyone, I want to work on the cool, cutting edge new thing. And so, if you have older systems, those probably have more security problems and it’s even harder to attract awesome security people to your team. So, to fix this problem, one way that I am suggesting so, there’s a bunch of ways that you can work on this problem but the way I’m going to dive into in this presentation is specifically building a security champions program where you train up lots of people that aren’t on the security team to do some of the security jobs for you.

And they still do their jobs full time. But on top of their job, they do a bunch of extra things that magically make your job and life way better. So, let’s talk about scaling your team and your program.

06:30 - So, we know there’s not enough people. So, we have to scale. Right? And I thought, like, working out and lifting weights was a good analogy for security champions. Actually, let me tell you what they are first. So, I’m gonna read a super professional, formal sounding definition. Then I’m going to give you Tanya’s definition. That’s how I am. A security champion is a member of a team that takes on the responsibility of acting as the primary advocate for security within that team and acting as the first line of defense for security issues within that team.

Meh. So, instead, plainly, it is the person that is most excited about security. It’s the person that reads the book, that fixes the bug.

07:15 - That asks all the questions every time. That’s your champion. And so, like, what do they do? What if people are like, a security champion, that’s a nice word, what does it mean? So, this person is your communicator. They deliver security messages to each Dev team. They teach, they share knowledge, and they help. This person is your point of contact.

07:39 - So, they are your representative on the team. They deliver messages about security. Like they deliver messages back to the security team. They keep you up to date on what matters from a security perspective. So, that you are ready. And they are your advocate. So, they perform security work for their Dev team. And they help like they use help from your team. But they also advocate for security. So, they are that person that’s in the meeting that like you can’t make every meeting that’s happening across your entire organization.

08:08 - So, they are your voice. They are the person saying, you know what? I don’t know about this from a security perspective. Like, I think we need to invite a security person to this meeting. Or I learned about threat modeling and I’m seeing this threat and I want to tell you about it. So, a security champion does a lot of stuff that’s, in my opinion, very, very valuable. So, let’s talk about building security champions.

08:35 - Because so, they’re talking in the last session about like are leaders built or are they born? Well, security champions are definitely built. No one comes out of the womb and they’re like, I already know application security. That’s not a thing. Just the same as no one can come out of the womb and be like, I know how to code. But that’s okay. Because we can build up someone to be able to do this. Especially if they’re interested. So, again, this is the recipe.

And we’re gonna go just through this over and over again. So, we want to find people that are interested and then build them up. Build up their skills, build up their confidence, their engagement, their interest. And then and then keep doing it. And they will just magically you know like how bees just go around like gardens, and they just magically pollinate everything? But you can help the bees by planting like certain flowers or certain things that make bees show up and do their awesome bee magic.

It’s kind of like that. I garden a lot. Okay. So, back to the recipe. We’re gonna start out recruiting your champions. So, we want to talk about recruiting people. And so, the number one rule in recruiting is, please don’t voluntell someone to be a security champion.

09:49 - So, like you’re late to the meeting. Or you’re our weakest Dev. Or we want to punish this person. Or we just give it to the senior tech who is super, super busy. Who feels that this is just another responsibility they don’t have time for? That’s not gonna work very well. We’re not gonna get the results we want. Whenever possible, you want to attract the right people instead. So, I have a number two rule in recruiting and then we’re going to talk about how to recruit them.

So, number two is managers have to be on board. So, if managers are like, you’re wasting my team’s time, they’re not gonna give them time to do the work. And that’s going to be a conflict. And you want your manager to be happy. So, you need approval from top down. I have done it without approval from top down. And like, it just went a lot slower and on some teams I couldn’t get a champion. And when I eventually got approval from the top down, it was like off to the races.

Life is a lot better. You definitely want managers to be on board. And the people aren’t secretly doing the work without their manager’s knowledge. It’s much better that it’s all legit and aboveboard.

11:04 - Okay. So, let’s recruit some people. Like I said, we want to ask for volunteers instead of appointing people without consent. Consent is really important in all parts of life.

11:16 - We want to provide opportunities for them to reveal themselves. And so, this might sound weird. So, some people, they don’t know they want to be a security champion. And some people, it turns out, you can strike this passion within them that they didn’t know they had. And spark this interest. And so, ways you can do this, it sounds so silly.

11:36 - But one of my clients, they just changed their email signature to say that they were looking for security champions. They’re like, I’m looking for security champions. Is this you? Ask me how. And they found two champions that way.

11:51 - And so, I have been advising lots of other people to do it. It gets very interesting results.

11:55 - People reply to your email, ask questions. Other ways we can attract volunteers are having lunch and learns or trainings. Anyone that asks questions or attends almost all the events, that person is an awesome potential champion. We want to use interesting titles for anything we can to attract more people. I remember the first presentation I ever did at work, I emailed everyone, and I said, I’m gonna break into a bank at lunch. Who wants to watch? And a bunch of people are like, what? And then I showed them a vulnerable web app that was a banking web app.

And I explained it wasn’t a real bank. And then I showed them how I got in. And then with that information, showed them how we could protect our apps.

12:39 - And it just got a lot of people kind of curious. And then I got more people at the next presentation.

12:45 - So, and another thing, having my mantra, it’s my job to serve you. Devs are the customers.

12:54 - The security team, it’s our job to serve you. When you kind of flip it on its head like that. A lot of security teams are like, you have to do what I say.

13:04 - That doesn’t work. First of all, like, we’re all adults. And we’re like, I don’t want to be told what to do. I don’t want someone to just boss me around. Instead, if questioned, say, listen, it’s my job to help you do your job securely. I serve your team. I serve all of the Dev teams and I do this by giving you tools, I do this by writing documents, I do this by answering questions and giving the best advice I possibly can by researching things for you.

13:32 - And when you change that wording and your mantra and the way that you talk to Devs, that will help you recruit a lot. So, now that we have some people that are interested, we’re gonna start engaging them. And just so you know, when you start engaging people, that’s gonna help you recruit more people. It’s kind of awesome. It’s like a circular sort of thing where you just keep feeding and finding more people, the more awesome your program is. So, let’s engage some people.

So, the word “engage” can mean to occupy, to attract or involve. We want to do that with the Devs around security activities. But we also want to do it the other way. So, we want to participate or become involved with what they are doing. So, if they’re doing a project, you know, we want to say, like, do you need help with that? Like, can I come and do a threat model on your architecture design? Or, you know, can I scan your code? You want to be involved with what they’re doing as well.

So, to engage. I cut this to only two slides because I’ll just be like, ah… all day. And there are other presentations. So, one thing you can do is bring them on a software related security incident. Assuming that you don’t work in a top secret government environment or something like that, you can probably bring them on an incident that has to do with software. Especially if it’s their software. And show them the fire that you are fighting. I went on a security incident.

And after that I became an incident responder and was totally obsessed with IR.

15:08 - Share appropriate secrets. I once, with my boss, this was my boss’ idea and I was dead set against it. He was like, we have to do this. He was right. I was wrong. And we brought a bunch of Devs in. We had this one Dev team. They didn’t want to do anything with security.

15:25 - They were like, you’re wasting our time. We got to deputize them. Raise your right hand and not tell anybody outside of the room. We explained the concept of need to know and about a huge, awful security incident to do with one of their apps. And another security incident that was leaking employee data by accident. Not leaking it. We had some malware, and it might have. And we told them how it affected the employees in their personal lives. Well, not specifics.

But generalization. And so, from that day on, they were our warriors, they were amazing. They were leading the charge. They were so awesome.

16:12 - We want to let all your champions see everything first. If there’s a policy, if there’s a new tool, if there’s changes or information or anything that you’re planning, always tell them first. It makes them feel engaged and special because they are special. Create a mailing list to tell them about new security stuff. Or if you listen to a podcast and it’s actually really, really good and you’re like, oh, this is like a security podcast, but it’s totally about Node.js and there’s these three teams doing that, send them an email, tell them about it. All those things make them feel engaged and they matter to you. And it’s really important they feel like they matter to you. Because otherwise you will lose them.

16:53 - I want to meet with them once a month and have like a list of questions. So, like, what are you working on? What are you planning on working on? Do you need any help? You want to brace yourself for bad news and play it cool. So, I have had people tell me about security things. And then I freak out. And that does not give me the results that I want.

17:14 - And so, I’ve learned to remain calm. And when, you know, a Dev says, if we encode something twice with Base64, is that the same as encryption or is that kind of different? Be cool. And it will go better. Be cool and calm. So, team building events. And letting your security champions know each other. That’s super cool. A lot of them really appreciate the chance to talk to each other so they can talk about security things with each other.

17:44 - Yes! Win! And I like to always invite them to join local security communities. So, I used to live in Ottawa, and we had an amazing huge vibrant chapter. I would invite them, we’re having a CTF next week. Do you want to come? We lived walking distance from where the meetings would be. A group of us would actually walk together and that was awesome.

18:11 - Whatever you can do to make them feel engaged. So, now teaching. What are we gonna teach our champions? There is a lot to teach them. Okay. So, I feel it’s very important to only teach them what they need to know and not teach them more. Oh, my gosh. So many companies that I consult with, they’re like, oh, well we’re gonna give them this advanced network penetration testing course. Oh, yeah. Why? Do they write advanced network security tools? No, they just write web apps.

Why are you teaching them that? That is a bunch of crap they don’t need to know, and they’ll never, ever practice it as part of their jobs. Which means they’ll lose the skills almost immediately. Well, it’s cool. Do you think it’s cool? They’re Devs. They might think Dev stuff is cool and not hacking stuff.

19:04 - I’m not saying none of them will think that’s awesome. Some places they like to. But I feel that it’s really important that if you are going to teach them stuff, teach them what they need to know. Software developers have to know a bunch of different programming languages, frameworks, one or more database, they have to know servers, deployment, all this stuff.

19:25 - There’s so much stuff they have to know, don’t fill their brains with extra stuff. So, what you need from them, what you expect from them and what you want from them as champions is the core of what you need to teach them. So, anything they need to know in order to do the things you want them to do, you got to teach it to them. So, I’m gonna give you three topics. And then we’re gonna drill down on each of those topics of things I think you should teach champions.

So, secure coding and secure architecture. Your policies that affect them. So, not like general things like, you know, don’t bring your home laptop to work and plug it into our network. But things that specifically involve the Devs. And tooling.

20:06 - So, any tool you expect them to use, know, or see the results of, you want to teach them.

20:10 - So, for secure coding and architecture. So, you can give them formal training on secure coding with labs. You want them to have some hands on action there. You want to teach them threat modeling. And eventually, you want them to be able to do threat modeling themselves. Every time you do a threat model, you want to have one of your champions there if at all possible. Security architecture. So, like whiteboarding out what the architecture looks like for the system.

Asking questions. Invite them every time that you can. Code review. So, you want them to be able to review their peers’ code for a potential problem. So, maybe they’re the person that approves pull requests.

20:53 - Or maybe they just approve some of them. But if you have at least one person on the team being able to spot security problems, that is A plus awesome.

21:03 - How to fix security bugs that they find. Or that you send them. So, anything you can do to teach them the common bugs and what to do, that’s awesome. And I suggest repeating at least secure coding every single year. Things change. People forget. Just it’s a lot of information. And so, every year and if you happen to be a company that handles credit card information, you actually, to be PCI compliant, have to repeat secure coding every year. I realize that’s one of the things that I teach.

But as someone who was a Dev for 17 years before she worked in security, trust me. Refreshers are good.

21:41 - Okay. So, your policies. So, you want them to know which policy standards or guidelines apply to them and you want them to know them. Because they’re gonna talk to other people on their team. And you want them to be able to answer questions. And it’s like, well, do I really have to use parameterized queries? Yeah. You do. And so, if you have them saying that, then you won’t have to repeat it 400 times a day like I do.

22:09 - You want to help them create missing guidelines. So, let’s say you work at a company and they’re just starting to do serverless. So, one of my clients that I consult for, they have like one or two serverless apps. Awesome! So, we wrote a best practices document for serverless to share with the Devs to try to help. We would really like to see this, we would like to see that. Please, please let us come to a meeting with you for architecture review.

22:35 - Let us do this, let us do that. And so, helping them create any guidelines that are missing.

22:40 - So, like, first of all, secure coding guidelines. Secure design concepts that you want them to implement. API best practices, et cetera. So, like, we expect if you’re using APIs that if they’re external facing, they will only be available via an API Gateway. This is the API Gateway we use. This is what we want. That’s fewer mistakes to clean up later. Teach them how to be compliant with your policies. Give them a workshop and give them hands on things.

I’ve had a lot of people say, well, you’re a professional trainer. So, you’re good at making training. But I sucked. I was awful when I started. It took a long time to get good at it. But the Devs still came and learned. You don’t have to be an amazing presenter. Just try your best and be honest and open with them. And always be open to questions. And if you don’t know the answer, just say: I don’t know. But I will get back to you on that. And write it down and get back to them.

23:46 - And like just those things. People will be engaged. Like people want to learn. Devs want to make awesome software and awesome software is secure software. So, like, trust me, you don’t have to be a great presenter. I was a really crappy presenter. So, you want them to know what their role is during a security incident. This is super important. I want all the Devs to know. But if you can’t get time with all the Devs, just telling the security champions, like, listen, if there’s a security incident going on with your app, please don’t just go home for the day and not tell us partway through.

Or like bring a pager because apparently it’s 1990. But get their cell phone number or something in case you need information from them, et cetera. Don’t run around and tell all your Dev friends, et cetera. What is need to know. I’m a big fan of letting them job shadow me on things they’re interested in. I ask what they want to learn for their jobs, and I let them shadow me.

24:47 - Yeah, I’m going to be using this static application security testing tool all day reviewing code in this really ancient legacy app and it’s going to be a dumpster fire. Do you want to sit with me for four hours? I’m just going to validate results, so they know how to validate their own results. Sure, let’s have a job shadow session. And hold consultations. To help them to let them provide input on policies that will affect them. First of all, you want their super awesome ideas and feedback.

Second of all, you want to make them feel valued and heard. So, it’s always awesome to hold consultations.

25:24 - So, next, tooling. So, custom training on tools that you expect them to use. What does the output mean? How can you validate the results of those tools? How to install and configure those tools? Help them select the best tools. If you want to be part of the concept, be involved. Lunch and learns or hackathons. You want them to be the expert on their team about the security tools. So, coaching, a style of teaching. So, I believe this kitty is a Jedi and people just don’t know.

And so, I believe that when people coach or mentor other people, that they’re truly in a class of their own. Giving knowledge.

26:08 - I have a lot of respect for really senior people that just share that knowledge down to make sure that they will have a successor. I have been the beneficiary of that many times in my career. And so, I personally think, like, mentoring and coaching is extremely important. So, coaching means enabling individuals and teams to reach their full potential. Okay. So, we want to facilitate them, like their needs, their motivations, skills and processes.

But basically, we want them to make real lasting change. And in this case, we want to put the security bug in their brain so that they can’t stop seeing security things. This is what happened with me and then look at me now.

26:51 - Now I do security full time. If we want teams to start practicing a secure system development life cycle, you need to support them in getting there and that is coaching. And if we want our security champions to constantly reinforce the security team’s values and evangelize, we have to coach them and be there for them. And so, how can we coach? So, besides being a kitty and then giving it a light saber, for champions, we can set up office hours.

27:21 - So, every Friday, 2 to 4 I have a Zoom meeting open. Or if you’re in person, you’re like, I’m gonna be in my office. I’m not going of it meetings. Chat me up. I would love to hear what you have to ask. Set repeat meetings with your champion. Once per month with your champion. Check in with them, ask them what are you working on? What are you planning on working on? Do you need any help? Help them prioritize security activities or bugs.

27:45 - Be available to them whenever you can. Help them set goals and then help them achieve those goals. And it might be a learning goal, a bug fixing goal. It might be my team manages eight apps and I want this tool in all eight pipelines so I can, you know, master this one part of security. Teach them specific skills or tools that they’re interested in.

28:12 - And ask them what they need and then provide it. When you do that, you build trust. And that’s what you want. And that’s what you need. Because a security person’s eyes can’t be everywhere. And our tools can’t pick everything up. And having a Dev that believes in security, that understands its importance and really takes that to heart in every meeting it’s amazing! That person will say, oh. What about if this happens? Or, hey, I heard that this framework’s more secure than that framework.

What about this one? Like, just it’s magic, them asking a question or making a comment. And that Dev is their peer. It’s not an external person. Like from the security team coming over and being like, ah, security dogma. It’s one of their friends. It’s their colleague. It’s their teammate. That person’s opinion really matters to them. And so, us being able to do anything to coach them and help them succeed and be knowledgeable and know the answers, leads to them doing those activities that we need them to do so much.

29:20 - So, I want to have a special note on delegation. So, some things should not be the responsibility of the AppSec team. When I moved to AppSec, I did a lot of things that I shouldn’t do.

29:32 - There’s not enough of me. Not people. I was a developer for a long time, I would fix security bugs. Don’t do that. Don’t update frameworks, plan releases. That’s their business. Run every single scan, implementer. The list is endless. And not all the security work is your work. And first of all, don’t step on the Dev’s toes. Especially like the Dev manager in assigning who does what bug. Be very cognizant that you’re not stepping on their toes or making them feel like they’re a parent telling them what to do.

30:15 - Another thing, there’s some things we should not delegate. So, I am a firm believer that we should not make them validate static application security tool results. Until we’ve given them training on it. It’s really important. I have just seen this in so many places. And the Devs will just disable the SAST tool because they have crap to get done and there’s lots of false positives and they’re like, it’s written in another language that I don’t speak.

30:41 - It’s really important you give them training before you expect them to do anything like that. Giving security approval on anything. Only your team can give approval. Using new tools without proper training. Training new champions.

30:56 - We want a partnership. We do not want replacements for our team. So, it’s really important to give them a limited list of things you expect them to do. And then pump them up, train them, give them everything they need to be awesome at those things. And, you know, these other things are in the AppSec team’s realm and that’s what we do. It can be a slippery slope sometimes. So, next we want to recognize our champions.

31:22 - It is important to recognize them. We want them to know that they’re doing a really good job. And we don’t want them to feel like they’re trapped doing two jobs and only receiving one paycheck. We do not want them to feel like this kitty. So, I only have two kitties in this presentation. I felt like that was okay. But it’s really important that they feel good about their efforts. That they feel like we notice, feel like we value them.

31:51 - Not only the security team, but the management team that manages them. And so, we don’t want them to feel like this kitty. So, things that we can do. So, some of these things you might think, well, they’re not in kindergarten, Tanya. They’re not gonna, you know, they’re not gonna like this. Well, actually, all these things definitely work on me and I’m definitely an adult by now. Creating a certificate that says I’m a security champion and putting it on their wall.

This is something their peers will see and recognize. Oh, cool. That guy’s the security guy. I can ask him stuff. Oh, yeah, she’s our champ! Awesome I’m going to see if she can look at my design. Yes! You want that person to have their peers know who they are. You want to recognize them in front of their peers. So, a lot of stuff is virtual right now. So, you can actually make a custom virtual background that says, I am a security champion. It can have a bunch of arrows or stars or whatever you want.

You can put a star next to their name in Teams or Slack, whatever you use for chat. There’s lots of different ways. Another thing that’s important is put a note in their performance review that says how valuable their input was and their participation was. Because you want a permanent record that they are awesome. This makes them feel good.

33:11 - It helps them if, you know, you work at a place where there’s bonuses or promotions, et cetera. You definitely, definitely want to put a note in their performance review.

33:21 - You want to tell their boss every time they do something that specifically is awesome, write the quickest email ever to their boss to say, you know what? Janet was awesome.

33:30 - She told me how her team was doing this thing and she was concerned and so, she invited me to a meeting so I could give them a bunch of different options that were less risky.

33:39 - If she hadn’t brought that to my attention, it could have been 6 or 8 months before we noticed that. I wanted to let you know that Janet totally rules. Send them an email when they did something. Make sure they know you noticed and you value what they’re doing.

33:58 - Make the role on their team clear to them and their peers. Again, that could be just acknowledging them in a meeting. Oh, and this. I don’t always think about cybersecurity.

34:09 - But when I do, it’s usually too late. The most interesting man in the world should think about cybersecurity more often. So, let’s talk about rewarding people. What can we do to reward our champions? I’m a big fan of reinforcing good behavior instead of punishing bad behavior. And so, I’ve heard people say like, Pavlov’s dog. Like they would ring a bell, they would get a treat. And, you know, it sounds weird. But if we constantly reinforce like good things and recognize good things they do and reward them, they’re more likely to keep doing those things.

And so, not everyone has a budget. So, I worked in the Canadian government for a long time, and I was not allowed a budget to buy things for people. But I kid you not, I would bake cookies and cakes. I kind of like baking. I’m gluten free. So, I often do gluten free baking. But that still tastes good. I’m pretty good at it now. And so, I would just bake cookies and be like, hey, I’m going to bring these to the lunch and learn, if y’all come to the meeting.

It sounds weird, but that really did it. Another thing I used to do I had security champions and it was their job to scan their app and fix all the criticals and highs before they sent it to QA and then eventually it got to me. I was like, listen, if you send it to me and there’s highs and criticals in the automated scan in Zap, I will come to your desk and make fun of you. Which I never really did. Hey, we have some they were like, I ran out of time.

We came up with a reward. This is going to sound really silly, but my reward was a high five. We worked in an Office 2.0. I hate Office 2.0, for the record. It’s so distracting. For this, it was great. There was this senior executive that was talking to my boss, and I got an email. Oh, okay. I saw that the scan came up and it was good.

36:10 - And so, I was like, just one sec. And I ran across the floor and, Stefan, you passed the Zap! Really high and loud, high five. All the other Devs saw that he passed his test.

36:27 - I trotted back to my desk. My boss said, what are you doing? AppSec. It sounds silly, but that public recognition, Stefan passed every Zap. He became our secure code librarian.

36:47 - Positive reinforcement really helps. Things you can do besides high fives. Security related gifts, books, videos, training, CTFs, subscriptions, community subscriptions, all those things. Awesome. So, I, like if, you know, they program in Java, hey, here’s like five different books that I thought you might like. Would you like to pick one and I’ll buy it for you? Because I would like to say thank you for the big efforts that you’ve done. Giving them your time and attention as a reward.

Took me a long time to realize that. But you’re giving them your undivided attention. Coming to their desk, turn your body, face them, stop whatever else you are doing. It sounds weird, but doing that is a reward. Help them with more than just security. I was a Dev forever. Hey, you want me to help you squash bugs because you have this deadline? It sounds weird, but help them with whatever you can help them with. Let them see everything first, let them help you make decisions.

Anything you can think of just to make them feel valued.

37:55 - It doesn’t have to be a monetary thing. But whatever you do. I remember I got to go to a security conference once. And I got to travel for the first time ever. And I had submitted, and I thought for sure my boss was gonna say no. And he said, because we worked in the Canadian public service, he’s like, I can’t give you a bonus. But you’re above and beyond everyone else. Like you just, you never stop. You do so many things. And so, I can approve your travel to go to this conference that I know you really want to go to, and this can be your bonus.

I was like over the moon. I was way excited. That was better than 500 bucks for me. Next, don’t stop. Please don’t stop! So many companies that succeed, they explode with their champions program. We’re going to do this, that, we’re amazing! They have like three meetings the first month, two the next month, then none for a few months and then one and they stop and they’re exhausted. So, don’t stop. It’s really important. Pace yourselves. This is a marathon, this is not a sprint.

39:04 - First of all, whenever in doubt, overcommunicate. If you do not communicate regularly, your program will disappear. Even if you just send out an email. Hey, it’s December. There are a lot of different events happening in December. There’s a lot of people taking holidays because there’s a bunch of really cool religious things happening and we are not going to have, you know, a security champions event this month. But we want to say happy holidays to all y’all.

39:30 - And here is a blog article that I read recently that I thought was really cool and I thought I would share with you. And that’s it. And then you wait until January for your next event. But you touched base and that is important. Your program, it will disappear quickly. I kid you not. I’ve seen so many programs disappear quickly. So, don’t let it slip. Consistency is key. Even if you just meet with them once a month to check in with them and that’s all you do, keep doing it.

Some security champions are gonna need a lot more of your time than others. And some will have better performance than others. Some of them will be okay. One of my friends I remember telling me, yeah, I have like 45 security champions and two of them are total duds. They do the bare minimum every time. But you know what? Like 20 are amazing and the other 18 are good. And so, my program’s awesome. So, be aware of that. If you accidentally drop your schedule, pick it up as soon as you can.

Let’s say you’re sick and you take a month off. When you come back, try to do something even if it’s just sending an email right away to make sure that your champions know you exist. You’re there.

40:43 - And they still matter to you. Culture is a practice. It must be repeated over and over again. So, if you do meditation or you do yoga or you’re like, you work out, you go to the gym. You don’t just go one time. I remember seeing this meme where somebody said, I ate a salad once. I didn’t lose any weight. I’m never eating a salad again. It’s so obvious when someone words it that way. But it’s the same with security champions.

41:08 - It is a practice. You must choose every day to continue doing it. It doesn’t mean you have to talk to them every day, but you have to continue this practice regularly or it will evaporate. And it evaporates faster than you think. And I’m stressing this just because I’ve seen it so many times. So, this is the recipe. And we did it. And we’re basically awesome. So, I’m gonna do a conclusion now. Then I’m gonna give you a bunch of resources and then I’m gonna take questions.

We see high five. That’s right. I love high fives. Okay. So, conclusion. So, what we learned. So, we learned how to attract people to your program. And if you’ve attracted them, that is the right person. We learned a bunch of things about what to teach them and how to teach them. How to engage and turn them into advocates for security. What to delegate. What we should not delegate.

42:02 - How to motivate them. And basically, like, in my opinion, how to build an amazing security champion program. Yes! So, this was our recipe. Recruit, engage, teach, recognize, reward and please don’t stop. And so, I’m pretty sure that a recording of this is gonna be available via The Diana Initiative YouTube page because every year they do that. And so, my slides should be on my website in a couple weeks because I’m redoing my SheHacksPurple website. And I’m going to put a link to videos for everything because I get asked that a lot.

And I was like, why don’t I just put it in one place for everyone? Brain! So, some resources. So, awesome books. So, spoiler alert. I wrote Alice and Bob Learn Application Security. And me and my mom think it’s the best book ever. But I also believe that you can’t do security right if you are not doing IT right. And so, there’s the DevOps handbooks, The Phoenix Project, Accelerate and the Unicorn Project are books that I recommend, and I think are really good.

They’re not free. This is free. I have a podcast. So, the We Hack Purple Podcast. We talk about different careers within security and meet with guests to ask them questions. How did you get to where you are today and how can I do it too? And so, that’s every Thursday live at 6 p.m. Pacific Standard Time. On YouTube.

43:33 - Or you can listen to it later. So, there’s every podcast platform and then also we save them on YouTube. So, resources? Me! I have a YouTube channel. If you want to meet. So, like once per month for all of 2021, Alice and Bob Learn. So, we’re having sessions online.

43:52 - Live streams and then recordings after of Alice and Bob. And basically, like people can learn for free about more than just what’s in the book. And I have a newsletter, blah, blah, blah. We Hack Purple is sponsoring Diana Initiative. I love Diana Initiative. We are giving away three free courses until 4 p.m. today. You can go to the newsletter. wehackpurple.com/diana initiative giveaway. Or just go to the We Hack Purple booth and they’ll sign you up there.

They know what they’re doing. And I want to wish all of you, that you spend your life doing strange things with weird people. Because that’s what makes me happy. And I want to thank all of you for your time and attention today. Thank you so very much for having me at this amazing community event. I appreciate the entire volunteer team. I appreciate all the organizers who work on this so hard for so long. I appreciate Maggie introducing me. I really appreciate all of you showing up.

Because if you didn’t show up, there would be no point in having this event. So, thank you all. Hi, Maggie.

45:03 - MARGARET: Hi, thank you, Tanya. Thank you also again to the audience for coming and joining us for the talk and the sponsors. Tanya, you mentioned that you are willing to take questions now and we do have a little bit of time. Do we have any questions in the chat? I’m seeing effusive things, a lot of love. Everyone is a huge fan of the We Hack Purple training materials as well. We got a lot of positive comments about those throughout.

45:31 - TANYA: Awesome. Would it be okay if we like I don’t know if you have the power, if we like flashed the address to sign up for the free courses? Because I want everyone to have a chance. I just put it in the private chat. So, I think if you like click a button you can make it show up or something. MARGARET: We don’t have a good way to flash it on screen. But it’s in the chat for everyone else.

45:54 - TANYA: Perfect. MARGARET: That’s the link to sign up for the We Hack Purple giveaway. Hey! Thanks to the backstage team for hooking us up with the link. TANYA: I want everyone to have a chance. My talk is later in the day. I don’t want people to miss it. Yeah, we are giving away a lot of stuff. MARGARET: That is until 4 p.m., right? TANYA: Yeah. Then we’re gonna close it. And then announce it at the end of Diana Initiative day one. MARGARET: Four hours and 12 minutes left to sign up, everybody.

TANYA: Awesome. Any questions, or is everyone like, I’m gonna form a champions program starting right now? I’m assuming no questions means you’re all going to form one starting Monday. MARGARET: I’m not seeing questions from the audience. They’re feeling confident. Do you mind if I ask a question of questions? TANYA: I would love. MARGARET: As you were talking about different kinds of rewards, you mentioned high fives being really good because they’re super public.

46:58 - Do you have a digital high five equivalent that you like for Slack? TANYA: So, sometimes things I do in Slack, I have a certain emoticon for the champions.

47:10 - I do a lot of the flexing arm muscle thing. I’m not sure why. But that’s like one of my favorite things. But yeah. Like publicly acknowledging in the team’s channel. So, send a message directly for sure to the champion who did the thing. But then put it in their team chat.

47:28 - I just to want to thank this person because they’re so awesome and they did this for me.

47:33 - I also so, this is gonna sound really silly. But my friend Sean Hooper who speaks a lot at WordPress conferences. I remember him sending me this once because we were having a virtual meeting. It’s an image that he full screened and it said, virtual high five, place hand on monitor here. And then we both put our hand on the screen like this. He said it’s the best thing I can get when you’re so far away. Oh, I love it. Sometimes I share that in meetings.

I’m like, virtual high five. And it’s cheesy. But I am cheesy and I’m like that all the time. So, it fits. You have to find the thing that’s your style if that makes sense. If someone is a really highly introverted person, they’re not going to run up and give high fives. It can be painful for someone to do something against their personality.

48:27 - It’s finding that thing that works for you. I’m wearing a bright red and blue dress. I’m loud as a personality type. But I know a lot of people are not that way.

48:41 - And that’s cool. There’s lots of ways that you can recognize people. And you can do things in I don’t want to say subversive ways, but ways that are more introverted. So, for instance, like sending a direct email to their boss, commending them and CCing them on it. That doesn’t have to be a big public thing. But I don’t know if you have had someone do that.

49:05 - But I have had people do that and definitely it made me turn a hundred shades of red, but in the best way. Oh, my gosh, oh my gosh. When I worked at Microsoft I remember I traveled to another one of our offices and the head of that office sent this wonderful letter to my boss’ boss about how my visit across the ocean was totally worth it because of all the things we achieved. And I was like, oh, my, thank you! And then they put it in my performance review and then I got a bigger bonus, which is really awesome too.

And not expected. That was just like extra awesome, right? Yeah. There’s ways that you can do things if you’re very extroverted or if you’re not extroverted. But showing people in front of their peers, like recognizing them in front of their peers. That feels good for everyone. Yeah. Okay. MARGARET: Yeah. Thank you. While you were answering my question, a couple of audience members submitted questions as well. First up, a question from Angelica: how can we help our security team be a bit friendlier? Most of their engagement is from a compliance standpoint and it scares a lot of nontechnical staff.

TANYA: Angelica, you speak my language. How can you help the security team be friendlier? Depends on if you are on the security team or the Dev team. When I was a Dev, the security team, at the last place where I just wrote code full time, we called them the department of no. They would come to meetings and just say no all the time. And so, when they started coming to meetings, they would always say, no, you can’t do that. And I would be like, what can I do? You’re a Dev, figure it out.

If you were good at it, you would know. So, I told my manager and their manager, they’re not fun to work with. You can say no to me. That’s not a safe way to do it. But you can’t say no and give you zero options that work. I’m just gonna like crap on your baby. Because these apps are my babies. All apps that my team makes, they’re my babies too and they’re telling me my baby is ugly in every meeting. I don’t want them speaking to the staff. I would say, hi Dr. No. They would say that’s rude. Do you think your behavior is not rude? You need an attitude adjustment. Their boss gave them a big talk about attitude adjustments, and they weren’t allowed to say no. I’m not allowed to just say no. I can say no, you can’t do that, but, and I have to give you solutions. And sometimes I don’t know the answers. So, we started having brainstorming sessions. And sometimes it would just mean, I remember one of them gave me the Microsoft SDLC book, this thick.

They dropped it on my desk. It was heavy and there was a boom sound. There, you can know security. It took a while to warm them up, of just saying, you want me to get this work done? You have to work with me. And so, tell them, if they’re just gonna say no, that that’s not good enough. Like, their job is security. Help me figure out the security thing. And so, at first, like, they would start with shaming me. Well, if you were a good Dev, you would know. But by three and a half years, by the time I quit, they’re like, okay, Tanya, so, your team is doing this thing and we don’t like it.

Okay. What are we gonna do instead? He was like, I have some options. And it was so much better. And I stopped calling them Dr. No and started calling them by their names. And relations got better and better and better.

52:51 - When I moved to the next company again, I had to build that bridge and that’s why I became the AppSec person. Because I am the bridge now. But yeah. It’s a lot of telling them that their behavior, how it made me feel. And they’re just like and it’s weird also being like usually the only woman on every team. Right? And so, they’re like, the woman wants to talk about her feelings. Yeah, and you’re going to sit down and listen because I’m the tech lead.

You’re making my Devs feel bad. My Devs don’t want to come to meetings with you. That’s not acceptable for me. You cannot be mean to my team. I am their mama bear. I will protect them. MARGARET: That is a great answer, and you covered the other question in the chat. Which is extra great because we are at time.

53:39 - TANYA: Okay. MARGARET: Thank you again, Tanya, for this excellent advice and inspiration on building security champions programs for all of our companies. Hopefully everybody is ready to go out and do that. Don’t forget to sign up for the Diana Initiative giveaway on WeHackPurple.com. That’s in the expo booth and our other sponsors. Visit them in person if you have some free time. Thank you, everyone, and enjoy the rest of the conference. TANYA: Thank you, Maggie.

So nice to see you again. MARGARET: Nice to see you again too!