Oh, hi there, it’s us again! As Cybersecurity Awareness Month rumbles on, we’re thrilled to dive into the second part of our ongoing Q&A series. In case you missed the first entry or just want to read it again (we wouldn’t blame you), click here. The term “evangelist” pops up a lot in the security industry, and those that have this title bestowed upon them carry many different responsibilities. What many don’t realize is just how critical the evangelist role is, bridging the gap between their respective companies, customers, the media, general public, and much more. To better understand everything that’s required of someone in this position, and in this case, how these individuals foster a culture of software security in today’s organizations, we sat down with Susan St. Clair, evangelist and subject matter expert here at Checkmarx. Thanks for joining me, Susan! The evangelist role seems like it’s quite hectic, but also very rewarding. So, can you walk us through what a normal day looks like for you? It really varies on a day-to-day basis, but in general, I’m really focused on spreading AppSec awareness and connecting Checkmarx with end users, current and potential customers, and the broader security community. I’m lucky in that I spend a lot of time with very smart people learning about their challenges related to AppSec, security testing, and more. I consider myself and others in the evangelist role to be consultants of sorts. Our job is to get organizations and security teams thinking about existing gaps in their systems and to serve as trusted partners that help set realistic and transparent expectations about what’s needed to optimize their security processes and tools. While sales is certainly a component of being an evangelist, spreading awareness and driving real change is the ultimate goal. Given that you work closely with many different groups, how have conversations around software security evolved as of late? Over the past few months in particular, we’re seeing this digital-first shift. And with this, all organizations – no matter the maturity of their AppSec infrastructure – are wanting to know how they can operate online in a secure manner. Simply, “how do we become more secure? From education to government organizations, COVID has really placed this question at the forefront of everyone’s mind – whether they’re developers or on the Board. Another interesting shift that’s taken place simultaneously is security teams’ understanding of emerging tools. When I first started in this position a few years ago, I spent the majority of my time educating people about what IAST was. Now, it’s more about how IAST, and other emerging tools, integrate with existing AppSec technologies to address software risk more holistically. What creates the best interaction with organizations? Developers? It depends on who I’m speaking with, but the best and most productive conversations are exactly that – conversational. I like to start things off by simply asking what they would like to have in an ideal world. Assuming cost, resources – any sort of limitations – aren’t factors, what do they envision security to look like? This leads down some very interesting roads and opens doors to paths they likely haven’t yet explored. From there, we can work on prioritizing what’s most important and creating a comprehensive action plan that fits their specific needs and requirements. This year’s Cybersecurity Awareness Month theme is “Do Your Part.” What role do evangelists play in advancing security practices across the industry? First and foremost, it’s about spreading awareness and education. It’s about opening people’s eyes and ears to new concepts and technologies that they may not have previously heard of or considered. It’s about helping organizations think about different ways to approach persistent problems. This is accomplished in a variety of ways. It can be through 1:1 conversations with AppSec and security teams or through larger trade shows and webinars where I’m able to reach bigger and more diverse audiences. These events in particular are really where awareness spreads like wildfire because it gets many people with many different viewpoints conversing and sharing ideas. As an evangelist, I want to put security teams, DevOps leaders, developers – you name it – in a position to do their jobs as effectively and efficiently as possible. Narrowing it down, what are the top trends impacting the state of software security most right now? Automation is a big one, especially in terms of automated tools that fit into the way developers and DevOps operate to streamline workflows. The growing voice and authority of the developer is another. Developers are now a force to be reckoned with, and they’re largely influential over where security budgets are allocated. As developers increasingly play a bigger role in owning security, they’re being granted more control over what’s needed to achieve DevSecOps. What does success or a job well done feel/look like to you? It’s really exciting to see awareness turn to action and shifting traditional views into modern ways of thinking. Speaking with a customer, looking back a year or two ago, and seeing just how far they’ve come in terms of shoring up their security posture is incredibly rewarding. Any advice for aspiring evangelists? Open your mind. Regardless of your background, whether you come from security or not, your past experiences will give you a unique perspective that can change the way people think about things. Read up on industry trends, talk to customers and thought leaders. Always stay curious! Catch Susan on our webinar to learn more about the biggest trends impacting today’s software landscape, reasons why organizations need to be prioritizing software security, and best practices for getting a running start on the road to DevSecOps. And, if you haven’t already, download our new eBook to help raise your AppSec awareness.