We’re back again with the third installment of our Cybersecurity Awareness Month Q&A series! In case you’re just tuning in, in light of this year’s theme – “Do Your Part, Be Cyber Smart” – we’re speaking with a variety of Checkmarx experts to learn all about their roles and how they’re contributing to a more secure software landscape. Catch up on our first and second interviews here and here. In the security industry, enough can’t be said about the need for spreading awareness. It’s the first, and most critical, step in spurring action and turning the tides from being reactive to proactive. Kurt Risley, Checkmarx’s AppSec education director, knows a thing or two about generating awareness, working hand-in-hand with today’s organizations to help them install AppSec awareness and training programs. Read on and learn about the critical role he plays in informing and influencing organizations’ and developers’ software security and secure coding practices. Welcome, Kurt! I hope you’ve been enjoying Cybersecurity Awareness Month so far. Can you walk me through what a typical day looks like for you? It varies, but a typical day involves spending a considerable amount of time understanding organizations’ desire to incorporate more of a formal AppSec Education Awareness Program. This can take the conversation in many ways depending on the culture, but I help to provide base-level best practice guidance and then build on that accordingly based on the organization’s specific needs and my past experience on what’s been successful for similar businesses I’ve worked with in the past. In light of this year’s Cybersecurity Awareness Month theme, what role do AppSec educators like yourself play in advancing software security practices across the industry? The reality is that today, most organizations want to increase security awareness amongst their developers, DevOps teams, executive leadership – all employees, really – but many don’t where to start. That’s where I, and people with similar roles, come in, helping to provide strategic guidance to build a comprehensive and effective approach from the ground up. A big part of this effort is getting organizations and its leaders to ask themselves thought-provoking questions. Why do they want to have an AppSec program? Is it to check a box and say that one exists? Or is it to truly drive change in the way their developers and DevOps teams think about security? What are the KPIs they’re hoping to achieve with this type of program? Are they willing to commit to this effort on an ongoing basis vs. approaching it as a “one-and-done” solution? It’s essentially as if we’re spreading awareness about the need for awareness. Changing behavior is never easy. How does education and awareness serve as a first step in this effort, especially when it comes to security? That’s very true, but you would be amazed at how achievable this is. A common misconception is that security isn’t top-of-mind for the board. That’s usually not the case. It’s more that many (top down) don’t know the best place to begin or who should be the primary owner of security. The fact of the matter is that security requires everyone’s buy-in, not just the CISO or developer or AppSec team. Security isn’t effective when done in a silo. Everyone needs to hold themselves and each other accountable and play their role in contributing to “the greater good.” Cybersecurity Awareness Month’s theme of “Do Your Part” is a perfect summation for the current state of cybersecurity and software security. Given the pandemic and shift to remote work, how have conversations evolved with the organizations and developers you’re speaking to? I am seeing more customers looking to enable their engineers and developers to operate remotely. AppSec awareness fits nicely into their plan to empower and train developers to code more securely wherever they’re working from. What are current AppSec training programs doing right? Where are they falling short? Communication, communication, communication. If things are communicated properly, it is not looked at as required or mandatory (although that still is the best way). They are also leveraging events like Cybersecurity Awareness Month to promote better security across the board. I see a lot of customers conducting monthly events to spread security awareness internally with creative banners, challenges / tournaments, prizes, and more, all in the spirit of friendly competition. Where gaps still exist:
- Organizations don’t know how to implement a formal program (this is the easy fix).
- The maturity of organizations. If security is not a topic of discussion or priority, then it’s hard culturally to get the right people engaged to succeed with a formal program (the more challenging fix).