Cybersecurity Awareness Month Week 3: Day in the Life, AppSec Educator

In the security industry, enough can’t be said about the need for spreading awareness. It’s the first, and most critical, step in spurring action and turning the tides from being reactive to proactive.

We’re back again with the third installment of our Cybersecurity Awareness Month Q&A series! In case you’re just tuning in, in light of this year’s theme – “Do Your Part, Be Cyber Smart” – we’re speaking with a variety of Checkmarx experts to learn all about their roles and how they’re contributing to a more secure software landscape. Catch up on our first and second interviews here and here.

Welcome, Kurt! I hope you’ve been enjoying Cybersecurity Awareness Month so far. Can you walk me through what a typical day looks like for you?

Kurt Risley, Checkmarx’s AppSec education director, knows a thing or two about generating awareness, working hand-in-hand with today’s organizations to help them install AppSec awareness and training programs. Read on and learn about the critical role he plays in informing and influencing organizations’ and developers’ software security and secure coding practices.

In light of this year’s Cybersecurity Awareness Month theme, what role do AppSec educators like yourself play in advancing software security practices across the industry?

It varies, but a typical day involves spending a considerable amount of time understanding organizations’ desire to incorporate more of a formal AppSec Education Awareness Program. This can take the conversation in many ways depending on the culture, but I help to provide base-level best practice guidance and then build on that accordingly based on the organization’s specific needs and my past experience on what’s been successful for similar businesses I’ve worked with in the past.

A big part of this effort is getting organizations and its leaders to ask themselves thought-provoking questions. Why do they want to have an AppSec program? Is it to check a box and say that one exists? Or is it to truly drive change in the way their developers and DevOps teams think about security? What are the KPIs they’re hoping to achieve with this type of program? Are they willing to commit to this effort on an ongoing basis vs. approaching it as a “one-and-done” solution?

The reality is that today, most organizations want to increase security awareness amongst their developers, DevOps teams, executive leadership – all employees, really – but many don’t where to start. That’s where I, and people with similar roles, come in, helping to provide strategic guidance to build a comprehensive and effective approach from the ground up.

Changing behavior is never easy. How does education and awareness serve as a first step in this effort, especially when it comes to security?

It’s essentially as if we’re spreading awareness about the need for awareness.

The fact of the matter is that security requires everyone’s buy-in, not just the CISO or developer or AppSec team. Security isn’t effective when done in a silo. Everyone needs to hold themselves and each other accountable and play their role in contributing to “the greater good.”

That’s very true, but you would be amazed at how achievable this is. A common misconception is that security isn’t top-of-mind for the board. That’s usually not the case. It’s more that many (top down) don’t know the best place to begin or who should be the primary owner of security.

Given the pandemic and shift to remote work, how have conversations evolved with the organizations and developers you’re speaking to?

Cybersecurity Awareness Month’s theme of “Do Your Part” is a perfect summation for the current state of cybersecurity and software security.

What are current AppSec training programs doing right? Where are they falling short?

I am seeing more customers looking to enable their engineers and developers to operate remotely. AppSec awareness fits nicely into their plan to empower and train developers to code more securely wherever they’re working from.

Where gaps still exist:

Communication, communication, communication. If things are communicated properly, it is not looked at as required or mandatory (although that still is the best way). They are also leveraging events like Cybersecurity Awareness Month to promote better security across the board. I see a lot of customers conducting monthly events to spread security awareness internally with creative banners, challenges / tournaments, prizes, and more, all in the spirit of friendly competition.

Helping organizations understand the long-term value of an AppSec Awareness Program and helping them map it out. The final piece is when they conduct a “challenge” or tournament to really spark up friendly competition amongst developers and DevOps teams. The reception from this is always positive and they start to ask for more of these types of events. When this happens and developers actually start to ask for more security training, that’s when you know you’ve made an impact.

  • Organizations don’t know how to implement a formal program (this is the easy fix).
  • The maturity of organizations. If security is not a topic of discussion or priority, then it’s hard culturally to get the right people engaged to succeed with a formal program (the more challenging fix).

What does success or a job well done feel/look like to you?

Executive sponsorship and continuous communication is critical. It’s also important to engage your target audience regularly in a fun, interactive manner based on your specific culture that doesn’t get boring and stagnant over time.

How can organizations and developers keep security top of mind beyond Cybersecurity Awareness Month?

Ready to raise your AppSec awareness? Don’t forget to check out our Cybersecurity Awareness Month toolkit packed with eBooks, infographics, blogs, webinars, and much more!

I notice a fair amount of organizations have their own internal “security” conferences and these are fantastic venues to keep awareness on the minds of everyone. It’s a great opportunity for gamified, friendly competition as well.