Last updated at Wed, 03 Jan 2024 20:05:23 GMT
In our most recent episode of Security Nation, we had the pleasure of speaking with Mark Geeslin about his work creating an internal Security Mavens program at Asurion, an insurance company focusing on technology and digital life. Here’s what you need to know about Mark, what it took to create (and maintain) this program, and what you can learn from his experience.
Championing the embedding of security into development practices
As senior director of product security, Mark spends a great deal of time thinking about how to build security into product development, with a strong focus on application security. He’s also very involved in his local security community, launching a Nashville chapter of OWASP, hosting the brand-new Music City Con, and teaching security through the SANS Institute.
Mark launched Security Mavens three years ago with the goal of building better security by design. Most champion programs select developers to be deputized as security advocates for the company, train them, and make them points of contact for the security organization. However, the Security Mavens program moves away from making members “security deputies” and instead transforms them into true security experts so they can take ownership of security within their product team.
Training starts with the foundations of application security, and members later learn how to both attack systems and defend against attacks. While some Mavens have gone on to specialize in offensive security, others have gone the security management route or moved into the defensive side. Mark and his team support members through the entire process and let them engage with the community by taking them to conferences such as DEF CON and OWASP.
When Mark and his team started the program, they were sure to sell it from the top down, starting with the president of the company. They then went through the product development organization and used that buy-in to launch a substantial internal marketing campaign to get employees excited about it. Those who were interested had to apply and be interviewed for the program to make sure they were qualified and had the right mindset.
At this point, the Security Mavens program has over 50 members globally, which is 4% of Asurion’s total engineering population. According to Mark, the program has been well received and netted benefits he never anticipated. Many members have gone on to be very successful in the industry, and some have even become well-known speakers at security conferences. While Mark said it’s been one of the most difficult jobs he’s undertaken in terms of the amount of work, it has also been the most satisfying.
Creating a culture of security
Mark said his team has been amazed by the wide impact of their program, especially when it comes to the culture of the product development organization. Security is now viewed on the same level as features and recognized as an integral part of the process.
Before the Security Mavens program began, it wasn’t that people were against security—it was that they didn’t own it. By embedding security within those development teams, that has all changed, because employees no longer have to be persuaded that security is important.
Challenges and advice when building a security-minded culture
According to Mark, a big problem many companies face with security advocacy is maintaining momentum. Having built a similar initiative at other organizations, he knew that he could avoid the degeneration of the program by having interested members apply on their own, rather than being appointed.
He also found that it worked better if members saw themselves as teachers and mentors, rather than police. Their job was not to enforce security, per se—it was to be the resident security expert who can help influence security among peers. Because of this, part of the interview process was to determine which candidates were the influencers willing to go beyond their own work.
The other challenge they proactively avoided was funding. Since the program was funded centrally, specific departments within the company couldn’t say they didn’t have the budget to send people to a conference or training.
Mark’s biggest piece of advice for anyone looking to build a similar program is to get executive buy-in first. Selling it as a program with broader implications for the company, the advancement of the organization’s reputation, and employee retention is key. It’s a means of achieving the security the company needs, with all of these benefits on the side.