I had the pleasure of hosting Vimalathithan Rajasekaran on episode 2 of my podcast, Champions of Security.
Vimal has a truly fascinating professional background. He spent several years in engineering and developer roles at Visa, Safeway/Albertsons/Kroger, and United Airlines.
Once he started developing cloud and serverless functions in AWS, he began to see how critical security was in the cloud-native world. Currently, Vimal is a Security Architect at PROS and works on SAST, DAST, OWASP, threat modeling, and more.
Throughout his career, he has learned how to be a champion and influence developers in a mentorship capacity.
Communicating Security to Non-Security Folks is Key
It’s difficult to convince anyone to care about something if they have no idea what you’re talking about. A key observation that Vimal brings up in our conversation is the need to simplify cybersecurity for non-security people. Using jargon and acronyms isn’t going to help security win friends and influence people.
Instead, Vimal emphasizes the importance of using plain, simple language when talking about security. This is such a basic step for teams who want to grow their security programs and get executive buy-in, but it’s so commonly overlooked. Another key part of communicating with non-security folks (or, really, with anyone) is using data to your advantage. Always have data to back up your recommendations.
Context is King for Zero-Day Vulnerabilities
Vimal has lived through several zero-day fire drills and has some lessons to share. First, understand the vulnerability with full risk context. Security should ask:
- Is it internet-facing?
- Where (and how) is it deployed?
With answers to these questions in hand, security can communicate the severity of the risk, along with the context behind it, to stakeholders.
From there, security can work with stakeholders to establish service-level agreements that specify which issues will be fixed and how quickly.
Furthermore, Vimal advises getting buy-in from the executive level down on how security and engineering/development will work together during zero-day crises.
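The triage steps above (is it internet-facing, where is it deployed, how urgent is the fix, what SLA applies) are easy to describe and easy to get wrong at 2 a.m. The following script is an added example, not code from the podcast, from Vimal, or from PROS. It walks a constructed service inventory, finds which services actually run an affected version of a component, folds the deployment context into a priority, and produces a plain-language summary for stakeholders with the agreed SLA attached. The inventory, the vulnerability record, the context weights and the SLA table are all assumptions for illustration; real programs replace them with their own asset data and their own negotiated SLAs.

```python
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    components: dict           # component name -> deployed version (constructed inventory)
    internet_facing: bool
    environment: str           # "prod", "staging", ...
    handles_sensitive_data: bool = False


@dataclass
class Vulnerability:
    component: str
    affected_from: str         # first affected version (inclusive)
    fixed_in: str              # first fixed version (exclusive)
    exploit_public: bool


# Assumed SLA table: priority -> days to remediate. Agree this with stakeholders
# before the fire drill, not during it.
SLA_DAYS = {"P1": 1, "P2": 7, "P3": 30, "P4": 90}


def parse_version(text: str) -> tuple:
    """'2.3.1-rc2' -> (2, 3, 1); pre-release and build suffixes are dropped."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, vuln: Vulnerability) -> bool:
    v = parse_version(version)
    return parse_version(vuln.affected_from) <= v < parse_version(vuln.fixed_in)


def priority_for(svc: Service, vuln: Vulnerability) -> str:
    """Fold deployment context into a priority; the weights are assumptions."""
    score = 0
    if svc.internet_facing:
        score += 2
    if svc.environment == "prod":
        score += 1
    if svc.handles_sensitive_data:
        score += 1
    if vuln.exploit_public:
        score += 1
    if score >= 5:
        return "P1"
    if score >= 3:
        return "P2"
    if score >= 1:
        return "P3"
    return "P4"


def triage(inventory: list, vuln: Vulnerability) -> list:
    """Return one record per affected service, highest priority first."""
    hits = []
    for svc in inventory:
        version = svc.components.get(vuln.component)
        if version is None or not is_affected(version, vuln):
            continue           # component absent, or already on a fixed version
        prio = priority_for(svc, vuln)
        hits.append({
            "service": svc.name,
            "version": version,
            "internet_facing": svc.internet_facing,
            "environment": svc.environment,
            "priority": prio,
            "sla_days": SLA_DAYS[prio],
        })
    return sorted(hits, key=lambda h: h["priority"])


def stakeholder_summary(hits: list) -> str:
    """Plain-language lines for a status update: no jargon, data attached."""
    if not hits:
        return "No deployed service runs an affected version."
    lines = [f"{len(hits)} service(s) run an affected version:"]
    for h in hits:
        exposure = "internet-facing" if h["internet_facing"] else "internal only"
        lines.append(
            f"- {h['service']} ({h['environment']}, {exposure}, v{h['version']}): "
            f"{h['priority']}, fix due within {h['sla_days']} day(s)"
        )
    return "\n".join(lines)


# Constructed sample data: not real systems and not a real advisory.
VULN = Vulnerability(component="libfoo", affected_from="2.0.0",
                     fixed_in="2.4.0", exploit_public=True)
INVENTORY = [
    Service("checkout-api", {"libfoo": "2.3.1", "jsonparse": "1.8.0"}, True, "prod", True),
    Service("batch-reporter", {"libfoo": "2.3.1"}, False, "prod"),
    Service("dev-sandbox", {"libfoo": "2.4.0"}, True, "staging"),
    Service("admin-portal", {"libfoo": "1.9.0"}, True, "prod", True),
]

if __name__ == "__main__":
    print(stakeholder_summary(triage(INVENTORY, VULN)))
```

Two of the four constructed services run an affected version, and the script ranks the internet-facing production service ahead of the internal batch job rather than treating every hit as equally urgent. The point of the summary function is the communication lesson from earlier in the post: the output is a short list of services, exposure, and due dates that a non-security stakeholder can act on without decoding a severity vector.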
Amplify Security through Champions
The overall shortage of cybersecurity professionals is now 3.4 million. This global shortage combined with difficulties retaining cyber talent leads to a critical loss of tribal security knowledge that puts organizations at risk. Security champions can help mitigate some of this risk. And Vimal has some ideas that have worked.
First off, involve security champions in development from the beginning. Even when development is thinking about adding a feature, it is helpful to have a security champion on board to help think of potential abuse and misuse cases.
Secondly, embed champions into regularly scheduled meetings with development. Consistency will help form a team mindset.
Thirdly, have more than one or two champions. Depending on the size of your organization and the number of development teams, a single champion could become a single exhausted champion that needs to be benched.
And lastly, recognize and reward champions. Their work is hard. Influencing people without specific authority is probably one of the most difficult skills to hone. Acknowledging and rewarding their efforts is crucial.
3 Key Takeaways
- Talk about cybersecurity in plain language. When you leave out the jargon and acronym soup, you’ll be able to communicate effectively with other teams and people.
- Ease the chaos of zero-day vulnerabilities by:
  - examining the context of how the vulnerability impacts your application,
  - communicating the contextual risk information to all stakeholders, and
  - developing service level agreements that set expectations of what will be fixed and when.
- Build a security champions program the right way by:
  - introducing them to developers early in feature development,
  - embedding them in the team and including them in regular discussions, and
  - acknowledging and rewarding their efforts.
Thank you, Vimal, for being an amazing guest and champion of security.
You can find all available Champions of Security episodes here.