Cisco’s Security Dojo: Raising the Application Security Awareness of 20,000+

Presented at AppSec USA 2015, Sept. 25, 2015, 1 p.m. (55 minutes).

In two years, over twenty thousand Cisco employees and contractors worldwide invested hours over and above their assigned duties to improve their knowledge of application security. Why would they take action voluntarily? What made them care about security? The answer is we made application security awareness personal, professionally valuable, and fun.

In today's chaotic environment, every company desires a more secure product or solution, and their customers demand it. To achieve this, every person involved in the product life cycle must be security aware. The challenge is teaching people in a way that sticks. This is how Cisco did it: how employees and contractors learned to love and own Cisco's security story; and built security into our organizational DNA and our products and solutions.

The Cisco Application Security Awareness Program raises technical security awareness at all levels of the organization through the creative, fun, and humorous use of video. The content ranges from introductory to advanced learning, using belts to measure student achievement and provide recognition. As students progress, they move from acquiring knowledge through video to hands-on activities that improve the security of their products. A system for tracking and recognizing these achievement-based activities gets people fired up to make security improvements in their products. Sprinkled throughout the talk are examples of the videos and interfaces that draw users into this world, so the audience will experience the Cisco Security Awareness Program first-hand and see the abstract concepts described in concrete form.

Approaching the crescendo, it is time to address the elephant in the room: "So what?" What is the true impact on Cisco? Through the metrics and feedback collected, a case will be made that this program has had a huge positive impact for Cisco.

The grand finale is the "top ten secrets of success". This is a discussion of the actions taken to achieve success, broken down into four categories: content, recognition, system, and marketing.

Content covers the lessons learned about video and how to master it for success. Recognition covers how to reward participants and lead them to want to grow as security people. System covers how to set the program up for success. Marketing covers the deliberate steps that made the program spread virally.

This advice applies to real life: this is how we did it, and here is how you can learn from us and apply it in your own organization.

Presenters:

  • Chris Romeo - Chief Security Advocate - Cisco Systems
    Chris Romeo is a Senior Technical Leader within the Cisco Secure Development Lifecycle (CSDL) program. He guides the Security Advocate program, encouraging engineers to "build security in" to all products at Cisco. He led the creation of Cisco's product security awareness program (Cisco Security Ninja), which launched in 2012. Romeo has twenty years of experience in information security, holding positions across the security gamut, including secure product development, penetration testing, and incident response. He holds the CISSP and CSSLP certifications and is fond of saying "We are all security people."