Tempo is a Reykjavik- and Montreal-based software company developing apps for Jira to track time, manage resources, and track financials. They serve over 13,000 customers from over 100 countries, which makes security a top priority for keeping customer data safe.
We had the chance to pick the brains of their Trust Manager, Sigurjón Sveinsson, who is in charge of all things security, to get some insight into creating a culture around cybersecurity through making training fun.
Sigurjón says that a big part of getting everyone involved in security was to get them interested in it and not nervous about it. People are sometimes reluctant to learn and think about cybersecurity because they worry that if they make a mistake they’ll be in trouble. Sigurjón emphasizes how important it is to put this fear to rest.
“The security guy is sometimes the person you are hesitant to talk to, but I want them to trust me, to come to me with incidents and problems. This is a no blame environment.”
Implementing a training programme using tools that everyone enjoys is extremely important when creating a culture in which security is at the top of everyone’s mind. Sigurjón tells us that training will not be effective unless it’s something that the developers want to do. No one wants to be forced to go to a lecture that they can’t stay awake at. It has to be fun and engaging, and most people like games.
At Tempo they chose to use Adversary to train their development teams, because it’s made like a game and their “software developers asked us to adopt Adversary.” He goes on to say that,
“The developers use it a lot for security training. This helps us to involve our employees to participate in further evolving our security culture within Tempo in a fun, engaging, and proactive way.”
They kicked off the training program with an internal hackathon using the Adversary platform, and it was very successful. Not only did the developers have fun, Sigurjón also found out that Tempo is lucky to have a very security-aware team.
In addition, they also chose to use Adversary’s add-on for security awareness, powered by AwareGO, to train all of their employees on important security issues so they know how to spot phishing emails, create secure passwords, and dispose of confidential documents properly. This way even those team members who aren’t programming are still part of creating and upholding their security culture.
A critical aspect of building a security culture within the organization is putting an emphasis on compliance. Not only does it give your brand and company credibility with customers, it sets the stage internally as well.
Tempo has finished implementing a SOC 2 Type 1 report, a US standard, since a large portion of their customer base is in the United States. It’s Sigurjón’s job not only to implement compliance, but to make sure that they stay compliant over the years. He says that when auditors come, he needs to be able to prove, for example, that employees receive regular security training and that new hires are legitimate.
Sigurjón is able to use the data from the Adversary platform to show that developers have received security training and can even use it to assess new hires. He can also use this for any other standards they choose to become compliant with in the future.
The main purpose of creating a security culture by putting an emphasis on training and compliance is to reduce the chance of issues coming up at all.
Sigurjón believes that his team is well-equipped with the knowledge and tools needed to avoid security issues. On top of regular hands-on training, they also have good analysis in the production environment and use security specialists for penetration testing. The team members monitor logs over time and are aware of the environment so they know how to spot if something strange happens.
Sigurjón ends by telling us that,
"Security is simply part of the job."