People often think cybersecurity is black magic. They also think that to be good at security, you have to know a lot about everything and be a black-belt computer wizard. This was a problem we encountered and had to tackle early on at Syndis, the company from which Adversary spun out.
Iceland is a small rock in the middle of the Atlantic Ocean. With a population of roughly 360,000 people, it barely has more residents than Honolulu, Hawaii. Yet it is a republic with everything a country needs to be as self-sufficient as possible: health care, a power grid, a government, financial institutions, you name it. Historically, Iceland has faced few threats, thanks to its isolated location; you had to sail for a long time just to reach the island. But times have changed. Now every layer of society has to be concerned with security in some way or another.
We had an existential problem on our hands. At that time we had 4 people on staff, nowhere near enough to meet the demand for our services, and there was no local talent pool to hire from. What do you do? Try to compete with big tech firms abroad for talent and pay salaries that far exceed local ones? That is unsustainable and would at best be a short-term fix. Besides, the shortage of security professionals is a global problem, so that was a no-go.
We had only one option: Put in significant effort short-term to grow and foster a new generation of security engineers.
Through our cooperation with Reykjavik University, we doubled down on our commitment to teach the annual security course through our co-founder Ymir Vigfusson. We then went on to build the early version of Adversary, teaching the fundamentals of the OWASP Top 10 and how to hack.
Even though it would not help in the short term, a long-term play was better than doing nothing. Luckily, we quickly saw that the course attracted highly talented students who were able to go into security straight after school and start addressing the societal problem of too few security professionals.
As we did this over the years, while also teaching companies that wanted similar training in-house, we made an observation that really changed our core beliefs about “security people”. We had assumed that the people who would end up in critical security jobs would be those who already identified as “security experts” or “security enthusiasts”. You may recognize this as a bit of a chicken-and-egg problem, given the problem statement.
Instead, when we followed up on corporate training sessions, we found that a subset of the people we taught had gone on to do more training and were on a path to becoming an internal security employee. That’s cool! We empowered people. But who were they? Here are the traits we recognized in them:
And as we grew the Syndis team from 4 people to now 10, we saw a strikingly similar pattern. The people we took on who turned out to be our best were solid computer scientists to begin with. They also exuded eagerness and curiosity, and they were excited by the challenges given to them.
The data spoke for itself every time we dug into it. Talented security engineers are not special by any means; potential security engineers are all around us. For us as “security experts”, it was a lesson in humility. We were not inherently that special.
The prerequisite for developing into a security professional who can help the community protect against the bad guys was simply giving good engineers the opportunity to learn this “black magic” (and to realize that it is not black magic), and empowering them to pursue it.
Since then, we have been engaging all levels of society with Adversary, from 9th grade school classes to engineers with more years of professional experience than I have been alive. Every time, we see the same pattern emerge. People have fun learning, and a subset of them can’t get enough of it. The challenge is intoxicating, and it makes them realize that there is a huge opportunity for them to enter the field of security.
For companies, this is an untapped resource that is critical for tackling the security challenges they face. Using Adversary, companies can train their staff on the most common secure-coding challenges, but the effect is far more profound than that. In a world where security professionals come at a premium and are difficult to retain, trying to outbid the market is a losing game.
Rather, companies are starting to identify and empower their own staff. They are finding the “sleeper” security champions in their midst and empowering them to enter the world of magic. These people not only become hugely valuable through the skill set they develop; through their curiosity and eagerness, they also show the people around them what security is about and shine a light on it. They go on to show their peers that it is not black magic, and they help the teams they work on to stop being paralyzed by security. Instead, those teams tackle it head-on and do their part in growing a culture where security is a core tenet that everybody is a party to. Security is only as difficult as the difficulty we (incorrectly) attributed to it.
By recognizing the security champions within your organization, you have identified key employees who can bridge the gap between the development team and the security team.