Rob Cheyne, founder and CEO of Safelight Security Advisors, believes that security is everyone's job. He specializes in education of software developers, but he trains employees of all stripes in everything from security awareness to security fundamentals. Cheyne, a veteran of Symantec, @stake (the famous computer security services company, which he helped found) and Internet Security Advantages, spoke with CSO contributor Kate Walsh about his classroom approach—training sessions run from a couple days to a week—and why he thinks enterprisewide security education is critical.
CSO: What are the major challenges you face when it comes to educating developers on critical security issues?
Cheyne: It's tough to get people to change the way they do things. All of the common attacks we've known about for a very long time are still out there, and people still regularly make mistakes regarding them. Getting the developers to want to be in the room is another challenge. They don't want to be sitting through an eight-hour training class.
Why do we fail to write secure applications? Is it lack of awareness? Complacency? Lack of understanding?
All those things. But companies are not allocating enough time and money for security because they just see it as a line item. They don't understand that it needs to be intricately woven throughout the entire process.
How hard is it to convince companies that fixing bugs in the design phase is cheaper than doing it farther down the lifecycle?
People usually get it. It's a classic IBM study: A $1 bug in design will cost more in development, and so on. That's because in design, you just start over. At the point of development, you've already written code. Now you not only have to change the design, but you have to change the code. If you find a bug even farther down the line, in testing, you basically have to rework the entire system. But there's still that challenge of getting people to do something about it once they get it.
How do you ensure that training is effective once people return to work?
Training needs to be made relevant and real. You need to use examples of things that are specific to what they're doing on a daily basis. But theoretical training is essential too. Many mistakes are theoretical things. Learning about how to build a layered defense, even though it's theoretical, is one of the best defenses. Sanitizing output and validating input: Those are your best defenses. If you're not doing those things properly in the first place, teaching people specific lines of code to add to their applications isn't going to help them. You have to learn the theory to really understand security.
Other than training, how do we improve information security?
Security basically has three legs: technology, people and processes. Ultimately, building a secure system is a process: It involves technology, but it also involves people working on the systems. You have to make appropriate technology choices, but it's how you use that technology that matters. The training is critical so everyone understands specifically what they need to do to maintain security. ##