Conduct recurring security trainings
Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick do overloaded PowerPoint presentations which put people to sleep.
It’s fine to share raw technical details as a recap materials, but while starting out you must make people excited about the subject, otherwise it’ll be just another corporate training which they’ve attended only because it’s obligatory.
Don’t shy away from showing-off your skills to non-techy people. It makes sense to show some real life exploitation to impress them to build a great human relation and gain their respect for your skills even if they haven’t understood all of the things you’ve showed them.
I personally like to show real life testing including very first steps from setting up Burp through vulnerability assessment, exploitation to data extraction. When you go step by step and show how you find specific type of vulnerability — how you exploit it and how it can be fixed/prevented — people get the big picture perspective and when the understand the business risks, they pay more attention to code quality.
There is plenty of Open Source resources that come handy in such exercises so squeeze max out of them to create enjoyable and valuable security trainings.
Guiding them thru detailed flow is practical because while you’re doing the hacking part, the participants have a chance to directly and comfortably ask you many (un)related questions. Interactive meetings are the greatest as they’re much better memorized than a blunt slide deck and they give you an opportunity to show the human part of yourself.
The same concepts apply to physical and personal security and the key message is that trainings should be engaging and exciting so they don’t become pain in the ass and periodic so people are constantly reminded about the importance of security in day to day work.
Popularize internal Bug Bounties and awareness recognitions
Bug Bounty programs are great and I love but before you jump into spending crazy amounts of money on external BB, you should give it a try internally.
It’s smart to start with internal initiatives first and give your peers an opportunity to learn new skills and get some fancyrewards for their efforts. Consider hackathon-alike efforts where engineers can work on complex security issues they pick themselves or just do some internal bug hunting with you.
While the BB is mostly to create a security culture, there is actually a real chance of finding a few security issues because each person has a different perspective and a developer may find a bug in a place you’ve never thought about.
Make it fun and offer rewards like a few additional PTO days or gift cards for individuals who’ve found security issues in specified timeframe or came up with great security tool during the hackathon. Except of the fact that everyone likes awards and rewards, people get excited when they’ve been publicly recognized as security aware. Don’t forget to properly acknowledge the effort of all those who’ve also tried but weren’t as successful, because you want everyone to feel engaged and appreciated. Beyond all these it’s also a great team building exercise, so you should practice this on regular basis.
You can use the BugBounty concept for non technical people as well to show gratitude e.g. if they report you a physical security incident, and the key is that you need to spread same awareness and culture across the whole organisation because the security is as strong as its weakest link.
Initiatives like this help shaping a culture where being security aware is appreciated and rewarded and after a while it’ll become employees’ habit to take care about company safety.
Tell me and I forget; teach me and I may remember; involve me and I will learn.
Dawid Bałut 