How did Cisco Security Ninja teach 20,000 employees secure programming?

    When you hear the phrase "raising awareness in the field of information security," what comes to mind first? Teaching users not to open emails from strangers and not to click on phishing links? Learning to recognize social engineering? Making sure nobody tailgates into the office behind you? We have such a program at Cisco too, and we also go through the corresponding training regularly. But today I would like to talk about our other, voluntary awareness program, which was created in less than six months by a team of only four people with a budget of less than 50 thousand dollars. Note that again: a voluntary program, created by four people, in less than six months, for only 50 thousand dollars.

    History of creation

    The idea of creating this initiative came in May 2012, when Adobe presented its Security Training Program at the Security Development conference. That gave us the idea: why not create such a program at Cisco? Moreover, the problem was long overdue. There was no developer training program as such. The principles of secure programming (Cisco Secure Development Lifecycle, CSDL) were known to many, but not everyone understood how to apply them in practice to reduce the number of errors and potential vulnerabilities. Besides, developers traditionally gave little thought to how the security world was developing on the other side of the barricades: how attackers act, what they are capable of, and what they are after.

    An idea is one thing, but we did not want to follow the beaten path and organize yet another security training. Let's be honest: many training programs, even corporate ones, even free ones, are regarded by many employees as a punishment and a necessary evil. With such an attitude there was nothing to wait for. So we decided to combine our practice in secure programming and building trusted systems, which we had been actively developing in recent years, with the experience of our product incident response department (Cisco Product Security Incident Response Team, PSIRT), and to add a game component to this combination, drawing employees of their own free will into an engaging game in which you could earn points, gain recognition from others and, along the way and unobtrusively, gain new knowledge and competencies. As is well known, information obtained in a game form is remembered far longer than ordinary theory, even when dressed up in beautiful presentations and videos.

    No sooner said than done. The program was based on the idea of training in martial arts, with its combination of studying philosophy and technique, learning in the hall (the so-called dojo) and in life, and progressing through various grades (belts) that reflect the learner's achievements. Members of our program are called Cisco Security Ninja. Why a ninja? Probably because over many decades, even centuries, many legends have grown up around these Japanese warriors and their name has become surrounded by secrets. Initiation into the "secret" of CSDL is the hallmark of developers and engineers who have received the appropriate training.

    The motto of this initiative was the rephrased statement: "Security is the way, not the destination."



    Cisco Security Ninja Belts

    Unlike the traditional ten belts in martial arts, we decided to limit ourselves to five: white, green, blue, brown and black. Receiving each belt was meant to demonstrate the acquisition of certain knowledge and skills, as well as passing the corresponding exam.



    At the first level, which serves as the basis for further growth, we introduce beginners to the basic concepts of information security, terminology, the basics of secure programming and CSDL. Training at this level consists of 16 modules: introduction, terminology, information security basics, conformity assessment, hackers and attacks, typical security myths, CSDL, input validation, resource overruns, authentication, authorization, secure configuration, information leaks, cryptography, hardware-level security, and PSIRT.

    The green belt meant gaining advanced knowledge of various security concepts, as well as the practical application of security principles and practices depending on the trainee's role. We identified six roles: product manager, program manager, manager, design engineer, development engineer, and test engineer. To get the green belt it was already necessary to complete about 50 modules, ranging from the study of various attacks (XSS, CSRF, SQL injection, social engineering, hardware-level attacks) and CSDL (threat modeling, vulnerability search, code analysis, typical programming errors in C) to the basics of Linux hardening, Secure Boot, SSL, supply chain management, and "managerial" topics.



    The remaining three belts did not involve studying any theoretical or practical topics, but rather promoting the adoption of secure programming practices in Cisco's activities. And the higher the belt, the more such actions need to be carried out. To remove uncertainty from the process of earning the "higher" belts, all the activities that candidates for the blue / brown / black belt could be credited for were divided into four groups: invention (for example, creating a useful tool or process, or leading a community), training (mentoring, conducting or developing courses, presentations), research (analysis of a problem, participation in an internal working group or committee, development of a security feature), and implementation (a test, a feature, a CSDL process, etc.).

    For each action a certain number of points is calculated, depending on the time spent (1 point = 1 hour) and the scale of the activity (within the team only, cross-team, external, etc.). These points are then summed up and, depending on the total, one grade or another is assigned. For example, to get a blue belt it is enough to "earn" only 75 points, while a black belt requires at least 400 points drawn from all four of the groups of activities described above. The black belt is the highest step not only in martial arts but also in the Cisco Security Ninja program. It means recognition both inside and outside Cisco.



    Cisco Security Ninja in numbers

    We launched the program in December 2012, asking a few colleagues to "try it out." After receiving positive feedback, the Cisco Security Ninja program officially started in February 2013. In December 2013, an extended program (for the "green" belt) was added to the initial training program for the "white" belt, and a few months later we added role-based training. December 2014 was marked by the launch of the remaining three programs for obtaining the blue, brown and black belts.

    In 2014, the program received support at the level of the company's management, which began strongly recommending that all interested parties obtain at least a white belt. It should be noted that to this day the program is not mandatory; employees join it strictly voluntarily. In March 2015, we passed the mark of 20,000 employees who had received a belt, of whom 47 received a black belt, 22 a brown one, 72 a blue one, and 2640 a green one (myself among them).

    Dojo for training and exams

    A dojo is the place where training, competitions and certification in oriental martial arts take place. We have one too: the Cisco Security Dojo. It is a specially designed platform that includes various events and tools with which you can receive training in various forms, pass the relevant exams and earn a well-deserved belt. With the help of this platform, all security ninjas can also track their own and their colleagues' status, record their activities toward higher grades, and perform a number of other tasks.



    Gamification

    One of the most important elements of the program, which allowed us to involve more than 20 thousand people in it, is gamification, which was achieved through various elements:
    • Information security metaphors, with the help of which key concepts and principles of security and secure programming were illustrated in a funny and humorous way.
    • "Little Ninja" comics, consisting of 3 panels explaining certain points of the training course.



    • Funny clips "We are all security ninjas," in which our employees in ninja costumes unexpectedly turn up in everyday situations (in a cafe, at the gym, on vacation, on a phone call, etc.).



    • "Pop idols": people known inside or outside the company who spoke out on certain information security issues.




    In general, gamification is a very interesting way of conveying information security topics. We use it often in the company: there are information security stands, flash games, games for smartphones, CTFs, and much more.

    Recognition

    One of the important elements of our program was recognition of specialists who had completed the training and successfully received one belt or another. We use different options: certificates, logos that you can use in your profile on the corporate portal or in your e-mail signature, corresponding lanyards for the corporate badge, and financial incentives.



    Key success factors

    Over the past three years we have been able to formulate 10 criteria for the success of our program:
    1. No more than 20 minutes per module, or better yet ten. Long modules are harder to watch than short ones. But they are also harder to create. I often record videos for our corporate YouTube channel and I understand very well how difficult it is to fit the right content into a limited time slot.



    2. A cohort of experts. They should create the content, and possibly take part in recording it.
    3. Recognition. There are no universal recipes; it all depends on the particular organization. In our case, we were able to find inexpensive but effective options, which eventually allowed us to attract a little less than a third of the entire company into the ranks of the security ninjas.
    4. Viral marketing. It lets the employees themselves spread the word about the program; they are happy to share a "cool trick" and "a touch of secrecy" with their friends.
    5. Training course designers. In English these specialists are called instructional designers, and they design not only the course but also, very importantly, the tests and exams.



    6. Competition. Managers love to compete with each other; give them the opportunity by launching a site with statistics on their subordinates, and they will motivate their units to do better.
    7. Break the rules. When we launched the Cisco Security Ninja program, we did not know any rules for running classical training. We did what we thought was necessary and did it cheerfully, with jokes and humor. People feel this and are more easily drawn into training with game elements.
    8. Creative people. Launching such a program is not a "tick-the-box" task. It will not work with people who do things under the stick or who are not interested in the result. Only a creative approach let us do what we did with a minimum of resources.
    9. Management involvement. No further explanation needed.



    10. Gamification. We built an interface that showed progress, helped people achieve more, and drew them into the game. People enjoyed using the dojo created for them.


    Conclusion

    The Cisco Security Ninja program we implemented allowed us to solve several problems at once: not only involving 20 thousand employees in ensuring the information security of our products, but also raising the security level of our solutions. Can this program be repeated in another organization? In exactly the same form, unlikely. After all, cultures, maturity levels, and the companies themselves can differ greatly from one another. But the key success factors will be the same for everyone. The main thing is not to sit still!

    And remember: security is movement, not a destination!
