Solving cybersecurity issues boil down to a single weakness: personnel. When you don’t know what skills are needed, however, hiring qualified security workers is hard. Building from within with proper tools can overcome that lack of knowledge.
That was the gist of a talk by Peter Gerdenitsch, the information cybersecurity practice leader for the Austrian bank RBI International. Gerdenistch presented the bank’s process for building a security division internally at the ImVision seminar on API security lifecycles.
Identifying champions
RBI reaches countries in Central and Eastern Europe. It employs 45,000 employees including a large community of developers for retail and corporate banking. He explained the development of the security operations team was entirely made up of volunteers within that community. After establishing funding for the group they identified “security champions” to build the group from within and direct acquisition of tools and services.
“We were quite sceptical if this approach was feasible one and whether we find enough volunteers,” he admitted. “We were quite surprised that there are more volunteers than we ever would have thought. We didn’t limit whether it’s an IT employee, or whether it’s a business employee. All we needed was somebody to drive the security topics forward.”
From the volunteer pool, they appointed at least two champions for each development product. That ensured the workload was balanced and covered throughout the development process. These champions were promoted company-wide so everyone knew who to go to with security issues.
Developing leadership
Within product groups are the champions called security chapter leads and security domain experts rounding out each security team.
Monthly “community of practice” meetings allow the security champions the ability to exchange what they are doing within their teams with other champions. Monday bulletins precede the monthly meetings to set agendas and formal training programs help groom replacements for the volunteers.
“We offer training to product owners, as well as to anyone interested in spreading the security awareness company-wide,” he explained. This level is known as “yellow belt” training. As employees develop their security interests, training intensity increases up to the “black belt” level and includes certifications.
This process drives collaboration throughout the company without impeding getting the product to market on schedule.
The RBI program, however, isn’t focused only on technical understanding in product development but also considers a certain level of “soft skills” to negate territorialism.
That brings the HR team to the process to provide the soft-skill training the chapter leads need, often side by side with the product owners. The upside is that HR can, in the process learn more about what is needed for internal and external hiring.
The process brought clarity in what kind of tools and external services would round out the development process. Gerdenitsch explained that when tools don’t clearly fit into the framework, they are not purchased.
To hear the entire case study, follow this link.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.