Make it Big Podcast: How to Guide Internal Teams to be Security Champions with Francis Dong

Welcome to The Make it Big Podcast, a bi-weekly audio series about all things ecommerce by BigCommerce.

October is recognized as National Cybersecurity Awareness Month. It’s a month dedicated to helping individuals protect themselves online as threats to technology and confidential data become more commonplace.

In light of Cybersecurity Awareness Month, BigCommerce Senior Application Security Engineer Francis Dong joins BigCommerce Manager of Product Marketing Airon White on the Make it Big Podcast to explore how businesses can guide their internal and external teams to become security champions.

With this year’s Cybersecurity Awareness Month theme of “See Yourself in Cyber,” this episode focuses on the human aspect of cybersecurity. At the end of the day, it’s ultimately about people.

Read on for a recap of this episode to learn how you, too, can see yourself in cyber — no matter your role.

All episodes of The Make it Big Podcast are available on Spotify, Apple and Google.

The Make it Big Podcast: Episode 26

Airon White: A lot of people might not be familiar with the term ‘security champion’ or ‘security steward’. Could you explain what it is and why it is important to have them within a company’s internal teams?

Francis Dong: “Originally a security champion or steward was a software engineer or developer that is security conscious, or at the least, very interested in security itself. You would train them up to be a point of contact for their team so that other team members would reach out to them if there was anything that was security related. Security champions now can be anyone that is internal within the company.”

AW: If we were to identify security champions within an organization’s internal team, how would we go about doing that?

FD: “There’s three main approaches I go about [when] looking for security champions.

“The first method is what I call a direct approach…It’s really easy to identify if someone is security savvy or if they’re really interested in security from the way they ask questions. If there were any security concerns in the past, you might be like, ‘Oh, that person knows a thing or two about security.’ In this case, I would suggest just reaching out to them directly.

“The second step is a bit more tedious and a bit more technical, but it’s going to be rewarding.

“This requires you to run some sort of security contest or what is known as a ‘Capture the Flag’ event. A CTF, or Capture the Flag, is where you create vulnerable applications or you set out security challenges for people to play. It’s basically like a test. You get points…and you get to see your ranking…

“This could take a month to plan out. But in the end, you get to see who actually has strong security knowledge…Thanks to that, you can definitely recruit really, really strong security champions.”

“Security champions now can be anyone that is internal within the company.”

AW: You can also get people excited about security. If they’re playing these games and trying to capture that flag, you might actually draw the attention of people who never thought about being a security champion before. So I really like that approach.

FD: “Definitely. And it brings out the competitiveness within the company as well.

“The third option is…just write up a form to get an expression of interest. Normally, the people who put the name down for the expression of interest might not know security, but at least if they’re interested, training them up shouldn’t be too hard.”

AW: What about challenges that companies might face if they don’t have anybody that wants to raise their hand?

FD: “Smaller companies normally don’t have the money to invest in an internal team. When it comes down to a new company that doesn’t have an internal team, sometimes it’s worth asking basic security questions within an interview to see if they have any knowledge of security. This way, if you do hire them, it helps quite a bit. In the long term, you save hundreds of hours not running into a lot of problems, right?…

“Another way of going about this is, there’s a lot of platforms online now that teach the basics of security…It might be worth investing in a few licenses.

“There are also some free YouTube videos that are quite worth it. Doing lunch-and-learn sessions. Sitting down with a team and seeing who might be interested.”

“Everyone should take security in a company seriously, because it doesn’t matter how high you rank or how low you rank. If one person gets breached, the whole company is in trouble.”

AW: How do you think ecommerce businesses can help foster that stronger security culture — a culture like we have here at BigCommerce? What can they do to inspire all of their employees?

FD: “I like that question a lot, because it focuses on security in general rather than security champions. There’s a few things that you need before you can even set up a program.

“I believe there’s three things that e-commerce businesses can do that at least can start a security culture or help make it a bit stronger.

“So these three things are:

1. Instilling the concept that security belongs to everyone and not just the security team.

2. Security awareness training.

3. Recognition and rewarding those for doing the right things.

“…A lot of people think that security itself belongs to the security team. And it does, but it doesn’t. For someone to feel like they’re a part of the culture, the whole company has to have that culture. And that same concept applies in security culture. Everyone should take security in a company seriously, because it doesn’t matter how high you rank or how low you rank. If one person gets breached, the whole company is in trouble.”

AW: I know that our VP of Cyber Security would love it if we added, ‘A healthy level of paranoia’ to our company missions and values. It is something that he is really passionate about: making sure all of us are aware of the security possibilities that we can all support and embrace here at BigCommerce.

Want more insights like this?

Explore more cybersecurity resources throughout the month on the BigCommerce Blog, Engineering Blog, YouTube and social channels. Be sure to also check out more episodes of The Make it Big Podcast on Spotify, Apple and Google.