Security is hard. Software development is hard. Adding security objectives to development projects can seem overwhelming and is an often-overlooked aspect of cybersecurity. This talk will give you the tools, techniques and knowledge needed to get traction and bring people on board.
This talk is for the battlers out there — for those trying to move the dial inside of organisations and get people engaged in the quest for secure development. If those around you believe it is all too hard, takes too long, or is simply not their responsibility, how do you change hearts and minds?
There are a few key starting points. Firstly, if you don’t drive this, chances are nobody else will. Secondly, dealing with change means dealing with people. Thirdly, nothing succeeds like success. These things can all be difficult, but the skills you need can be learned and then leveraged. You’ll need both technical and professional skills to bring others along with you.
So what are the skills and knowledge needed, and how are they leveraged?
This talk will go through the following practical strategies:
- Early goals need to be clearly defined, achievable and easy to understand
- Why it’s important to get runs on the board and then leverage them
- Building momentum until the “tipping point” when people “follow success”
- How to find sponsors, champions, advocates and allies
- Effective reporting, storytelling and messaging
These strategies are equally effective regardless of your formal authority in an organisation. Most big things start small, and building on small wins is frequently how change begins. It is often hands-on staff (who are most connected to the actual work) who are best placed to start the ball rolling.
Sometimes the scale of the problem can make the undertaking seem overwhelming, but you may be surprised at what can be achieved through communications and leadership. When you can fully tap into people’s enthusiasm and obtain buy-in, bigger change just might be possible!
Watch 'How to get everyone to get on board with software security: practical tips and suggestions.' on PyCon AU's YouTube account
Tennessee Leeuwenburg is the Head of Cyber Security Engineering at the Bureau of Meteorology. He started his career as a software developer and has since moved into cyber security.
He has worked on securing the software development lifecycle. This included working with teams to adopt development best practices, undertake security assurance activities and develop a strong understanding of how to produce safe and secure systems.
He spent over a decade working on a variety of scientific applications for weather forecasting, and has significant experience working with very large and complex data sets.
Tennessee has a diverse range of technical interests, including quality code, automation, machine learning, artificial intelligence and open source software.
His dream job would be to win a lottery and then spend his time on moon-shot projects, going to conferences and supporting the community.