Secrets of AppSec Champions

In this episode of "Secrets of AppSec Champions" titled "Security Champions," host Chris Lindsey engages with Jigar Shah, an executive global director in the IT identity, access, and application security space, to explore the critical importance of cybersecurity in our increasingly digital and interconnected world. The episode underscores the heightened awareness of security issues among both technical and non-technical individuals. Jigar emphasizes the necessity of ingraining a robust security culture within organizations, stressing the roles of training, resource allocation, and clearly defined responsibilities for security champions. Meanwhile, Chris discusses the initial challenges in launching security programs and highlights the importance of integrating influencers into security teams with transparent communication.
 
The conversation extends to framing security as an investment rather than a cost, aiming to break down silos between security and development teams. Jigar and Chris both emphasize that with the rise of AI technology, there is an increasing need for integration, collaboration, and healthy debate to drive innovation. Effective communication, continuous training, and development support are deemed essential for empowering security champions within a company. They also discuss ways to incentivize security roles through financial rewards, public recognition, and by bringing dispersed teams together, ensuring that security remains a priority even over product releases. Leaders are called upon to educate and hold teams accountable for the risks and business outcomes associated with inadequate security practices.
 
The episode concludes with insights into the framework and governance required to run successful security champion programs, emphasizing the need for clear objectives and monitoring. Jigar advocates for influencing without authority by fostering cross-functional meetings and executive buy-in to elevate cybersecurity awareness. Chris suggests recruiting volunteers with a strong desire to learn for the security champion program and underscores the importance of executive support and selecting champions with good technical and communication skills. The episode wraps up with a call-to-action for listeners to subscribe, leave ratings and reviews, and Chris's closing remarks on cultivating a culture where security is everyone's responsibility.

❇️ Key Topics with Timestamps
00:00 Enabling Business Success through IT Leadership
05:34 The Role of Executive Buy-In in Program Success
08:46 Effective Strategies for Recruiting Security Champions
11:06 Encouraging Cybersecurity Awareness and Engagement in Organizations
16:54 Advancing Careers Through Specialized Database Work
18:50 Developing Organizational Culture and Empowering Influencers
24:02 Maximizing Business Value Through IT Department Management
27:07 Incentivizing Dispersed Teams: Building Unity
28:57 The Importance of Reward and Recognition for Motivation
31:52 Leadership Responsibility in Educating Peers on Risks
37:14 Promoting a Culture of Shared Responsibility in Security Leadership
38:22 Maximizing AppSec Champions: Subscriptions, Ratings, and Discovery

For more amazing application security information, please visit the following LinkedIn communities:
https://www.linkedin.com/company/appsec-hive

Provided by Mend.io (https://mend.io)


Creators & Guests

Host
Chris Lindsey
Chris Lindsey is a seasoned speaker who has appeared at conferences, webinars, and private events. Currently building an online community and creating a podcast series, Chris draws on expertise from more than 15 years of direct security experience and over 35 years of experience leading teams in programming and software, solutions, and security architecture. For three years, Chris built and led an entire application security program that includes the implementation of mature AppSec programs, including oversight of security processes and procedures, SAST, DAST, CSA/OSA, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.

What is Secrets of AppSec Champions?

Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme-based, so it's more conversational and topic-based instead of the general interview style. Our focus is growing your knowledge, providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for a large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.

Jigar Shah [00:00:06]:
Always ask the question, what's the cost of not doing it? What's the risk? What's that impact as you tell that story, which they understand, whether it's a developer, whether it's a business leader, whether it's your CFO, or whether it's your CEO. At the end of the day, if I'm a CIO, my job is to develop that value proposition within my peers who are C-level or go to the board. So that's one of the things which I really, really do, is I always tell people, I'm not running a technology department. I always say I'm running it as a business. The difference, and this is where I think this statement is so powerful, run your IT department as you're running a true business, how are you enabling the business to run better with your IT practices, whether it's for IT, whether it's for cybersecurity, how are you keeping your company safe? How are you making sure that all your end users are safe and not attacked by any of the hackers?

Chris Lindsey [00:01:16]:
Hello, and welcome to Secrets of AppSec Champions. My name is Chris Lindsey, and today we are talking with Jigar Shah. Today's conversation is going to be around security champion programs. Jigar is an executive global director in the IT identity, access and application security space. Jigar, please introduce yourself.

Jigar Shah [00:01:35]:
Hey, Chris, first of all, thank you so much for having me on this. This is super exciting and of course, always a pleasure and honor to chat with you. Really excited about our conversation. So thank you once again for having me. Hello, everyone. I'm Jigar Shah. As Chris mentioned, I am very passionate about technology, business, security, and the things around us which keeps us safe. So really, really, really looking forward to having this amazing conversation with Chris today on building a security champions program in your company and how we can leverage security not just as a separate entity, but as a part of our day to day life.

Jigar Shah [00:02:18]:
So, really looking forward to that.

Chris Lindsey [00:02:20]:
Awesome. All right, so, Jigar, let's talk about building an application security champion program. What does it take to stand one up?

Jigar Shah [00:02:29]:
That's a great question. You know, though, it's simple, it's a complex endeavor to really achieve. So my first thing, Chris, when I talk to anyone in the company, my first question I pose to them is, whose responsibility is to keep the environment, organization safe and secure? That's my first question. I have, in my experience, I have gotten various responses from different people. Now someone says, oh, it's security team. Who has to, who is responsible for security? Sometimes it says security compliance and legal. Sometimes they talk about, oh, yeah, we do bits and pieces of this. So, in short, my first conversation, start with that.

Jigar Shah [00:03:10]:
And then I tell them that security is everyone's responsibility. Absolutely, period. Right. And that's exactly, you know, that's where I think you start building that security culture within any organization you go with. And I always believe technology and business, they're all driven by a culture from a leadership, how you really drive that culture and how it trickles down. And that culture not only reflects your internal organization, but to your external customers and your end users. So I think that's super important. And that's why I think this particular topic today, which we are going to chat about is security champions is more about, it's a philosophy, it's a culture, it's a framework which we really have to build within any company as leaders.

Jigar Shah [00:03:59]:
So my first thing, as you asked, what it takes to build a security champion is, number one, first of all, getting everyone on the same page. The security is everyone's responsibility. And then trying to, trying to get those folks within your site to, who are non security team members, right. Different members within your IT cross-functional teams, for example, application development team, right. Your infrastructure team, your product team, maybe your marketing, finance and HR, who are corporate business partners, right. Because those are the folks who will be attacked when something bad happens, right. Because they can be vulnerable. Right.

Jigar Shah [00:04:37]:
They don't know, and then they can get into this whole idea of getting sucked into this or a bad actor. So I, for me, it's getting the right stakeholders right to bring them in your inner room and talk about what is the objective and the goal you're trying to achieve of the security champions program. So if you really ask me, you know, and of course we'll talk about the entire thought process, but in one line, I think it's getting the right folks who you think are your spokespeople who are non security. Maybe they are sometimes non technical, but they really are passionate about security in general. Getting them, getting to be their spokesperson and developing them over time to really have your voice out in the company to really create that culture of security. That's what it takes to create a security champions.

Chris Lindsey [00:05:34]:
I love how you talk about culture because so many people that I've talked to about building a program, they're like, all right, the first thing I'm going to do is I'm going to reach out and talk to the developers and we're going to have one. And those are destined to fail. And everything you brought up is absolutely in line when you start looking at making sure the executives are on board, where the executives understand what the program is. Because when you don't have that executive buy in and you're reaching out to the developers saying, hey, you've got you, you've got your security champion and then you have your developers. And when you, when that resource, that security champion is split, some companies are split between developer and running the champion role. Sometimes the executives go, you know what, on the deadline, we need them to be programming. Forget the security. It can go away.

Chris Lindsey [00:06:31]:
And so what you're talking about, right, the culture, making sure everybody's on the same page, making sure that the executives know what this is about. All the way down to the security team, the management champion and the developers is absolutely critical.

Jigar Shah [00:06:50]:
Totally. I think executive, gaining that executive support is the key. I think half the battle is won that way. Right. When your executive or your leaders in your company bought into this whole philosophy, right, the whole idea of creating a security champions, they will themselves become a champion in a way to create a champion within their teams. And I think that's a very, very powerful statement to really make sure that make your executives to be the champion, to create a champion from their team. I think that's where the success lies. That's what the key is.

Jigar Shah [00:07:27]:
But yeah, I think after, once you get that executive support, I think identify and select those security champions. So how do you do that? So I think as a leader, you need to be very clear on defining the criteria, right? Develop a criteria for selecting the security champions, such as someone who is strong technically but still have a great communication skills, understand the security, the importance of security. So those folks who are, and I always tell people, security champions don't have to be a pro in a security. They don't have to be security experts, but they need to understand the importance of security that they can convey that to their respective teams. Right? So you develop those criteria and maybe in some, some cases I've done in past is I've also done a nomination process. Right.

Chris Lindsey [00:08:18]:
Right.

Jigar Shah [00:08:18]:
Now, you know, to my peers or different, you know, leaders, hey, who would you nominate from your team, right. There are different ways people can go about it, but that's how, you know, you, or even you can ask for volunteers. Some people are just interested and they volunteer. Hey, I would love to be the security champion. So at the end of the day, you bring those right folks into your mix. And I think that where, you know, you, you select those security champions to begin with.

Chris Lindsey [00:08:46]:
That's a great point. So one thing that I did that worked pretty well for me when I was setting up a program was I asked for volunteers, and I, because some of the guys who really want to learn and know more about security, how do I get in security? I want to be more secure. I want to learn in volunteering. Those are your really good assets. Because when I ran my program, that was something that worked well for me. When the people said, I want to be part of the champion program, those guys are very vested and really have the drive and desire to be a champion. And with what you suggested, too, asking the leaders, hey, who'd you recommend? A nomination process is also excellent because when you're going to the resource and you're talking to them and you say, hey, you were recommended by multiple peers on your team or within the company. We would love to extend this idea or this offer to you to be a security champion.

Chris Lindsey [00:09:45]:
You know, what do you think that buys the bill? The desire from their side, hey, if someone were to come to me and say, hey, we would love for you to do x, y and z, I'd feel great about doing it. It wouldn't be a, I'm being fallen told, or I'm being pushed into something I don't want to do. It's more of a, hey, that's great. I'm being nominated or recommended by peers who have the trust in me to do this job or this position.

Jigar Shah [00:10:12]:
Yeah, no, absolutely. I think one of the things which really worked for me in the past is if I really have to bring in someone, you know, as a matter of fact, Chris, I read this book which was really, like. Was really good in my career, which really shaped, you know, my thinking was influencing without authority. Right. That's actually a beautiful book. You know, if you get a chance, you know, definitely, you know, I would highly recommend, because most of the time in our careers, you know, sometimes we don't have a specific title, but we are still putting into those leading roles where people don't pretty much report into us, like, from the HR standpoint, but still, you know, you are responsible because you need them to do your work as well as, you know, for the project work. So how do you become more effective? And I think that's where I really took, you know, some of those lessons from that book. And I started influencing without authority.

Jigar Shah [00:11:06]:
Right. And in that case, what I did was first I started having those cross functional meetings with their leaders, bringing those teams in and just, I would say, basically making them socially aware about cybersecurity. So slowly and slowly, I started getting those interests from people who were really just interested in understanding what's happening out here. And cybersecurity is right now such a field which is not foreign to anyone because there are so many things, even people who are not working in the space, they still know what that means, right? At least at a high level. So here you're talking to people who are already in the industry. So the job becomes little bit even easier. The second thing is you need to start bringing the leaders into the fold and telling them that, hey, if you don't do this, what are the implications? How does it impact them? So once you start telling that story and the data points, you give them a line of sight that, hey, even though this is not my job responsibility when I joined the organization, or this is maybe I'm an application developer, but so that is not in my job duties to really go and, you know, become a security champion. But you still, I still want to become a security champion.

Jigar Shah [00:12:17]:
Why? Because indirectly it affects me. Right. So that particular portion, you really have to make sure that you make it clear to, to them in whatever the situation you are there. And the last thing is you bring them into your day to day, maybe even weekly updates and things like that where they really see that, how the security programs are run and what are those things which are affecting the rest of the company. They directly see how things are moving. I think once you give them that line of sight, be transparent, right. And we tell them that, hey, this is what is expected from you and we are there to train you, right? It's not that we are asking you to like be, hey, just come with all the knowledge, you know, here. We just need that, hey, you are the champion.

Jigar Shah [00:13:07]:
You can influence your team. So you're looking for, I always say people in this whole social media world, we need those security influencers, right? Quote unquote. Right. So I think the new name I've come up with is not security champions more than, hey, you are the security influencers. And I really like this term because people can relate to it. And rather than making sure that, hey, I'm the champion of this and I need to know, XYZ, no, you just need to influence people to do this, right. And I think that the whole mindset changes. So that's how I would go, you.

Chris Lindsey [00:13:39]:
Know, you bring up a good point because sometimes, and I've seen this too, where somebody is, hey, I'm the champion. I'm in charge of security for these projects. You're going to listen to me because I'm the utmost authority and they bring down the hammer and they alienate the developers, again with the security team and it becomes problematic. Whereas I love your word influencer, because that's really what they're doing, is they're influencing good security practices down at the development level. Teaching developers, hey, here's what I've learned from the security guys. Here's what I've learned on my journey. Let's take this and help apply it to your code base and make it better as one and make everything much better.

Jigar Shah [00:14:27]:
Totally. I completely agree with you. I think that's where the key is. A lot of people try to enforce things and I think that's where I think it doesn't work. Because once, because ultimately, look how security plays a role, right? Security is something which people see sometimes as a hindrance, their work as an obstacle, right? If you really ask someone as an end user, why would I have to go through these steps when I can just do it, right? So in order for you to be successful, you need to be creative, you need to be a creative thinker. And I always say, being a CISO or being a CIO, you have to have that. Empathy is so important. I think most of us, including sometimes me, we lack that empathy.

Jigar Shah [00:15:10]:
And if you don't understand as a leader what empathy means or how does it work, you are never going to be successful. Whether it's any program in AppSec or as a matter of fact, any IT initiative. At the end of the day, it's all about people, right? How are you impacting their lives, right, as an end users and how, what kind of business outcome you're bringing back, how you're making sure the technology is enabling you to do that. So I feel that empathy is so important. Once you understand that, you know how you can make these folks who are non security folks bought into your vision and bought into your strategy, that's when they will really become your true spokespeople person or a true influencer outside security and really build that whole security culture which I talked about earlier.

Chris Lindsey [00:16:02]:
Absolutely. One of the things that I've heard a lot of the security teams say, I don't have a developer on the security team because I can't hire one, I can't find one. And the beautiful thing about having a security champion or influencer program is that now you're actually bringing somebody internally into the fold and you're promoting them into the security area. And so many people who don't understand security, this gives them that opportunity to learn, to grow, to be better. And over the years, of my development writing software, one of the biggest things that I always wanted to do was be better. And early on I saw back in early 2000, databases were the future. Databases is where things were. You're going to need to know databases inside and out.

Chris Lindsey [00:16:54]:
And because of that, I took a job only working in the database area, writing stored procedures, writing and creating tables and all things database, which then propelled and just made things better down the road for me in my career. And I was able to take what I learned and apply it and help others and just pay dividends. And that's the same thing you're doing with the security program, the influencer program. You're taking somebody, helping grow this person, be it if they volunteer or through the committee, hey, you've been recommended and taking them to that next level of understanding of security. How many times do we hear, hey, I just got another email, this company X has just been compromised, and my information was in there. Or how many times have you heard, hey, data has been stolen and is on the dark web, and you're asking yourself, how did this happen?

Jigar Shah [00:17:57]:
Yeah, and you bring up a really good point, Chris. I think we are living in this world which is highly digital, which is highly interconnected. Imagine those threat actors or bad actors moving freely, right? Having our personal information, right? They can use it in any way they want. I mean, how would we feel, right, that, hey, someone, we feel that, you know, someone has really come into our house really understanding what's going on. I think that's why I said security is not foreign to most of the people anymore, right? They, everyone, even if you ask, you know, who's a non technical, non security person, even walking off the street, I bet you they would know what identity theft mean. Hey, how. What security is, you know, or they know the world I got hacked kind of thing, right? So I think it's not that foreign anymore. People are becoming very aware.

Jigar Shah [00:18:50]:
And our jobs as leader is to make sure that the companies or the organizations we work for, we develop that culture, you know, for the people. So that it says that it all starts from the home. Once you start, it just starts developing, you know, huge and big. So to that point, I think it brings into my two next steps, which you mentioned, Chris, earlier, was how do you now, once you get the champions or influencers, what do you do with them? And I think the organic step is number two, defining the right roles and responsibilities and then providing them the training and resources. So that whole responsibilities is very important. Sometimes people start a security championship program with a big bang but then they fail to really draw that RACI chart, that whole responsibility, hey, I'm a non security person. For example, if I'm coming to your team, what do you really expect me to do? So those things as a leader, we have to make it super clear that, hey, person X, you know, you are a security champion and this is what, you know, we will equip you with the right amount of training or education or resources which you can take it back to your team, right.

Jigar Shah [00:20:03]:
And then, you know, go disseminate that or casket that more information or be that gatekeeper. So for example, developers, right? Let's say we talk an example of application developers. People say, hey, security, we don't do all of this or we don't do this, right? Can we just bring security shift left. Can we bring security in the beginning, right, when they are doing some design session, that's what is called as threat modeling that we really want to bring, make sure that security is involved during that time, that initial design sessions, or maybe even during the initial requirements gathering. We really need that security spokesperson to really bring that security view when the product and the marketing team are coming up with new initiatives. So something I would say as an example, you can use security champions to really be your spokesperson, be out there to really call these things out, those nitty gritties that, hey, this is how we can do. If you're writing a code, let's do another round of review from the security perspective. So even before this further developed and progresses into the whole SDLC cycle, I'm still there to really make sure the security is in, built into that.

Chris Lindsey [00:21:18]:
Right, right. You bring up a good point. I have talked to others who tried to start a security program, an influencer champion program, and the problem was the security team. We're too busy for this. Well, the problem is when you bring somebody in, hey, guess what? You're going to be part of the security thing. Hey, you know what? Go learn it on your own. You're on your own. You're destined for failure.

Chris Lindsey [00:21:41]:
You'll never get off the ground. And what you said, it was spot on. When I bring you into the champion program or into the security group with the dotted line, or however it's done in your environment, you're now one of us. You're going to be invited to our daily stand up or weekly stand up. You're going to know what we're working on. You're going to know that, hey, here's what we're trying to do. We're looking at new tools to do X, Y and z, do you have any thoughts? Now you start bringing them in and when they're actually vested and know and feel like they're part of the team, they know what's going on. They can take that and relay it back down to the developers.

Chris Lindsey [00:22:25]:
Hey, here's what the security team's working on. Here's what they're thinking about. Here's what they're doing. One of the things that I always did, when we ever did any penetration testing internally, we always recorded the results and we did that through a video and we took that information. We sat down with the manager and the software architect and said, here's our finding. Here's how we did it. Here's what happened. When you have that transparency, it goes a long way to making sure that it can be fixed.

Chris Lindsey [00:22:56]:
And having that influencer, that champion, that's what they're doing. They're able to go in there. When they have some downtime, they can be focused on taking a look. Hey, what I'm going to work on this week or this month is going to be SQL injection month or command injection month. And they can pick two or three topics and start really looking through all the findings in the tools or within the code and trying to take the most critical things like a command injection. Is this real? Is this something that can happen? And you can start building that, hey, here's what needs to be attended to. Let's put this in the next sprint or, oh my gosh, we just found something really bad. Let's go ahead and get a hotfix out there.

Chris Lindsey [00:23:40]:
And when they're intertwined that closely with the developers and with the software architects and management, all of a sudden it makes it easy. It's an easy conversation. Hey, here's a finding. It's critical. This is why it's critical. Don't address it either now because it's a hotfix or maybe it's, let's put it in the next release, right?

Jigar Shah [00:24:02]:
Or, you know, definitely. And, you know, just to piggyback on what you said, is always ask the question, what's the cost of not doing it? What's that risk? What's that impact as you tell that story, which they understand, whether it's a developer, whether it's a business leader, whether it's your CFO, or whether it's your CEO. At the end of the day, if I'm a CIO, my job is to develop that value proposition within my peers who are C-level or into the board. So that's one of the things which I really, really do is I always tell people, I'm not running a technology department. I always say I'm running it as a business difference. And this is where I think this statement is so powerful. Run your IT department. As you're running a true business, how are you enabling the business to run better with your IT practices, whether it.

Jigar Shah [00:25:01]:
Whether it's your cybersecurity, how are you keeping your company safe? How are you making sure that all your end users are safe and not attacked by any of the hackers?

Chris Lindsey [00:25:11]:
And you bring up several good points. Think about it this way. All right? So people will usually look at security as it's a cost center. It's costing me money. It's not gaming me or growing me any money. And you really, you hit the nail on the head when you said, what is it going to cost if we have a breach or data loss? What is this going to cost if we have PHI that gets released?

Jigar Shah [00:25:37]:
Totally. Absolutely. And, Chris, you hit the nail right there, too. Right? That's when you keep these leaders thinking, because now you're talking their language. Now you're talking a CFO language. Hey, if you don't do this, you're gonna maybe lose X amount of money. The revenues might go down or, you know, the profits might not be there. Instead of being IT and cybersecurity as a cost, I would rather.

Jigar Shah [00:26:01]:
So what I did was I turned into an investment investment center. From a cost center to an investment center. And when you do that as a leader, that's when you really see the CNO and how the whole culture changes. Right? You sure that you break down the silos? That's another thing. I really, really, because what happens is security is into one area, development is in another area, and they both are running, and they both have this constant friction. My thing is even physical silos, I don't want. I want developers in security to sit together, right? Break those barriers, break all those silos. As a result, you are a part of one team.

Jigar Shah [00:26:39]:
You're a part of it. At the end of the day, to me, you're a part of the information security or whatever you want to call information technology department or a program. I think that's where you start gaining as a leader that respect which you need from your entire team, that, hey, now you are giving them a line of sight of what is the cost of not doing it. What is the impact of not doing it? What is the risk of not doing it right now?

Chris Lindsey [00:27:07]:
One thing that, and I've worked with a lot of companies helping them build their programs. Through my previous roles, one of the things that I usually talk about is finding a way to incentivize this role. Multiple options, one being if you're dispersed, right, you have multiple locations spread across the United States. Bring everybody together in one location, one room for a week, and that helps take the influencers or champions and make them, hey, you are part of the security team because we're all here together for a week. They look at it as, hey, I get a trip. Because a lot of developers, they never usually get to be invited to go to other locations outside of, hey, I work in Kansas City, I've been in Kansas City. I never get to go to another location, maybe Orlando or wherever. Whereas bringing them together helps build that unity.

Chris Lindsey [00:28:03]:
It gives them a feeling of, hey, I get to travel. Because a lot of developers rarely get to travel.

Jigar Shah [00:28:09]:
Right.

Chris Lindsey [00:28:10]:
The other thing that I've talked with others is create a bonus or incentivize through a slight increase in salary. And a company that I worked with before had 15 to 20 developers that were going to be part of their champion program. I suggested, hey, between this amount and this amount. And the pushback was, well, that's going to add up to x amount of money. And I said, look at it this way. What would it cost to pay a full time employee to do this job?

Jigar Shah [00:28:40]:
And more than that, what will be the cost if you don't do this?

Chris Lindsey [00:28:45]:
Exactly. You're talking less than one FTE and now you have 15 to 20 security guys versus just the one.

Jigar Shah [00:28:54]:
Absolutely.

Chris Lindsey [00:28:56]:
So you have much better reach and everything.

Jigar Shah [00:28:57]:
I think you have a really good point. I think reward and recognition is so important because here you're asking someone who doesn't have that responsibility, but you're still expecting that person to do something outside of what they are supposed to do, right. And I think that's the best part, is getting them rewarded. Sometimes a public recognition, sometimes bringing them into your all hands meeting or your town halls where you really, like, felicitate them, right. Really bring them, give them that whole, the grand, whatever feedback you have to give them. That way you're really pushing them to do their best in this program. And that would really go far along because most of the time, sometimes I feel that, you know, people get motivated by different things, right. Some are financially motivated, some are appreciation motivated, some are feedback motivated, right? So you really need to understand who is who and accordingly, you need to tailor your rewards and recognition program to bring them in and then start measuring and tracking that progress.

Jigar Shah [00:30:01]:
So that's another, right. How do you know that your program is working well? How do you really track that? And that's what I think you need to define, those metrics, those KPIs where you really see the before and after picture. You see if, for example, code reviews. Hey, code reviews. I had XYZ vulnerabilities when I did my scan or I had this many false positives and things like that. Now with the code review, with the design sessions, I've reduced by x percent. And I think that's what talks about your real progress. Right.

Jigar Shah [00:30:35]:
Your real.

Chris Lindsey [00:30:36]:
Yes. So one thing that's an interesting concept or not an interesting concept, but something that is interesting that I see in some programs. So when you're a larger company, you may have a lot of different teams. Some companies that I've worked with have over 85 plus teams. And what's interesting is you may have a successful security program, but one of the things that you always have is that one team, that one team that will not do the security stuff that, hey, guess what? We have a finding. We don't care. We got to get this out the door. Hey, you have some very critical things.

Chris Lindsey [00:31:14]:
We don't care. We've got to get out the door. How do we work with those teams?

Jigar Shah [00:31:19]:
Yeah, again, going back to again, the fundamentals, right. At the end of the day, you have this many findings, and if you don't paint that right risk picture to them, they never get it right. So as a leader, you have to talk. And sometimes it even talks from the top. It doesn't come from the bottom. Sometimes it has to be coming from the top. And that's why I talked about culture at the very beginning of our discussion. Because if you put a product out in a rush that, hey, I have to put this out without really making sure that it is secure and safe.

Jigar Shah [00:31:52]:
So no matter what industry you are in, either you will end up recalling that product, you will end up maybe getting into a lawsuit or legal implications, or you may end up with a loss of your reputation or loss of finances, any of those things. Right. So most of the people don't understand because, you know, their job is to just, hey, kick their programs out. But then as a leader, if I am a CIO or if I'm a CISO or if I'm an executive leader in a company, my job is to educate my peers, my leaders. Hey, guys, you cannot do this because of XYZ reason. So as long as you do that and then you talk about the whole risk analysis. Right. Hey, how much risk are you willing to accept? And then the conversations come to that point from a leadership that, hey, if you're willing to accept that risk, then, yes, why don't you sign off on this? So then you start holding people accountable in a better way, not in a bad way, but in a good way that, hey guys, I think accountability and outcomes are the two main things which I have kept within my team.

Jigar Shah [00:32:57]:
So you make them accountable not only just within your team, but even cross functionally that, hey, now if you do this, you are accountable for XYZ. If you do this, this is the outcome. So once you start painting that picture, if you're a good storyteller, right, with the right data and facts, and I think everyone understands the gist and if they don't, they know, then you got a problem, then you really have to have honest discussion with your teams. But I think most of the time it's just a matter of bringing that line of sight, talking about in the risk terms, talking about in the business outcome terms, and then telling people what if you don't do this. I think those are some of the key.

Chris Lindsey [00:33:39]:
That's spot on. It's funny how many conversations I've had and it's, hey, there's just one team. And so you're right. Sometimes you just got to elevate and bring it up to the executives and say, look, we've done everything we can your problem and see what they can do. Awesome. Well, there's been a lot of different aspects we've talked about champion or influence or programs. Is there anything else that you would want to throw in there or discuss related to running a program, working on a program? Anything program related?

Jigar Shah [00:34:16]:
Yeah, I think most of the things we discussed. Right. I think you run a program as a program. So even if you treat security champions as a program, you need to have your framework, you need to have your governance structure put in place. Right. So you need to have the clear objectives, goals for this program and you need to track it, you need to monitor it, you need to bring them, have them a part of your team, as you said, daily stand ups or maybe, or in critical meetings where they attend. They understand what your vision is, what your roadmap is, how your vision and roadmap impacts their roadmap. That's also the key.

Jigar Shah [00:34:54]:
So integration and collaboration is super important. That's where you start to draw those synergies as well as those healthy debates, which really is very useful. And I think that's when even you take a step, you know, even further. That's when you start innovating. You bring in some innovation technology. Like lately, we've all heard about AI. AI has been a big buzzword in the last nine to ten months. There were days when, as a leader, people were asking me, what's your IT strategy? What's your cybersecurity strategy? And I used to use the word called digitalization, digital.

Jigar Shah [00:35:32]:
And now it seems that, you know, AI is kind of replacing digital. So now it's a whole AI game. And you have seen things like ChatGPT and other, like, you know, automated parts and everything. Man, the world is going in a very different direction at a very fast pace.

Chris Lindsey [00:35:48]:
Oh, absolutely.

Jigar Shah [00:35:50]:
And at that point, if you're not collaborating, if you're not innovating, if you're not really responding to your current situation, you are not going to be successful in any role you are in within your company and in your business. So I feel that, you know, you run the security champions as a program. You really have a dedicated person, you have a methodical approach. You put a framework, you start tracking it, you monitor the progress, you communicate. Communication is the key. So how do you effectively communicate? You provide the training and development to your security champions. You bring them into your fold. You pretty much use them as your spokesperson outside security.

Jigar Shah [00:36:34]:
Right. And if you help them remove the blockers, if they are getting into that, any blockers or any pushbacks, right. So then at that time, you chip in, you be that, you know, you have their backs, right? So that's how I think if you run that entire program in a very methodical way, in a very structured way, I think, I'm pretty sure it's going to be very, very successful.

Chris Lindsey [00:36:55]:
I fully agree. And the companies that have run programs successfully and treated it properly have all seen success. Jigar, I really appreciate today we are running out of time, so I wanted to give you one last chance. If there's anything additional that you would like to add in before we close.

Jigar Shah [00:37:14]:
I'm very, very honored to be featured here and talking to you. You yourself are a wealth of experience and knowledge. This is a great forum, great platform where you're bringing leaders, you know, someone like me, to really understand security as well as IT in that detail. And, you know, you're doing a great job for the community, especially people who are in a similar job, to really understand and know from my learnings, right. At least I can share my two cents, you know, what went right and what went wrong. So I really appreciate, you know, you bringing me over. This is great. I would just leave one thought to all the viewers and audience here that make sure as a leader you say to everyone that security is everyone's responsibility and not just one team's responsibility. If you develop that culture, I think no matter wherever you go, you are going to get the success in your organization.

Chris Lindsey [00:38:10]:
Well said. I don't think I can add any more to that. I can't say it any better. Jigar, thank you for today and I appreciate it. Thank you.

Jigar Shah [00:38:18]:
Thank you Chris.

Chris Lindsey [00:38:22]:
Thank you so much for joining me on this episode of Secrets of AppSec Champions. If you found this valuable, hit that subscribe button on Apple Podcasts, Spotify or wherever you get your podcasts. And hey, ratings and reviews are like gold for us. So if you're feeling generous, please leave a kind word. It helps others discover our show. Until next time, take care.