Education Is the Best Path To A Stronger Security Posture

Category: Engineering
Diego Amortegui

I remember the days when a company could say having a private data center, some backups, a corporate antivirus solution, a firewall, VPN hardware, a dedicated IPS, and some VLANs was "good enough" to protect its infrastructure and sensitive assets. Throw in some phishing campaigns against unsuspecting employees, call in an external pentester to find out whether anything had slipped under your radar, and you could have a good night's sleep.

The IT landscape has changed. We now have technologies like cloud and microservices, and a much larger workforce providing services from home as a result of the COVID-19 pandemic. Additionally, new trends have given threat actors new capabilities (for example, AI services that can take publicly available information to create a digital fake of someone's face or voice and impersonate that person). Now, something as simple as what someone posts on the internet can lead to a security incident. Regardless of how much security hardware or software a company has invested in, it has become increasingly important to update the mindsets of companies and employees to address the constantly changing threat landscape.

So the question is, how can companies protect themselves, their employees, and their customers from these emerging threats?

The simple answer is that no company or person is completely safe, but risk mitigation plays an important role, and it starts with education. Relying only on hardware or software will never be enough to stop a risk from materializing. While those controls can lessen risk and reduce the attack surface, education plays a vital role in hardening a company's defenses against threat actors.

The Path

Over the years GoDaddy has become one of the most recognizable companies across the internet, not only because of our domain registry service, but also because of the new, easy-to-use offerings that help businesses grow their internet presence. But as a company grows, so does the need for trained individuals who can quickly identify and manage risks.

Early in 2023, the Security Champions program was introduced to strengthen the security culture at GoDaddy. Employees from different branches of the company could enroll and attend a two-day training to learn and update their knowledge of security topics focused on risk identification and mitigation. This program is now available to our employees on a continuous basis and is supported by the CISO office and senior leadership.

As with any new training or education program, the trainers had to select relevant topics, define the presentation strategy, prepare the supporting materials and hands-on labs, and present their knowledge (virtually) to our community. Working through the new program was a constant evolution; each iteration brought more maturity to the program, but preparation was key to providing successful outcomes for trainers and attendees.

When the time came for training, our engineers took a deep dive into how to identify threats. They familiarized themselves not only with threats from the outside, but with threats from the inside as well. They learned techniques to improve their own coding practices from the design stage onward, to avoid introducing vulnerabilities that could be exploited, and learned how an attacker may view infrastructure when checking for security flaws. These lessons helped our engineers avoid common mistakes. They also learned how to use automated tools to check their code, and how to report and act immediately in the event of an incident. We are confident that our security practices and the knowledge our engineers gathered in those two days will further strengthen our security posture.

By the end of 2023, the Security Champions training was already well received and enrollment for each new seminar was booming. People from all over the globe and from many different disciplines attended the training. Not only did they learn and have time to practice what they had learned, but they were also able to share experiences from their respective fields, sometimes sparking short but interesting debates during the sessions. These debates helped the whole group understand different topics in many unexpected ways.

The Outcome

Generally, technology companies have spaces where people can ask questions about security topics and get answers on how to deal with potential security risks during the design, setup, or implementation phases. But once a product is released, the discussion of risk can taper off. Cybersecurity requires a continued discussion of risk that does not rely strictly on adding tools after a product is released. This means implementing a curriculum that educates employees about ongoing risks before and after a solution is pushed into production, and revisiting that curriculum to address new trends in the security domain. It also provides an opportunity for different groups to discuss innovations and challenges they might not otherwise be aware of. Keeping employees aware of an ever-evolving threat environment helps us deliver the best and safest products to our clients.

We can confidently say that even as the threats evolve, the "is this safe?" question is now top of mind for many more employees. By offering the Security Champions program, we have strengthened our security posture for years to come, provided a space for cross-functional teams to learn from each other, and delivered a forum for continual learning.