
Hello everyone, my name is Gustav Lunascord. I work for IKEA and I'm here to talk about our Cyber Jedi Academy. I live in Sweden. I've been working in a few different positions in security, but three years ago I joined IKEA to start working with software security a bit more. In this context, for two years I've been leading the software security program at IKEA, and I'm here to talk about the learnings we've had in our security community, which is the Cyber Jedi Academy, and what I think we all must... how we must think and work with security, specifically in DevOps today. So let's jump into some slides and let's get cracking, shall we?

Okay: "Software Security: Rise of the Cyber Jedi", a security community of practice, and some nice IKEA products as well, so some IKEA advertisements in this, of course. That's me. I work within cyber security at Ingka. Ingka is a part of IKEA; this means that we sell furniture but we do not produce furniture, that is a different part of IKEA. So the security that we do is mainly focused on all our warehouses and all our co-workers. We are 170,000 employees, whereas approximately five to six thousand people work with our digital solutions, so we're a fairly big digital department as well. I run software security, which is one out of five legs within cyber security. The talk here, I give it, but I have a whole team within software security, so everyone back home, big thanks to you as well. This is not, and has never been, a one-man show.

So, the biggest revolution since IKEA was founded, and this is not the pandemic we're in, this is actually about the mobile phones. Already in 2017, four years ago, it was estimated that five billion people had mobile phones, and this has massively changed the way that we interact and how our customers shop, not only at IKEA but at all retailers across the globe. Our data shows us very clearly that in China the homes are super important for what they're going to buy, even when it comes to furniture, whereas in Germany many of you are thinking the stores are still the most important thing. I hope that you are an IKEA customer, and if you've been one, maybe you've seen that the store experience is usually better than the online one, but we're changing that, and I think that we've come quite a far way. I'm going to talk about how we try to work through security in this context.

So three years ago we set out with a new IKEA retail direction, that we are creating a new IKEA, and figures bringing digital to the core of everything we do. So we changed almost everything when it comes to digital, and in this transformation we focus on DevOps. I think that many people know what DevOps is, but just to clarify: when we say DevOps we mean the culture, and not that we run a lot of pipelines. Of course we run a lot of CI/CD pipelines, but the context that our digital platform teams and digital product teams are working in is mainly DevOps, and this means one thing: you build it, you run it, you operate it, and yes, you guessed it, you must secure it.

So where would we go? Because this massively changed things. We've been working with security at IKEA for a long time; we have had 24/7 SOC monitoring for over 10 years, we have a strong perimeter, but what does DevOps mean for us? In this we're also going to the cloud quite aggressively. Well, we looked at how we measure DevOps and what our engineering community speaks about. Our engineering managers started, and are still, measuring the teams on many of the performance metrics that come from Accelerate, the State of DevOps. If you work within security, and specifically software security like I do, I recommend reading this, and if you don't have time you don't have to read the book, read the State of DevOps survey (read the book as well), but the State of DevOps is an awesome survey of DevOps transformations across companies. And we stole this quote here: "Information security should be integrated into the entire software delivery lifecycle." Yeah, that makes sense. What we see is a shift to giving the developers the means to build security in, and this means, okay, we really want to build security in from the start. These are the metrics that they look at, and they're different from the ones that we have in security, but we see one there, availability, and many people in security work within CIA. If we can do these things right, I'm sure that we can do security right as well.

In this I just wanted to highlight one specific thing from the State of DevOps as well. They said the best strategies for scaling DevOps in an organization focus on structural solutions that build community, and this picture here that I stole from Laura on the State of DevOps shows a clear thing: the communities of practice line. In the elite performing teams you have communities of practice, and traditional things such as a center of excellence are not as common. So we thought very much about this when we started building out this community.
But first, how are we going to do cyber security with DevOps? Well, for us, if you are a team that builds it, runs it, operates it and architects the solution, you are also the most, and the only, well-equipped team to solve security issues within your team, and as such the security work should be centered on that team. The security engineers that we have, and that I also am, must focus on empowering the product teams and making them better in how they deal with security, and together with the Cyber Jedi, which I'll go into in just a minute, that's how we try to drive security.

So we started our security champions program a little bit over a year ago, but this slide is almost two years old, from when we set up that we wanted to start doing this, and that was to build a security champions program. I think we've all heard about security champions, but we wanted to make security scalable, we wanted to increase transparency and offering, we wanted to raise awareness and empower developers to address security. Well, a security champions program, but the talk is about Cyber Jedis. Well, we had the opportunity, of course, to pick any topic we liked, and we had a long discussion whether or not to go with Star Trek or Star Wars. Easy choice, if you ask me, so we went with Star Wars. "Help me, Cyber Jedi, you are my only hope", quote Leia. I think that this just tells us really well how we can... the only way for us to scale up security in the organization: we need the Cyber Jedis to help us in this, and the Cyber Jedis are critical to our success within cyber security. To make it a bit more fun and make the Star Wars theme more obvious, we also wrote some of these things, right, so the Digital Product Breach, I think you recognize that.

But yeah, let's go into what we did and where we started. Well, in March 2020 we had a pilot program with seven engineers, and we had a few modules like the SSDLC (secure software development lifecycle), secure coding and web security. Then we changed the program based on feedback, and this is super important, and I'll get back to why changing based on feedback is so important, but these modules became too big, so we had to change. So in September 2020 we made a bigger rollout where we also launched our self-led learning. The self-led learning utilizes our IKEA e-learning platform, and this is something that we do in collaboration with Learning and Development at IKEA. Learning and Development is an organization that is tasked with upskilling all of our people in the company, and they work with the pros at Pluralsight and Coursera and these types of learning platforms, and that's also how we actually bundled up together with them to run some of our Secure Code Warrior platforms as well.

On the left-hand side of the screen you see a picture of our online learning, and you see the curriculum on the first level, "The Way of the Cyber Jedi". There's an introduction video, there are reflection forms, and more things in the online platform can be such as links to documents or articles we want them to read, videos, as I said, it can be surveys, it can be assignments. These are on the online learning platform to enable the Cyber Jedi to do it at their own pace, and this is really important, because some weeks you maybe have releases, some weeks you have focus in your product teams, but with the online learning they can do it when they have their own time. The assignments we give them are to do things in the context of their own team, and this is really important.

Together with the self-led learning we have four different levels. In the first level, "The Cycle Begins", you learn some basics: you learn what the SSDLC is, what privacy data is, and some basics. This usually takes one month. At the Padawan level, three to four months, you apply learnings within your teams, and one of the Padawan-level assignments we have is SAST scanning, like code scanning, and to apply that in your team. At the Knight level, which is a more advanced level, you optimize and lead your teams through various security activities. So at the Padawan level we ask them, for example, to start by selecting SAST, and they can pick either the things that we offer centrally or open source as well. The important thing is that they scan and improve on findings from the different types of scanning that we do. At the Knight level we have them optimize this, starting to integrate it into the flows and processes of the teams, and at the later stage of the Knight level we also have this [inaudible] threat modeling. This is really awesome, because if we have software engineers within their own teams doing threat modeling, that gives so many benefits to the teams, because the whole team understands the application better when they threat model together. We could have a separate talk on how we do threat modeling, that's for another time, but we believe in empowering the product teams to do threat modeling themselves. At the Master level we only have a few; we want them to lead and inspire other teams, and then they take part in PoCs, they help us with a lot of feedback to really improve how we do cyber security in the company today.

The open sessions: every week we have an hour which is an open session, and here all Cyber Jedis are invited just to come, ask questions, get help, or hang out and work on Cyber Jedi stuff. Some of the Jedis use this hour, this meeting, maybe not to be active in the meeting but to have blocked time to work on their assignments. We also have occasional topics, and nowadays we almost always have a topic, which can be something that's relevant or something that we want them to think extra hard on or work with, such as third-party dependencies
and hygiene when it comes to third-party dependencies. Such a thing was when dependency confusion arrived, which was a vulnerability in package managers through which security researchers hacked a lot of big organizations such as Apple and Shopify and Microsoft. We talked about this in our Cyber Jedi Academy and what we need to do to protect ourselves from this. So having this every week enables us to discuss topics that are happening right now and that are relevant for them to keep track of. So that's what we did: we have the online learning, we have the open sessions, we have the different levels.

But what has this amounted to? We've been running this for a year now, and what have we learned? Well, at the start we were learning how to adopt the SSDLC, and that means, somewhat naively, but the truth is that I think many SSDLCs across the world look fairly similar. In an SSDLC you have code scanning, dependency analysis, pen testing, you have hardening; some have DAST, some don't have that, some have IAST. But it was quite theoretical; we didn't support our Jedis and our developers in easily understanding what this SSDLC is about. So with feedback from the developers we could change the SSDLC and the communication around the SSDLC quite a lot.

We also learned that initially getting time commitment was hard; product owners and engineering managers did not want to give out time without realizing what this was. We also understood that the feedback from the Jedis was super important, not only for how we needed to do the SSDLC, but feedback in general when it comes to security, when it comes to compliance, IT controls: they say things we don't want to hear but that we need to hear, and that's really good. And also, a really important learning is that you must spend the Cyber Jedis' time wisely. All activities that you do must make sense and make the product better, and I'll elaborate on that in just a minute.

Because what went really well, and not only what we learned, is that we created a helpful community, and this is something that I'm really proud of. Looking back at the State of DevOps, where I talked about the high and elite performing DevOps teams having communities of practice, this community that we've created here is really helpful. The community consists mainly of a big Slack channel, a Confluence space, and our meetings. In the Slack channel we have Cyber Jedis asking questions such as "I have this finding where I have this type of data" or "I have this problem with authenticating" or whatever, and we have other Cyber Jedis helping them, and not specifically perhaps a security engineer. This is really good, because if we have product teams and engineers helping other engineers with the challenges they have, they have a solution that works not only in theory but in practice. The learning goes both ways, and this is something that's good as well in the community, because we learn as much from the Jedis as they learn from us within security. That's really good, because now we have our assurance teams and our cloud teams and our pen testers also engaging with the Cyber Jedis. And the third point here is that supporting the Jedis has gone well, because now we have all these different security teams helping the Jedis, and that makes them feel special and that makes them engaged. With high engagement, and feeling special, they also feel like they are a part of why we're doing this, and they can be a part of how we're going to do security tomorrow at IKEA.

This also brings me to believing in the mission, the why. I haven't talked so much about IKEA, because I think this community and all of these things are important, but why we're doing this is really important, and this is something that has come across. IKEA has a vision that we want to create a better everyday life for the many people; we want to show that it is good business to do good business. For us to reach these goals, which a lot of people in the company really believe in, we must have secure software, we must have high quality software, and we cannot reach this unless we build security and privacy in from the start. So this message has come across and people believe in what they're doing. And the last point: the teams with a Cyber Jedi are more successful in their security activities.

That leads me to the drawbacks, because there are some. I know it may sound like gold and green forests, as we say in Sweden, but there are some drawbacks. We feel that the teams that have Cyber Jedis are successful in their security activities, but connecting to the big transformation that we've done as a company, we have no good baseline of our product teams to measure from, so we don't really know the impact that they're actually having. That makes it hard to measure the positive impact, but we know that there is an impact, because we see a lot of, not us but engineering managers, asking us to train more Jedis. A drawback with this as well, now that the academy has picked up pace and we see a lot of benefits from it, is that there are a lot of expectations on the Jedi: as soon as someone says "okay, here's the Jedi in the team", security engineers and a lot of people look to the Jedi for the answers, and this is a bit dangerous. It also comes with a high cost of running this, of course, but it is a low cost, if you ask me, in terms of what we get out of it. But it is time consuming: we need to create learning materials, you need to create documents, you need to spend time with them, you need to make them feel special, and that takes time and energy. And the last one here is that there is a possibility as well that we're having software engineers working in activities that do not reduce risk, and this is something that's really critical for them, because they need to provide value, otherwise it's a waste of time. Yeah, this is something that we thought a lot about.

So what should you do, and why am I so passionate about this? Well,
some tips for your own Cyber Jedi Academy: first, do a minimal viable product program to test this out. You don't have to be a big organization for this; do an MVP program in the context of your company or of your community or wherever you are, because I genuinely believe that the context in which we're doing security is all it is about. If it wasn't about the context we could always go to OWASP and use their checklists and use all of the things that are written there, because, I mean, hands down, they're amazing, right? But do an MVP program and make sure that you improve on feedback. Don't have too much pride, because I think that it's impossible for a central security team to sit in an ivory tower and say "this is how things must work, this is how you must do security". I think that by improving on feedback, and having them see that they can actually impact how security functions at this company, they're much more likely to engage with you. And make sure that you spend the developers' time wisely, because if they feel that they are learning something that is useful, that is really good, and if they're having assignments that improve the security or the knowledge or the process of their teams, all the teams, all the product owners, the engineering managers, they're going to say "hey, this is awesome, we are a better team now than before we had a Cyber Jedi". If you spend that time wisely, that's awesome. And the last point, learning by doing, that's one of the key things, and that's connected, right: if you do a thing that helps your product or teaches you something, and you do it and learn by doing, that is the best way to learn anything, if you ask me.

And what is our Cyber Jedi Academy, and what are our plans for the future? Well, first we're going to make more paths, for other roles than software engineers and DevOps engineers, because even though we produce a lot of software, we also buy a lot of software, we integrate a lot of software, so we need to have paths for platform engineers, system engineers, and we're even being asked to do paths for roles such as product owners and scrum masters to enable them to do security better. We also need to raise our frequency of onboarding, and this is something that we're working on right now, to have anyone be able to join at any time. They are able to do so for now, but what we've seen is that if we run it as cohorts, meaning that we start with a set of people with a set pace, a semi-set pace, and a schedule, they're more likely to engage and do the things that they have to do. We also need to make the different levels clearer, and that is mainly due to two things. One is so that the Cyber Jedis themselves can distinguish that they are on a different level, and so that the security engineers and the people around the business understand, okay, this Jedi is on the Padawan or the Knight level, and then they should know what is expected. If we have the levels clearer, it also solves the next to last point here: if we have clear communication to managers on the commitment and personal development for the different levels, that helps the Cyber Jedis to get time and commitment to spend on this, because if you're supposed to go to the Jedi Master level and earn that degree, you need to spend time and effort, and that should be reflected in things such as personal development goals with the managers. This is something that we haven't figured out as well as we should, but we're trying to.

And of course the end goal of all of this is that we hope that we can have one Jedi in each team, because then we've successfully integrated security from the inside, and that is the best way, connecting back to the statement of team-centric security: if we have security-trained people in each product team, that will go a super long way. That's something that I really believe in, because if they work with security within their team, they work with building up a security knowledge capital within their teams, and security knowledge about their product, where they know how things really work. I think that if you ask developers whether they know every piece of their application, in smaller apps yes, but in big enterprises they generally don't, and having Cyber Jedis work with security from within the product teams is really good. One of the benefits of that as well is that it enables the security engineers to focus on some of the more complex things: widespread problems that could be, what do you say, cross-domain or cross-team functional issues or security issues that they need to focus on.

Yeah, I can go on for four hours about this. Reach out if you have questions, I'm here to discuss more at the event. I think this is a really cool thing that's doing really well for us. I'd like to thank you for listening, and I'd really like to make a big shout out to my team back home at IKEA: Jennifer, Beyond, Philosophy, Emilianos, you're all doing an awesome job to make this happen. Then, yeah, thanks for stopping by.