This article was written by:
Marina Ciavatta, Social Engineer and CEO at Hekate, Inc.
Danilo Cordeiro, Staff Security Engineer & Cyber Security Specialist at Pipefy.
A few weeks ago, we had our first Cybersecurity Week at Pipefy. It was quite the challenge. As a startup, Pipefy is also going through budget reviews, and as we approach the end of the year, we are dealing with many projects and team changes. This means that we had very little time, people and resources to organize the Cybersecurity Week.
And this is one of the main reasons why we want to share this experience: no matter what your scenario is and what challenges you may be facing, Security is vital for your business, product and teams. We would like to share how we were able to educate and share knowledge with our own Engineers.
We organized it as simply as we could. We had reading material, a few pages filled with cybersecurity tips and tricks, explaining a bit about the threats we have around us lately and, of course, how to better protect ourselves. We titled it our own “Cybersecurity Survival Guide”. We used this material in the opening ceremony, explaining it to all our Engineers in a fun and accessible way, including real-life stories and cases, so it could be relatable. Security has to be realistic and relatable!
Then, every day of the week, we had at least one mandatory hour of Cybersecurity content, so as not to overload our teams. We had Rodrigo Jorge, a great friend of Pipefy and CISO of Neoway, as a guest speaker, and it was perfect. Not only did he walk us through Cybersecurity culture, but he did it in a funny and lighthearted way. This is a golden tip: Make sure you are wisely using your connections, such as partners, clients and friends, to help you with great content!
After that, it was time for the Pipefy team to shine, bringing in content that is directly attached to our problems and pain points. Our DPO, Cainã Gomez, gave us a great Data Protection and Privacy workshop, followed by our Security team tech talk the next day. And this tech talk was about hacking our own product, live, with all of our engineers watching and participating with insights and comments as well! We had never seen our Engineers so engaged with security issues before. This only happened because we actively included them in the process, showing the mindset of the attacker and demonstrating it live, as they helped us to find and exploit the weak spots.
We sure had a record of engagement for cybersecurity that week, and we even had new dates already for more content throughout the rest of the year due to popular demand! A few Engineers are now part of a dedicated internal hacking and cybersecurity channel to discuss vulnerabilities, and we even had engineers coming to us and asking about CTFs and more content. Such a success!
There are just so many reasons why we should talk about cybersecurity to our Engineers, such as:
- Security by design: Building technology that is safe by design is cheaper and smarter, because it will spare you problems ahead of time. It will even increase the value of the product and the company.
- Building and managing technology: Developers are the ones who build the products and manage the technology that is exposed to the public and that the business depends on. Therefore, they are very attractive targets to criminals and attackers.
- DevSecOps: Not only is secure development beneficial to the company, it also raises the developers to a whole new level of skill and awareness, making them work ahead of vulnerabilities, threats and attackers.
- Compliance: Of course compliance demands cybersecurity initiatives, training and specific measures taken to better protect the company, the product, its clients and employees.
- Business continuity: Most businesses, especially small and medium enterprises, cannot survive the next 6 months after a cyberattack. They either have to freeze projects, cut their losses or even go out of business.
- New contracts: Security nowadays is considered not only an obligation but also a commercial advantage when dealing with new clients and partners!
You can talk about Cybersecurity with your Engineers in many ways, such as Cybersecurity Awareness campaigns, DevSecOps training, involving them in the company’s Privacy and Data Protection initiatives, or even simply by organizing a Security Week like the one we just mentioned. Do not let the challenges of time, team or resources stop you and become an excuse to not prioritize Security.
Remember: Security is not something that we naturally learn from birth, nor through life itself. Instead, we are often reactive about security, and that means that a problem has already happened and a tragedy has already taken place before we think about how to better protect ourselves and our environments. And that may be too late for a company to survive.
Cybersecurity has to be part of the Engineers’ daily activities, because working with new technologies can be exciting but also overwhelming. The engineers are already busy learning new things, fixing bugs and improving themselves, so they should have help being reminded of Security and be able to count on continuous support and education.