Innovation Isn’t What You Expect – Our Perspective After 20 Years in Cybersecurity
20 years ago, when Security Innovation first opened, we chose our name to signal what we offered: a new idea and fresh approach to cybersecurity, especially around the nearly taboo topic (at the time) of software security. We tackled issues that other firms ignored, and we built solutions that others considered impossible (or never considered at all). The same spirit of discovery and creativity our company started with has endured for our whole history – but how we understand the meaning of “innovation” looks completely different after two decades.
We, like most people, started out with the idea that innovation means being as different, disruptive, or dynamic as possible. The more radical the idea the better. But, as our own experience has repeatedly taught us, innovation isn’t about reinventing the wheel; it’s about using ingenuity, experience, and expertise to set aside assumptions and establish what really works. To put it another way, innovation is measured by how much security improves, not by how much it changes.
To illustrate our point, consider four anecdotes from Security Innovation’s past where we’ve done things differently and raised the bar for security in the process.
A New Way to Teach Product Security
In the early 2000s, Motorola Solutions asked us to improve their product development process to have a greater emphasis on security. We created a course called “Introduction to Product Security” for a few select students at Motorola HQ. Recognizing the potential, the CISO at Motorola had us deliver the course live and film it. We then copied it onto thousands of DVDs and shipped each one to members of Motorola’s product staff across North America with a bag of popcorn and a personalized note encouraging everyone to “enjoy the show.” It was a huge hit, and Motorola remains a customer today. So, what was the innovation? Recognizing that security training can often feel mandatory and mundane, we framed it as something fun (with the popcorn) and flexible (people could watch the DVD whenever they liked).
A New Way to Assess Product Teams
One of our first clients, HP, came to us several years ago to solve one of their biggest problems: HP printers and other document management systems were getting hacked. The best defense was to harden the underlying software, but that software changed so frequently that it was impractical to test and certify each release. Our solution was to ensure that each product team had the requisite security skills and process; however, the existing evaluation tools (like BSIMM or SAMM) were either inaccurate or annoying. We created our own, called Secure Development Process Assessment Certification (SD-PAC), which has been used by dozens of teams over the last few years. The assessment is based on the activities, skills, and procedures actually used – aimed at the practitioners, not managers or executives (who, frankly, are often disconnected from what really happens in product development teams). Our innovation, in this case, was correctly identifying and solving the underlying problem (poor evaluation tools) instead of trying to pioneer an entirely new approach.
A New Way to Stop Aggressive Hackers
In 2009, after repeatedly falling victim to a persistent group of “hacktivists,” the U.S. District Courts contacted us on the recommendation of Cisco. We did an initial security code review that revealed a number of vulnerabilities – one of which the hacktivists exploited shortly thereafter. Our role suddenly shifted from consultant to emergency responder as we sprinted to put out the fires and restore things to normal while, simultaneously, rebuilding the attacked system so this couldn’t happen again. Today all US Courts locations use a locked-down Linux system supported by a full-time team of 11 Security Innovation staff. Tamper-resistant and self-defending, that system was quite innovative. But so was our service offering, where we rose to the occasion at a moment’s notice and adapted to support our client’s long-term needs by whatever means necessary. It’s rare to get “solutions” when most providers sell just “services.”
A New Way to Frame Software Security
Perhaps our greatest innovation emerged from one of our most popular courses, “Attacker Techniques Exposed.” To illustrate some of those techniques, we created a fake online banking site with dozens of intentional security flaws. Course students were invited to find the flaws, just like a hacker would, so they could understand the mentality and tactics of their opponent. Several of our clients started using the bank training tool as well, until one hired us to expand the platform to train hundreds of developers at once via a 2-day course. We expanded the content. For example, participants could find information on dummy social media sites to use for social engineering. We also made the format more engaging with things like an interactive scoreboard to add a competitive element. The first event was a huge success – people found it interesting and informative in ways that training exercises aren’t known for. That initial platform expanded into our one-of-a-kind CMD-CTRL cyber range, which now has 10 unique experiences, hundreds of hands-on challenges, and thousands of enthusiastic attendees. That success prompted us to add over 100 interactive labs to our library of 200+ online training courses, evolving into our flagship product CMD-CTRL Base Camp: an unparalleled resource for security training in terms of depth and breadth, but also in terms of hands-on learning opportunities for all software stakeholders – from developers to cloud engineers. It’s an impressive achievement and a major innovation in security training. For us, however, it was simply a pragmatic solution delivered in a creative way that developed organically thanks to the trust between our clients and our team. That formula, refined throughout our 20-year history, makes eureka moments all but inevitable.
We believe our greatest innovations are yet to come. And while we have some predictions about what they might look like, we know by now not to force the issue. Persistent problems will always need clever solutions – the kind Security Innovation has spent two decades learning how to cultivate and catalyze.