The Secret to Software Security Starts with Attitude

Most of the conversation in cybersecurity obsesses over why the newest tools will change the game or why an older vendor has lost its edge. And when we’re not talking about tools, we’re discussing tactics and techniques. It’s all about the here and now and never about the mentality. We think that’s backwards.

After 20 years at the forefront of software security, we here at Security Innovation have come to a counter conclusion: to advance software security, you need the right mindset first – and the solutions will follow.

Back in 2002, our founder, James Whittaker, was both a leading software security expert and a one-of-a-kind individual. Inspiring, infectious, and innovative, Dr. Whittaker brought a passion and vision to his work that made an impression on everyone around him. He was an evangelist as much as an expert, and he could proselytize about software security in ways that could captivate any audience. Out-of-the-box thinking was required before any ‘box’ could be formed.

It wasn’t just his enthusiasm that stood out, though. It was his commitment to education, engagement, and improvement. He knew 20 years ago that software security was a big problem – but he was optimistic that we could solve it and fully committed to finding what worked. He was never a pessimist; he never stopped being curious; and he believed that every aspect of cybersecurity could get better with enough effort. Unlike so many others, he wasn’t a defeatist, and he didn’t believe in silver bullets, either. He believed that progress came from collaboration, experimentation, and (most importantly) determination.

Dr. Whittaker has departed the company, but his attitude and example continue to guide everything we do. And it’s that attitude, just as much as our aptitude, that explains why Security Innovation has made such great strides forward for the software security world.

The Attitude to Make an Impact

At the core of what makes the Security Innovation attitude different is the mission that guides us. It has always been our mission to not just succeed as a company but to make a meaningful impact on software security in the process. Acquiring clients and generating revenue was never our only aspiration. We wanted every person, team, and company that worked with Security Innovation to see sweeping improvements as a result of our engagement.

That attitude affects how we serve clients. We don’t just expose flaws in software security; we meticulously explain where they are, why they happened, and how to fix them. We also don’t rely entirely on the security team to stop cyber attacks; our training platform has already been utilized by 3.5 million people who are all better equipped to secure software as a result. We start every engagement from the belief that software security can, will, and must improve, then we make the biggest impact possible, both via state-of-the-art training for skills development and in-depth services.

Sure, we have countless testimonials to prove our impact on clients and individuals. But after 20 years, Security Innovation has impacted the industry as a whole, pushing it in positive new directions. When we started, for example, software security was very much a “tool-driven” endeavor (when it was even considered at all!). Securing software, the thinking went, was simply a matter of installing the right tool to fix flaws or find attacks. But after two decades of worsening cyber incidents, that approach is giving way to something different: the realization that cybersecurity starts with knowledge and gets driven by people. Cybersecurity tools, meanwhile, are just that: things to help along the way.

This attitude barely existed 20 years ago. Yet now it’s taking hold across the cybersecurity community. Security Innovation can’t take sole credit, of course. But we can’t deny our influence either.

The Security Innovation Attitude in Action

The Security Innovation attitude drives us to be impactful and insightful, but what does that look like in terms of actual results in the trenches? Consider our engagement with Microsoft: one of our first, biggest, and most loyal clients. Over the years, Microsoft has become a believer in the Security Innovation attitude and adopted many of our methods as their own.

It was apparent from our first engagement that Microsoft thought differently about software security. When they hired us in 2008 to build Microsoft SDL online training courses, Microsoft went so far as to suspend software production until the developers completed the courses. The knowledge was that important. And without it, their engineers couldn’t do their job successfully. No tool could fix this problem – only the right information, education, and developer engagement could, which we provided.

Microsoft picked up the Security Innovation attitude and ran with it, which was clear in our most recent collaboration. As Microsoft’s Azure cloud platform continues its impressive growth, security is becoming a bigger issue – but Microsoft is addressing the problem early, extensively, and effectively using the best resource available: education and training. Microsoft asked us to build a custom training tool to show every supplier in the Azure ecosystem how to build a secure and resilient architecture. Instead of allowing the architecture to be misunderstood or neglected, Microsoft took smart steps to make the knowledge stick.

Microsoft is just one of many clients we’ve helped turn knowledge into power, make people the centerpiece of cybersecurity, and, in the long run, help to prevent more attacks. For 20 years now, our attitude has been the same: nurture skills and cultivate expertise, and you will be more secure than tools alone could ever make you.

Time has validated that attitude, verified our approach, and revealed countless ways to improve our methods. Our company has grown and evolved tremendously, but our fundamental attitude hasn’t changed, and it will continue to define us through the decades to come. And, hopefully, continue pushing software security to a higher standard too.