“The Security Culture Secrets You’re Not Supposed To Know”

Today we’re publishing our first interview with a Security expert. Collin Geisser is a Solution Security Architect at Swisscom, the incumbent Telecommunications Provider in Switzerland. As you can imagine, it takes a lot of engineering effort to operate, maintain, and improve telecommunications systems that provide services to Millions of consumers and businesses. Making sure that security standards are kept high and people are keeping this top of mind can be a daunting task. Security Champions across the organization are the ambassadors and sensors of a well-functioning Security program. We asked Collin a few questions about his work.

Collin Geisser: Introduction

Collin Geisser is a CISSP-certified Solution Security Architect with a profound expertise in application security at Swisscom. With over 17 years of experience in IT and cybersecurity, he excels in risk assessment, Secure Software Development Lifecycle and compliance.

1. PYB: Collin, can you tell us about your role as a Solution Security Architect at Swisscom and what a typical day looks like for you?
   
   

   C: Fortunately, there is no typical daily routine, except that I am involved in many meetings. We have over 90 applications, so there's always one or another request that the System Security Architects cannot resolve. Mostly, I deal with issues that an Agile Release Train cannot solve by itself. For example, currently, with the Postman update, whether we are allowed to continue using this tool since it synchronizes with the Google Cloud.

2. PYB: How do you approach creating and fostering a culture of security awareness among the engineering teams you work with?
   
   C: Actually, this is one of the main issues that occupy me. Predominantly, I'm responsible for the 60 Security Champions in our organization. They spend 30% of their time in a security role, and the remaining time as DevOps Engineers. Our Security Awareness Manager from Group Security certainly contributes a lot to maintaining a Security Community. However, we in the 1st Line of Defense are closer to the people and topics and know what concerns them. I mainly try to make the job as a Security Champion more exciting. That means eliminating manual processes, providing interesting offers like security training, security town halls, CTFs (Capture the flag excercises), and more.

3. PYB: Can you share specific strategies or initiatives you have implemented at Swisscom to help your peers prioritize security in their daily tasks?
   
   C: Our implementation with the Security Champions in the teams helped to make the topic of security present. The champions are in regular exchange with the Product Owner and discuss risks and vulnerabilities to prioritize them. In addition, we have created transparency within the organization and shown the risks of different areas. This also promotes synergies between the various Agile Release Trains.

4. PYB: Security is often seen as a hindrance to development speed. How do you balance the need for security with the engineering teams' desire to build and release quickly?
   
   C: I usually highlight two aspects here. First, security is an enabler. It allows me, for example, to make it easier for customers to log in, but this requires a preliminary effort. This work is part of a feature, just like any other function. Second, if standard solutions are used, standard security solutions can also be implemented. This facilitates the implementation and prevents a patchwork of technical solutions that only individual people can maintain.

5. PYB: What are some of the most effective ways you have found to engage non-security-focused engineers in security practices?
   
   C: Bug bounties, data breaches, or vulnerabilities are demonstrated live. Often, such incidents remain behind closed doors, and people remain silent about them. But silence does not lead to learning. When new findings are shown to the engineers and they see how easily, for example, XSS can be used in their own environment—not a simulation or fictitious exercise, but in their own test system—it opens their eyes and ears. They will certainly participate in the next security training with more enthusiasm, and they will not forget what was demonstrated so quickly.

6. PYB: Conversely, can you provide examples of approaches that did not work as well as you hoped in terms of promoting security within the teams?
   
   C: Unfortunately, I can confirm that, yes. Security training must be tailored to the target audience. Our first training was for the entire team, whether Scrum Master, Product Owner, or developer. This only led to dissatisfaction among those who were overwhelmed and those who were underwhelmed. A one-size-fits-all solution is quickly made and scales well but it misses the goal of learning. With our new target group-specific training and even programming language-dependent training, we achieved much better results.

7. PYB: How do you measure the success of the security culture within Swisscom? Are there any particular metrics or feedback mechanisms you rely on?

   C: I can only speak for my organization here. However, we measure the security posture based on compliance reports, bug bounties, vulnerabilities, and risks. We check these every 10 weeks and take appropriate measures if a negative trend develops. We also survey the Security Champions annually about their well-being and determine how satisfied they are with the role, looking especially at the referral rate.

8. PYB: In your experience, what are some common misconceptions engineers might have about security, and how do you address them?
   

   C: With today's frameworks, you don't have to worry about security anymore. Security is already built in. Unfortunately, it is often the case that the baseline of most tools is designed to enable the fastest onboarding possible, rather than the most secure solution. This must be continuously pointed out to the engineers. And even if a technology already has a good configuration in the security area, we do not want to rely only on one measure but implement the Zero Trust approach.

9. PYB: Switzerland is known for its emphasis on stability and safety. How do you think this national mindset translates into the way security is perceived and implemented in Swisscom compared to your international peers?
   
   C: Because of the legal situation, we already have a better focus on security and data privacy compared to countries like the USA, especially in the banking sector where much has been done, the security standard is very high, and there are hardly any incidents. At least those that became known 🙂 However, we also struggle with the same problems as others, such as the war for talent, for example. That's why I'm glad to see that Swisscom, as well as the state, helps to offer training that is not only offered through universities. This way, we can ensure that we will find more well-trained personnel in the security field in the future.

10. PYB: Finally, can you share a particular success story where the security culture you’ve helped cultivate within an engineering team made a significant impact on a project or the company as a whole?
    
    C: It is mainly the recurring improvements that go beyond our organizational boundaries. Because our engineers have been well-trained, they often think one step ahead and discover risks in other areas of teams outside our influence, but with whom we have a technical dependency. They either address these problems directly with the responsible teams and improve the situation together, or I get involved to look at the problem with the responsible security offices. This is how we manage to optimize the entire company bit by bit, not just our area.

Do you find this inspiring? Feel free to share your thoughts with us on our social media handles.