People often think cybersecurity is black magic. They also think that to be good at security, you have to know a lot about everything and be a black-belt computer wizard. This is simply not true and was a problem that our sister company, Syndis, had to tackle early on in their business and one of the reasons they originally developed Adversary, a security training platform for development teams.
An international problem, on an Icelandic scale
Iceland is a small rock in the middle of the Atlantic Ocean. With a population of roughly 360,000 people, it barely has more residents than Honolulu, Hawaii. Yet it’s a republic, with everything needed to be as self-sustainable as possible: health care, a power grid, government, financial institutions, you name it. Historically, Iceland has faced few threats, due to its isolated location. You had to sail for a long time to even get to the island. But times have changed. Now all layers of society have to be concerned with security in some way or another.
Syndis had an existential problem on their hands, however, when it came to finding security experts. At that time they had 4 people on staff, nowhere near enough to meet the growing demand for Syndis’ security consulting services. But there was no security talent pool in Iceland to hire from. They could try to compete with big tech firms abroad for talent and pay salaries that far exceed the local ones. That is, however, very unsustainable and would be a short-term fix at best. Besides, the shortage of security professionals is a global problem, and most students who complete a computer science degree are not required to complete even one security course. So that was a no-go.
That left them with only one option: To put in significant short-term effort to grow and foster a new generation of security engineers in Iceland.
Here’s how they did it.
Growing a new generation of security engineers
Through their cooperation with Reykjavik University, Syndis doubled down on their commitment to teach the annual security course through our co-founder Ymir Vigfusson. That led to them building the early version of Adversary to teach the fundamentals of the OWASP Top 10 software vulnerabilities by essentially teaching upcoming developers how to exploit those vulnerabilities. In simple terms, they wanted to teach programmers to hack, because only by understanding your offense can you effectively play defense.
Here’s a great TED talk from TEDx Reykjavik where Ýmir explains why he teaches his students to hack.
Short term effort for long term results
Despite it not helping in the short term, a long-term play would be better than simply doing nothing. Luckily, they quickly saw that Ymir’s course attracted highly talented students who turned out to be able to go into security straight after finishing university. And with that, Syndis began not only to solve their own problem of a limited security talent pool, but, through their involvement in academia and the development of the Adversary security training platform, also to address the wider societal problem of a lack of security professionals.
Not security ninjas, but hungry engineers
As they worked on this over the years, while also teaching companies that wanted in-house training, they made an observation that really changed their core beliefs about “security people”. They had assumed that the people who would end up going into critical security jobs would be people who already identified themselves as “security experts” or “security enthusiasts”.
Charlie Erikssen, co-founder of Adversary and Syndis, says they instead “observed that when following up on corporate training sessions, we observed that for a subset of the people we taught, they had then gone on to do more training and would be on a path to become an internal security employee. That’s cool! We empowered people.” But who were they? Here are the traits Charlie and the team recognized in them. They were:
- Already good engineers
And as the Syndis team grew from 4 people to now 10, the pattern has continued. The people they took on who turned out to be the best security engineers were solid computer scientists to begin with. They also exuded eagerness and curiosity, and were excited by the challenges given to them.
The data really spoke for itself. Talented security engineers are not special by any means. There are potential security engineers all around us. For the existing “security experts” at Syndis, it was a lesson in humility to learn they weren’t inherently that special.
The prerequisite for developing into a security professional who can help the community protect against the bad guys was simply to give good engineers the opportunity to learn this “black magic” (and, in doing so, realize it’s not black magic), and to empower them to pursue it.
And thus Adversary was born
Since then, we have been engaging all levels of society with the Adversary platform. From 9th grade school classes to engineers with more years of professional experience than I have been alive. And every time we see the same pattern emerge. People have fun learning security and a subset of people can’t get enough of it. The challenge of learning to break into websites in order to understand how to protect them is intoxicating and it makes people realize that there’s a huge opportunity for them to enter the field of security or become a security champion in their own organization.
For companies this is an untapped resource, and one that is critical for tackling the security challenges they face. By using Adversary, companies are able to train their staff on the most common secure-coding challenges the world faces, but the benefit is far more profound than that. In a world where security professionals come at a premium and are difficult to retain, it is a losing game to try to outbid the market.
Companies are starting to realize that being hacked is a question of when, not if. They’re also increasingly recognizing that most of them have already experienced some type of data breach, often without ever knowing it.
Because of this, the smart ones are starting to identify and empower their employees. They are finding the “sleeper” security champions in their midst and encouraging them to enter the world of magic. These people not only become hugely valuable in terms of the skill set they develop, but through their curiosity and eagerness they show the world around them just what security is about and shine a light on it. They go on to show their peers that it’s not black magic and help the teams they work on not to be paralyzed by security. Instead, they tackle it head on and do their part in growing a culture where security is a core tenet that everybody is a party to. Because security is only difficult as a result of the difficulty we incorrectly attribute to it.
By recognizing your security champions within your organization, you have identified key employees who can play an important role between the development team and the security team.
Adversary, headquartered in Reykjavik, Iceland, builds an online, hands-on cybersecurity training platform for development teams. Adversary helps companies minimize the risk of being hacked by equipping them with the knowledge needed to avoid costly attacks before they happen. The platform puts trainees in the shoes of the hacker as they complete training missions, earn points, and advance to harder missions. This hands-on approach to training teaches IT professionals why vulnerabilities such as the OWASP Top 10 arise and how to prevent them from occurring at all.