Security Nation, Episode 9

How to Create a Security Champion Program Within Your Organization

November 01, 2019

 

In this episode of Security Nation, we sit down with Mark Geeslin, senior director of product security at Asurion, to talk about his success in building the organization’s Security Mavens program to create a culture of security. Learn about the program, how his unique approach to bringing on members has kept momentum going, and why he thinks getting buy-in from the top early was a key component to Security Mavens’ success. Also, in this episode’s Rapid Rundown, Tod talks about the various VPN breaches that were reported in mid-October and muses on why people use VPNs to begin with.

If you like what you hear, please subscribe below! We release episodes every two weeks, each featuring a new guest who is doing something positive to help advance security. Our next episode will be released Friday, Nov. 15.

Appears on This Episode

Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Mark Geeslin
Senior Director of Product Security, Asurion

Mark Geeslin is currently Senior Principal Security Engineer and Senior Director of Product Security at Asurion. Mark has been working in the software development and security industries for over 25 years in diverse environments ranging from high-tech security startups to Fortune 100 companies. Over the past decade, he has directed application and product security programs for various leading technology firms in Silicon Valley. Besides his extensive experience as a software engineer, Mark's expertise includes all the usual appsec suspects, such as penetration testing, threat modeling, software security analysis, and security automation. Mark is also an instructor for the SANS Institute, where he teaches Cloud Security and DevOps Automation as well as Web Application Penetration Testing. Most recently, Mark has been spending a good deal of time with his friends at SAASSY, transforming the cultures of large corporations into those that enthusiastically embrace and profit from the philosophy, principles, and practices of DevSecOps. Mark has degrees in computer science and theology, and holds numerous security industry certifications.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 



Podcast Transcript

Jen Ellis: Hi, and welcome to this episode of Security Nation, the podcast where we chat with cool people doing interesting things to advance security. I'm Jen Ellis. I'm Rapid7's VP of Community and Public Affairs, and as usual, I'm joined by my co-host, Tod Beardsley. Hey, Tod! How you doing?


Tod Beardsley: Hi, Jen. Pretty awful. But I'll pull through. I've had a cold.

Jen Ellis: You have a cold?

Tod Beardsley: Yeah. I have the German plague or whatever.

Jen Ellis: Did you get a computer virus?

Tod Beardsley: Lololol. No, I got an airplane, 11-hour exposure virus.

Jen Ellis: That's actually much worse. That's sucky. I'm sorry.

Tod Beardsley: But we will soldier on, Jen.

Jen Ellis: Yeah, because we have a great episode today. We are going to be talking to Mark Geeslin. He's going to talk to us about building security champions, which is really cool. But first, we're going to talk about what's happening in security. Hooray! So, what's happening in the Rapid Rundown, Tod?

Tod Beardsley: For the Rapid Rundown this week, I wanted to touch on the various VPN breaches that were reported mid-October. There was some follow-up reporting on that by Lawrence Abrams of Bleeping Computer about what NordVPN in particular is doing to shore up their security after their breach. It all sounds great. They're doing things like instituting pen tests and instituting top-to-bottom code reviews and infrastructure reviews.

Jen Ellis: Wow, that sounds crazy.

Tod Beardsley: I know.

Jen Ellis: Imagine!

Tod Beardsley: They are basically doing the things everyone should be doing anyway all the time. But I also wanted to talk about in light of these breaches, it's really interesting to me that there was a handful of VPNs that get breached. I think we're due for a good Tor bug now. It’s been a while for one.

Jen Ellis: We've only had bad ones recently.

Tod Beardsley: And I just wanted to, I guess, muse on why people use VPNs to begin with.

Jen Ellis: Oh, I sense that I'm about to get lit up in some way. Please continue!

Tod Beardsley: So yeah, VPNs have been in the news. VPN clients were famously ripped up pretty good by Orange Tsai over the summer. He released a whole pile of bugs affecting a whole lot of VPNs. So, if you're the sort that uses VPNs, first off, please make sure that you have updated your stuff or ask your IT department to make sure that you've updated your stuff. Because the thing with VPNs is that I do feel like, I don't know, right? I don't know if people need them as much as they used to?

Jen Ellis: I like how you're very hesitant in saying that.

Tod Beardsley: I am because like it's really weird for security people to talk like that. But the fact is that-

Jen Ellis: You're going to get angry letters from security people.

Tod Beardsley: I am, I'm going to-

Jen Ellis: Angry tweets.

Tod Beardsley: I'm going against the security dogma of use VPNs.

Jen Ellis: Brave.

Tod Beardsley: Yeah. Because honestly today, we live in a world that is largely encrypted by default. About the only thing left that's not encrypted, that's over the internet, is DNS and that's starting to go away. We're talking about DNS over HTTPS these days. Some people have opinions about that, too, but that's not this rant. But like when you're-

Jen Ellis: You'll save that for the next rant?

Tod Beardsley: I'll save it for the next one, when there's a good something noteworthy and that happens and I'll talk about that. But I think that these days, if you're going to do any kind of webby things, you're almost always on HTTPS for anything good anymore. VPNs are useful for like work situations where you have an infrastructure that has this notion of internal and external, which itself is getting a little antiquated. I mean, we all talk about zero trust and we kind of are gunning for that. You should treat every network as a hostile network. And so I'm not super sure what VPNs bring to you.

Tod Beardsley: So anyway, good on NordVPN for leveling up its security in the wake of their breach. But also, I don't know, think about if you need VPN at all to do the thing that you do because what are you protecting against, really? Because this is the thing that the VPN services are selling. They sell it as like, "Oh, you need this to be secure and private" and it does do that. It basically moves your privacy from one network to another. And so as people found, turns out when your VPN provider gets pwned now, now you're super-duper pwned, right? And if you are opting in to these virtual private and these kind of general virtual private networks that’s not for like a business reason. I have to actually cross the network barrier, which is what they were originally invented for. It is the virtual private network into, because it implies you are on a private network.

Jen Ellis: It's almost like that's what VPN stands for.

Tod Beardsley: It is exactly what it stands for and what it's, but you have a lot of companies now that are offering VPN services specifically so you can hide from your ISP, so you can hide from "The Man," you know?

Jen Ellis: Right. So you can watch TV in the U.K.

Tod Beardsley: Right. So you can skip through, skip over region controls and so basically for piracy. But so if you're not needing it for those particular things like the feature of VPN that puts you in another place or the feature of VPN that puts you in the same network as other things that you wouldn't normally be able to get to, I question the value of VPNing at all given that most of the time you do have application-layer encryption. The network is hostile all the time anyway.

Jen Ellis: So I hear what you're saying. I do have a couple questions. I feel like this thing that you're saying about like, okay, this is good, provided you trust that you're placing your VPN is appropriate and if they get pwned, then you're super pwned. You could also take out like the letters "VPN" and apply that to, I don't know, a password manager or any other thing. There are lots of these things that people make that argument for where I think we'd still be like, "No, but like yes, but the good outweighs the bad with this." "Oh yeah. You're right." And so I think is this not a thing that you have to consider what your risk, what it looks like and yeah, it's a really important reminder to like check on the security practices of any provider or partner that you're working with.

Tod Beardsley: Somebody that's providing security solutions.

Jen Ellis: For sure. 100%.

Tod Beardsley: They should themselves be pretty secure.

Jen Ellis: Yeah. That makes perfect sense. I agree.

Tod Beardsley: I get what you're saying. I do think they're a little bit different, password managers vs. VPNs. I think they both are providing a solution that is squarely in security.

Jen Ellis: Yeah.

Tod Beardsley: I mean, we use password managers because passwords are awful and it's like the worst around and it's all we got.

Jen Ellis: Right.

Tod Beardsley: Right?

Jen Ellis: So what you're saying is we're doubling down on an already flawed approach in technology?

Tod Beardsley: A little bit, yeah. With VPNs though, it's like, I feel the market is super weird from being a person who knows about security, I have shopped VPNs before because I've had people ask me like, "Oh, what do you recommend?" I'm like, "Well, I don't know. Let's take a look. Oh, look at that. Nobody has public audits. So they're all garbage." And I'm sure they're not all garbage, but it sure looks like that, right? And so I'm not super convinced of the security value of these private VPN companies, especially when it comes to like, what are you using them for? It's like, I use a password manager cause I have to use passwords.

Jen Ellis: Right, right.

Tod Beardsley: And I have to use hundreds of passwords.

Jen Ellis: Right.

Tod Beardsley: I use a VPN because it's more, I guess, it's more of a privacy thing than a security thing, almost? I don't know. I question the utility of VPNs in an internet where the endpoint is not like the least secure hop here. There are far more insecure hops on the internet than usually your endpoint or the endpoint of whatever you're going to.

Jen Ellis: Yeah. I mean, I do, I think actually VPN providers are pretty aware of this role that they play and the level of trust and everything. And so I do think some of the smaller or perhaps less-established players are looking at how they can do sort of independent audits and that kind of stuff, which in and of itself can be challenging, right?

Tod Beardsley: Right.

Jen Ellis: You kind of get into that slippery slope of sort of you're already as good as your last check and what does that mean and how do you make that work? What was it that made you particularly hit on this topic, Tod?

Tod Beardsley: Well, dear listeners, last night I was out with Jen and our colleague, Harley Geiger, at a bar for pub trivia. And by the way, we came in second place. We do not suck at trivia.

Jen Ellis: I will just clarify by saying that I had almost nothing to do with that, which will shock no one.

Tod Beardsley: Well, that is not true in the slightest, but for whatever reason, the carriers that Harley and Jen were using just didn't have decent signal in the venue. There were at no service levels of signal. And I said, "Well, just get on the WiFi. I'm on the WiFi right now." And they both looked at me like I was insane.

Jen Ellis: What I think is interesting about this is like at no point did the topic of VPNs come up. Well, I don't, actually can't speak for Harley, but I certainly don't run a VPN on my phone. I just don't also-

Tod Beardsley: That's the thing. I do run a VPN on my phone and I'm pretty happy with it.

Jen Ellis: Now it comes out!

Tod Beardsley: But I'm questioning why do I do this to begin with? Other than region skipping.

Jen Ellis: Which, what was the word you used for that earlier?

Tod Beardsley: Piracy? Yeah.

Jen Ellis: Yeah, yeah.

Tod Beardsley: Mm-hmm. Yeah, for sure. Because I'm an American. I want my American TV when I'm in Europe.

Jen Ellis: I was going to say people were assuming that was me watching the British TV, but no. That would involve me getting a VPN, which I don't have.

Tod Beardsley: So anyway, that's the news.

Jen Ellis: That's the Rapid Rundown.

Tod Beardsley: That's the Rapid Rundown on VPNs. And also, by the way, this week as you hear this, it will be just after the one of the 50th anniversaries of the internet.

Jen Ellis: One of the many of the 50th anniversaries of the internet.

Tod Beardsley: Yes. Where it-

Jen Ellis: Happy birthday.

Tod Beardsley: Happy, happy birthday, internet. I just wanted to give a delighted shout-out to Sean Gallagher, of Ars Technica, who wrote that, correctly, that the first three letters that were transmitted over the internet were L-O-L because it was supposed to be the word “login,” but the first try failed at the O and so they tried it again for login again. So it was L-O, oops. L-O-G-I-N. But it was LOL.

Jen Ellis: Which is even better. It was LOL, which seems almost sort of prophetic. And Sean generally is awesome, and we love him. So hi, Sean, if you're listening.

Tod Beardsley: Yep.

Jen Ellis: Special shout-out to you. Cool. I feel like I have been appropriately run down. So now we get to meet our exciting guest, Mark Geeslin, who works at Asurion. Asurion is an insurance company focusing on technology and digital life. And Mark is the senior director of product security and he sort of spends a lot of time thinking about how you build security into product development. Strong focus on AppSec, and when he's not doing these things, Mark is super involved in the security community around him. In the past year, he's started a local Nashville chapter of OWASP. He's also hosted a first-time security conference focused on product security called Music City Con. I'm sure he'll happily tell us a little bit about these things. So welcome, Mark. Hi! Thanks for joining us.

Mark Geeslin: Hi. Thank you. I'm really excited to be here.

Jen Ellis: You sound like a busy chap. You sound like you do a lot in the local community.

Mark Geeslin: Yeah. Yeah, I'm a little too busy. Yeah, but it's a ton of fun. Yeah, with starting the conference this year was a ton of work. I've never done that before, so learned a lot in the process and we did the full-blown... We wanted to do a full-blown, really first-rate security conference for Nashville. And thereby really nurture the security community here and stimulate more activity and interest in the security world. So it was a ton of work, but it was really rewarding. We had a real successful event and some interesting speakers from all around the country.

Tod Beardsley: Did Taylor Swift come to your Nashville conference?

Mark Geeslin: She did not. We tried to get her but she just didn't have the time.

Tod Beardsley: I mean she's really good at Windows.

Jen Ellis: Yeah. I hear she's big into security. Obviously, she's also a massive listener to Security Nation.

Tod Beardsley: Yeah, hey, Tay!

Jen Ellis: So okay. So congratulations on what sounds like a really successful first-year event and congratulations on setting up the OWASP chapter as well. What do you do when you're not doing all of these cool security things, if such a thing as possible?

Mark Geeslin: Yeah, I have to figure out a way to sort of balance that better. Because I also, on the side, teach security through the SANS Institute and that consumes a lot of time as well. So it's just my regular job and then all of the "extracurricular" activities involved in the community and the teaching. So it's pretty busy. But outside of work, I'm actually trying to kind of stay away from the tech world somewhat. I'm an introvert by nature and my job requires me to be an extrovert. So when I'm not doing my job, I just love spending time with my family, I have four kids and we're very close. And love music, love classical music, opera music, and reading. Reading literature and classical literature, I really love doing where I can get away with myself.

Jen Ellis: Any book recommendations you want to share?

Mark Geeslin: Well, I'm a huge Dickens fan, so I mean, I've read all of his books. I just love particularly his later books, the books later in his career, "Our Mutual Friend" and of course, the famous "A Tale of Two Cities."

Jen Ellis: With the best beginning of any book ever.

Tod Beardsley: I mean, next to “Neuromancer,” of course.

Mark Geeslin: Yes.

Jen Ellis: What's the beginning of “Neuromancer?” I don't remember it.

Tod Beardsley: "The sky was the color of gray, of a TV tuned to a dead channel." Something like that.

Jen Ellis: Oh that is a pretty good start. I like that. That's pretty nice. Yeah. Yeah. I feel like Mr. Gibson's been getting a lot of play on this podcast recently.

Tod Beardsley: Yes. I'm very happy that we've balanced it with some Dickens. Especially because Jen basically is a Dickens character.

Jen Ellis: Hey! I tell you, just because you call me governor. … Awesome. Okay, great. And is Dickens himself like a, a source of personal inspiration, his characters? Who have you been inspired by in your life?

Mark Geeslin: When the kind of literary world moved into the realist space with George Eliot and all, Dickens was criticized a lot as being unrealistic because a lot of his characters they would say are caricatures, and fairly unrealistic, but I don't really completely agree with that. They are of course caricatures, but they embody traits that are actually in people in real life. And he was of course trying to be funny with a lot of that. So I just find myself quite often just laughing out loud when I'm reading him. So it's comic relief, but he also, almost every one of his novels has a twist to it. So it's somewhat of a mystery-

Jen Ellis: An Oliver Twist?

Mark Geeslin: Yeah, there's always some surprise and that was sort one of the things he did. So they're almost mystery novels in that sense, which is fun. So I would always recommend, read the books before you watch any movies, otherwise it will all be spoiled. So yeah, but his books generally end with a happy ending. So they're fairly cheerful books even though they may entail a great deal of suffering throughout the story. So in the sense of inspiration, in terms of just for life. Yes. I'd say he's provided that.

Jen Ellis: Awesome. I love it. Okay. It's nice to get to talk about something that's not just security all the time, but we should probably get back to the security stuff. It sounds like you've been a huge champion for embedding security into development practices, looking at how you can amplify and build better secure by design. These are all things that we're huge fans of and so very excited to talk to people who are doing work in this area. And I believe one of the ways that you've done this has been to sort of build a "security champions" program. That's not what you call it though, is it?

Mark Geeslin: No, I decided to call it something that would be a little cooler, if you will, from the rest of the world. So we called them “Security Mavens” and the word "maven" just means really expert. So we call them that, sounded cooler than security champion.

Jen Ellis: I mean, it does sound like what Dickens would call an expert. Yes.

Mark Geeslin: Yeah!

Jen Ellis: Awesome. So tell us about the program. What does it entail?

Mark Geeslin: In a certain sense, it's not rocket science. We're not doing anything particularly revolutionary. It is in essence a security champions program. But we made some fairly minor, but I think really significant tweaks to what has typically been done with security champions programs that has made it widely successful at Asurion. And the main, I think, difference is just a matter of philosophy and focus. And most security champion programs, and I've done those at Intuit and I've done those at Citrix before coming to Asurion, but most of them, what they try to do, right, is to build up a certain level of expertise in development engineers. They'll select or appoint engineers in the development world that are going to basically be deputized as kind of security light in a sense. They’ll give them some training, they'll be the evangelists and the contact points for the security organization into that world, and they'll help you extend the security organization, if you will, out into that world. But rather than us making them these deputies of security or an extension of security, security light, if you will, our focus was really to make them into appsec security experts in their own right so that they could honestly, I mean, essentially take ownership of security within their product teams and do it competently with adequate training. So what we've done is we've invested heavily in training them rather extensively in security, and in some ways they get more security training than our centralized security organization, even. But the focal point was to build these individuals into application security experts in that they could go on and carry the torch independently, if you will, from the centralized security organization.

Jen Ellis: Cool. So to make sure that I understand this, so the program is for developers working at Asurion on applications, on developing applications. And they are brought into the Security Maven Program, they're given training specifically on appsec elements and best practices. Is that right?

Mark Geeslin: Yeah, that's essentially it. We start them with a good foundation of application security, but we don't limit them to that. We let them, as long as they're actually engaged with the program and having influence and impact and being successful at it, we let them expand beyond that. So we will train them on both offensive and defensive. Part of the basic training is offensive and defensive. So not only do they know how to defend against the attacks, but they know how to attack the systems as well, which is of course always a lot more fun. So, they love that side. And then we let them, after they've gone through all of the basic stuff... Of course we would coach them, I coach them and mentor them, and kind of give them the direction to go. But a number of them have just decided to really specialize in offensive security. Some have gone more of a management security direction, some are just purely on the defense side. Some go and specialize in mobile security, for instance, or whatever it may be. And we support them. We fund it fully for them both. Their training, their travel, take them off to conferences. We go to DEF CON every year, we go to OWASP conferences as well. And just what you would do with if you were in the security world and you were very engaged in the security world, how would you participate in that community? We want them to participate fully in the same way.

Tod Beardsley: So wait, that was a lot of categories. How many people are actually in this program?

Mark Geeslin: Well, we started out with 12, three years ago, and we weren't actually sure how well this was going to work out because I'd never done anything quite this ambitious with a security champions program. But we sold it from the top down, starting with the president of the company, got him to buy into it. And then we just went down from there through the product development organization. And then once we got all their buy-in, we launched a pretty substantial internal marketing campaign to make it appealing and to get folks excited about it. And then we had them apply to the program and that's one of the key differences from what I've done in the past. We didn't have people appointed to be in the program, we had them apply and then we interviewed them, made sure they were well qualified, they had the right mental... The mindset is the key piece because they didn't have any security experience at that point. So it was really, did they have the aptitude to really succeed as a security engineer? And at this point we've got well over 50 members globally in six nations. And all across the U.S. as well.

Tod Beardsley: So just for scale, that's 50 out of... Roughly, how many tech engineer or developer folks do you think you have in your organization? Is it 10%, is it 1%, that's what I'm wondering.

Mark Geeslin: It's more than 1%, but it's about 4% of total engineering population. The thing is it just keeps growing and the leaders of the company have loved it. Development leaders have loved it. It's had all kinds of benefits that were not necessarily our initial focus, but it ended up... It's a great retention program because people love it so much. Some of these folks have gone on to be very successful in the field. One of our inaugural group of 12 is Omer Levi Hevroni, he's based in Tel Aviv. Works in... It's not really a subsidiary, technically, but they use a different name than Asurion, they use the name Saludo. And it is part of the Asurion company and he actually has gone off to become pretty well-known in his own right. He speaks regularly at security conferences and he has actually authored and open sourced a secrets management tool called Kamus, for Kubernetes, which has been embraced by Google.

Tod Beardsley: Yeah. Kubernetes is so hot right now.

Jen Ellis: It is! I was going to say that. So in right now.

Mark Geeslin: Yeah so it's... That's awesome. Three years ago, he didn't have any security knowledge, essentially, and wasn't sure if he really wanted to do this and now he's loving it. I've had a number of them tell me this is the best career choice they ever made, joining the program.

Jen Ellis: I mean, that's got to feel really good, right? That's got to make you feel very-

Mark Geeslin: It does. It's been the most difficult job I've done in terms of the amount of work, overall working here, but it's been the most satisfying because we've honestly... I mean, this term is thrown around a lot, but we've honestly transformed the culture of the product development organization where security ... I'm not just saying this, I'm amazed how widely the impact has been felt in that they truly do put security now at that same level as features. So they recognize security as an integral part of what we do.

Mark Geeslin: And it's not like they were before, were just against security, of course. It's just that it's security was like, "Yes, that's something we have to do but we don't really own it. The security organization owns it and we need to get their approval, et cetera, et cetera." But with the whole move to the DevOps culture, you need to embed security expertise at least to some degree in those DevOps teams.

Jen Ellis: Could not agree more.

Mark Geeslin: And they can take full ownership of it. That's crucial. And so they can move quickly, and that's what we've done here. And in the process they've actually seen on their own right without us having to persuade them how important security is and they're doing stuff that we could've never done on our own from our centralized organization.

Jen Ellis: I think this is an incredibly powerful story and I really take my hat off to you guys and what you've achieved with it. It sounds like one of the things you've benefited from is that you early on got good support from leadership and that they themselves are very switched on to the importance and role of security, which is great, and congratulations on that. I'm sure that you played a huge role in getting them there. And congratulations to your leadership on that because I think that's very forward-leaning that they have that point of view. What have been some of the challenges that you faced?

Mark Geeslin: Yes. So a lot of them we headed off, I think, with good planning initially, which again, was somewhat experimental so we weren't sure how it was going to play out, but it played out very well. Because I've done this before, like I mentioned, in other companies and one of the problems you'll typically face is maintaining momentum. You'll start out fine, you'll get some folks appointed to the program and what'll happen is the momentum won't keep there. You won't keep their interest and it'll kind of degenerate over time and where you're constantly having to reach out to them and pull them in and drive it still from the central org. That's not what we wanted to do. We wanted it to be self-driving. But we headed that off proactively by a couple of things. One was, again, the application. Apply, don't appoint folks.

Mark Geeslin: The other one was fund it centrally so that their orgs don't have to pay anything. So they've never had an excuse of saying, "Hey, we've got tight budgets, we can't send them to that conference or we can't send them to that training." We're funding it for them. So it actually looks like, "Hey, security is helping us out here because they're actually giving us retraining," and so just keeping it fun. Because engineers love to continue to learn. So they're voracious learners and if you show them the real fascination of this tech security from a tech side, they will embrace it by and large. And if you keep it fun and exciting and interesting, they'll continue to be engaged. So one of the other key things we did is focus on security, not compliance. And then focus on education and not on enforcement. So we don't task these people and say, "You're now the enforcers. You're now the policemen in your groups." We just tell them, "You are the security resident expert and you need to influence your peers with that."

Tod Beardsley: Right. Yeah. And you've turned them into teachers and mentors, not like cops and executioners.

Mark Geeslin: Yeah, exactly. But naturally, it wasn't perfect. And we did face some challenges. And one of the challenges, the way I would put it is you can get the excessively self-focused engineer.

Tod Beardsley: Wait, what?!

Jen Ellis: I don't know what you're talking about. I have never...

Mark Geeslin: So really, what they're interested in is their own world-

Tod Beardsley: You mean there's a downside for hiring "rockstars" and "ninjas" and all these other very solitary folks as engineers?

Mark Geeslin: Yeah. But to really have impact you've got to be an influencer, you have to go beyond yourself. So we knew that that was an attribute we would require of the members to accept them. But still you can't gauge that perfectly, not knowing these people. So that was one of the course corrections we had to make, but we built in a way to do that. We've told them, "This is a two-year assignment and after two years, we basically can move you out of the program if you're not doing super well. And you can voluntarily leave if you go, 'I've done my time and I really don't want to do this anymore.'" So we built that in, and we also require them to pass certain exams and obtain certain certifications. And if they weren't achieving those, then the predefined agreement was that they would move out of the program as well. And we made it clear they need to be influencers. They need to have impact, they need to be doing lunch-and-learns or their own internal webcast or whatever it is so they continue to educate and influence and impact. And a vast majority of them have done extremely well. I'd say 80+ percent of them have done extremely well, but there have been some that we've had to remove from the program just because it wasn't working out. So that's been one of the challenges.

Jen Ellis: It sounds like you’ve done a really good job of managing expectations going into it and very clearly laying out expectations. So when you have removed people from the program, has there been blowback on that?

Mark Geeslin: Yeah, they've been understanding and we've worked hard not to shame anybody or anything like that. And we worked with their management and so it’s a fairly graceful exit. We've made a path for a graceful exit from the program where it won't embarrass them. And at the same time we don't have to continue the relationship. And their management, universally, have understood when we've had to do that and supported it. And they've actually grown in understanding of the program as it's continued on over the course of the last three years, and appreciate more what we're trying to do and they've bought into it more. And so what's happened generally is they've actually come back with recommendations of other people in their team that were more suitable. And when we've gone through the interview process and all and made sure that they were doing this because they wanted to and not because their manager asked them to, we've been able to correct the situations pretty well.

Jen Ellis: It sounds like an absolutely fantastic program, Mark. Congratulations on it. It really does sound like it's been hugely impactful at Asurion and for the individuals involved. And I'm sure that lots of other people could emulate your example. As a very last question, for somebody else who did want to emulate this, what would be the No. 1 thing that you would tell them?

Mark Geeslin: Well, you hinted at it initially, which is you do have to get executive support first. So you would work hard and put the time in to sell the program to the executives first. And sell it not as just a security program but as a program with broader implications for the company, for the advancement of the company's reputation, for employee retention, and as a means of achieving the security that the company needs anyway, but also having all these side benefits from it as well. So I'd say work hard on planning that and selling that first and getting their buy-in, and getting their buy-in on that it's going to be funded from the security organization. That's critical. Either funding from the security organization or some central org so that the burden is not placed on the member engineers and their organizations because otherwise you’ll have a hard time keeping the momentum behind it.

Jen Ellis: That's great. That's great advice. Thank you very much. Thank you for joining us. I hope that you will come back at some point in the future and talk to us more about the exciting stuff you're working on. As ever, thank you to my co-host, Tod Beardsley, and thank you to our amazing producer, Bri, who makes everything actually happen.

Tod Beardsley: Thanks, Bri, you're the best!

Jen Ellis: Until next episode, have a fab time.