Last week, I attended my first in-studio yoga class in 18+ months. Pre-pandemic, I went to yoga daily and always had the same spot (first row, all the way on the right, right in front of the mirrors so I could keep an eye on my form). With limited studio space, and only six people per class, by the time I arrived, my usual spot was taken. I had to take class across the room from my usual spot. It was strange at first but it was a good reminder of how important it is to change perspectives.
The latest Reimagining Cyber podcast guest, Brett Harris, Product and Solution Security Officer with Siemens Healthineers, brings a different perspective to cyber, from his career path to how he has changed the culture within Siemens. “New Perspectives in Cyber” dives into how Harris has leveraged his unique skill set to build out Siemens Healthineers and changed the culture to put product security first.
Use the Skills You Have
Harris didn’t start out in cyber. In fact, he initially turned down his first cyber role, having studied Computer Science in undergrad and thinking he’d become a developer. He quickly realized that wasn’t the right path for him, instead leaning towards IT and DevSecOps.
“I didn't see myself as a security person. I did not think that I wanted to move into security, actually, when I was asked to take on a role in security,” he said.
“Basically, we were starting up this new digital health organization within Siemens Healthineers, where we were bringing all of our software platforms and our cloud platforms under one umbrella, and also planning to start up a bunch of new and innovative cloud and software platforms. And they needed someone with like a very specific skill set to help drive the creation of that product security organization.”
By leveraging his past experience and skills, he has been able to bring a unique perspective to his security roles.
“Very few people really feel like they've got the security chops,” he counsels. Harris credits his growth mindset for his success.
Shift in customer priorities causes shift in organizational development
Long gone are the days of customers focusing on the product with the best features and functions. Yes, they’re still important. But Harris has seen an increasing shift in customer needs. Customers are only allowing products that have the best security to go through purchasing.
“The mindset is changing overall,” he says.
“So when building that digital health, product security organization, I took a couple of different approaches.”
Harris embedded security into the product teams. Instead of having a central resource, he integrated security into the product teams throughout the entire development cycle, from architects to testers, where it could influence the development and design of each product every step of the way.
Building a product security first culture
Changing the culture within Siemens started with building out a core team of Security Engineers and Security Project Managers called Product and Solution Security Engineers. Next, Harris appointed Security Champions, or architects, who leveraged their product security expertise.
“My personal management style is around servant leadership,” he explains.
“I feel that it's really important that I'm helping my team give the best that they can get.”
Creating a service-oriented central team, focused on the servant leadership methodology, helped support product teams when they needed help the most (so the security team wasn’t seen as just a governing body).
Harris also leveraged his DevOps expertise by automating and streamlining parts of the process, reducing internal team friction.
WannaCry makes Siemens want to cry
In 2017, the WannaCry ransomware attack targeted Microsoft Windows computers by encrypting data and demanding a ransom in Bitcoin. By this point, Harris was already in his Product Security Officer role, and there were various other Product Security Officers in place. After the WannaCry attack, Siemens realized it needed to make some improvements.
“In 2017, we created this cyber health program, where the goal of that program, and it's still running today, is to raise up our company's capabilities around product security, in every…function, strategy, training, market, and, you know, everything you could possibly think of,” he explains.
“It's done so much to streamline and improve all of everything that we're doing around product security. So using that example, WannaCry took a week or two to get a holding statement out. The last one we had to do we had a holding statement out next day.”
Taking a step back and looking at things from a different perspective, while using the skills he already has, has helped Brett, and Siemens, achieve success. How have you taken a step back in how you look at things this week? How has that helped your success in security? Share in the comments below!
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.