Insider: The world of security evangelism
For some, when you think of evangelism, you imagine sales and thinly veiled product placements. For those used to dealing with evangelists, such as the media, there is far more to the position than sales. We recently got a chance to speak to HP’s new security evangelist, Rafal Los, to talk about his new position and security evangelism as a whole.
At The Tech Herald, we have tapped Los for Web Application Security commentary on more than one occasion. The reason is simple; he offers information in easy to follow segments and is blunt in his delivery. While he is a known employee of HP, he always avoids pitching products to us when we ask him for information. To be honest, we have to actually mention HP before he will explain their take on things.
Still, there are plenty of misconceptions in the IT industry when it comes to evangelism. Most of this is due to the close ties that evangelists have to the sales and marketing teams within a company. At the same time, the bad reputation that some evangelists have is due to how they are utilized by their bosses.
Take for example Ryan Naraine and Dennis Fisher, who are Security Evangelists for Kaspersky Labs. They are respected reporters, and never once have they blatantly pitched Kaspersky, despite countless articles written between the two of them on anti-Malware related topics.
Other examples of positive evangelistic usage, based on our experiences with them, come from Sean-Paul Correll, who is with Panda Labs, and David Perry from Trend Micro. There are some bad examples as well, but we will avoid naming them here. They know who they are.
While in Las Vegas for BlackHat last month, we caught up with Los to talk with him about his new position. We asked about his initial thoughts when he was tasked with the job, as well as some of the drawbacks to his position and common misconceptions.
Overall, he was pleased and excited with the new position, but then again, he has been a vocal supporter of Web Application Security for years.
“There is a ton of opportunity, and I think I’ve got my work cut out for me. There’s a lot of work to do, industry awareness, internal awareness, and just evangelism in general,” Los said.
So what are the drawbacks to his new job?
“The biggest personal drawback is the travel and that it keeps me away from home and my routines. On a professional level, the responsibility of being an "evangelist" (essentially the public-facing entity for an entire organization's message) isn't simple either,” he explained.
His role means that he has to mesh HP’s business strategy and industry trends, all while balancing it “…against what really helps our customers succeed through a message that makes sense, and isn't perceived as pushing an agenda. That is certainly not trivial.”
“Being an evangelist means breaking through the agenda-based forces that divide the security industry along vendor lines, create confusion for businesses, and act as a barrier to their success, and it's tough.”
So is this selling out? Los doesn’t see it that way at all.
“I think that this is the exact opposite of selling out. Selling out would be doing the everyday thing, right? Being the sales guy,” he said. “This is something I’m passionate about, something we’re [HP] passionate about, and to us it’s a big deal.”
Two of the most common misconceptions are that security evangelist is just another name for a sales role, used to further the HP agenda, as one person put it to him, and that a company as big as HP just won't take this seriously.
“Both couldn't be further from the truth,” he said. “It's amazing how many people have already rushed to provide assistance, support, and opened doors internally and externally for me to get the message out. Frankly, I can't wait to prove the doubters wrong.”
HP will give Los a lot of latitude to talk about what is relevant and what’s important over what sells he told us. While HP sells Web Application security appliances and software, “it’s more important to us, as an organization, that our customers and the industry realize that Web Application Security is a big deal.”
The first thing he wants to tackle is breaking security out of the security silo.
“I know, it's been said before but no one's doing anything about it! We scan, test, and collect vulnerability metrics and no one cares outside the security organization. The risk level doesn't actually drop, yet we pat ourselves on the back as we fail the business. Becoming an integral part of the 'business of IT' is something security must learn to do, and it's more than just tools (products). It requires a level of thinking most organizations are afraid of.”
To Los, this means that security must become a sub-topic of quality testing.
"Think about that. Overall software quality should have three components or three questions it answers: Does it work? Does it perform? Is it secure? If any of those three fail it's a loggable, traceable, reportable and fixable defect."
Essentially, Los told us, the process is one of Application Lifecycle Management, and security swallowing its pride and becoming a component of software quality "rather than trying to continue to fail on its own."
Los has blogged and spoken publically about security topics that range from Web Applications to common IT mistakes. This new role at HP is in reality positive recognition for the advice and insight he has offered to the community for years in an unofficial capacity.
It won’t be easy. It will be a serious challenge, and that’s something he lives for.