October 29, 2018

Infusing a Culture of Cybersecurity within Cerner Engineering

With October being Cybersecurity Awareness month, we thought it would be a good time to reflect on some of the things we do in engineering to educate our associates and infuse security into our culture. We have over 28,000 associates worldwide supporting hundreds of solutions with millions of lines of code. Each associate has a specialization, such as software development, system support, and consulting. Keeping everyone up to date on the latest in security is a difficult task.

So how do we do it? We have teams dedicated to security that work directly within engineering. These teams have various responsibilities such as ownership of scanning tools and vulnerability tracking. My team’s goal is to bridge the gap by injecting security as a first-class citizen in the software development lifecycle. When working with developers, you have to make the right thing to do the easy thing to do. This is no different when it comes to security. In order to make security easy, we scan, assess, and create a plan for our developers to remediate their vulnerabilities. We promote the tools for scanning, help teams understand the results, and identify fixes for vulnerabilities. We run a monthly cybersecurity meetup which we use as a venue for associates to speak and learn about varying security topics.

Andy Nelson opening the September edition of the Cybersecurity meetup

Sebastian Brown presenting at the July edition.

We also take advantage of opportunities like Cybersecurity Awareness month. We bridge organizational gaps to host a variety of security-focused events, engaging associates in development, security, and operations to facilitate better relationships and collaboration. Events like these lower the barrier to entry for our developers to learn more secure practices, and embrace and celebrate the progress we are making in our security journey. We kicked off the activities this month with an external tech talk from Britney Hommertzheim. Britney, the Director of Information Security at AMC Theatres, presented on how we can better integrate security teams and developers. It was a great talk and you can watch the talk on our YouTube channel. We invited another external speaker for our Cybersecurity meetup a few weeks ago too. Caleb Christopher, a Technical Business Adviser at Allegiant Technology, gave a great talk titled “Defeating Email Fraud with DMARC”. Alongside those two events, we have held lunch and learns throughout the month, and are wrapping it all up with an hour of security-focused lightning talks tomorrow.

Britney Hommertzheim giving an external tech talk about integrating security across organizations

Security is not easy and we always have to strive to get better. Our development, operations, and security teams must work together, so we are doing our best to provide a forum for collaboration and sharing.