D&D in Real Life: Security Skills
Security is a big field and has a reputation for being exclusionary and condescending. The expectation is that, regardless of your role, you should know everything about security, and if you don't you're not a very smart person. Instead, think about security as a skill equipped on a character, one we build over time and that fits each character's profile appropriately. A magician or wizard doesn't need high levels of strength, just as an app developer doesn't need to understand every facet of every CVE in depth.
Book Club Model
A strategy I've used in the past that has worked well is the Security Book Club. The premise is the structure of a book club: a regular cadence (e.g. 30 minutes once a month) to meet and discuss in an informal, round-table fashion. Instead of reading a whole book, though, we read a single article.
Just like in role-playing games, you don't get all 100 charisma points on the first roll. You get 2 points, or 10 points. You fight low-level minion after low-level minion that matches where you are. You don't skip straight to the last boss while you're still wearing the basic armor you found discarded outside the starter village, and, hopefully, you have a team with skills and abilities different from yours to work with.
This strategy isn't just some random thing I made up, though. It's supported by learning science.
Cognitive Apprenticeship
Cognitive apprenticeship (CA) is a theory that treats learning the same way one would a trade like woodworking or plumbing: through modeling, coaching, scaffolding, articulation, reflection, and exploration. CA stresses situated cognition (learning in context) and the community of practice (learning as a collaborative undertaking).
In the book club model, we take an article, the kind we rarely read on our own because it's boring and hard to understand, and we allow time to read, reflect, and take notes. Then we come to a space where, if you're a novice, you have the benefit of someone more skilled than you who can model, coach, and scaffold the concepts and vocabulary for you. In that same space you can articulate what you know. We don't truly test our knowledge and understanding of something until we start articulating it, either in writing or by speaking to another person. Finally, reflect on what you've learned, then reach out to the connections you've built to explore the topic further.
Starter Articles and Considerations
Here are some articles you can start with and some considerations if you're facilitating a book club session.
Post Mortem on Log4j
Mobile App Sec
Cloud Security Best Practices
Are there any vocabulary words I'm not familiar with?
It's important for a book club to be psychologically safe for all skill levels; psychological safety is a quality of high-performing teams. If you're leading the book club, call out some vocabulary that people brand new to the topic might not know, even if it's familiar to you. By doing this you model your expectations, which is part of cognitive apprenticeship.
Give people a space to write thoughts, questions, or observations
This could be a Miro board or a Trello board. Open that space up before you meet so that people have ample time to note and process; this is especially important for people who process more slowly or who are working in a second language.
How does what we learned apply to our work? Are there other people in the organization that would benefit from what we've learned?
What takeaways do we have that apply directly to the work we do at Acme Corp or Startup Co? One of the important elements of cognitive apprenticeship is that learning is situated, so the article you choose should be related to the work your group does.
Is there other information we'd like to acquire to expand our knowledge of the topic?
As mentioned before, the final phase of CA is exploration. Just like in an RPG, once you get familiar with the enemies you're fighting and the landmarks in your current area, you go out and explore the rest of the map.
This is just one lightweight strategy you can use to level up your own skills and your team's. The same framework can be used for observability or accessibility. If you want to know more about the strategies we use at Studio W on W in our High Performance Team Coaching, give us a shout!