Allan McGuy earned his bachelor’s degree in Mechanical Engineering and his master’s degree in Quality Systems Management. He began working at Cengage, a global education technology company, in 2017. He was initially hired as an IT Security Project Manager, responsible for assessing, planning, and organizing IT security initiatives, programs, and activities. His role covered all aspects of IT, including infrastructure and platform leadership. His responsibilities included creating the security program roadmap, driving security best practices, producing meaningful project reports, co-leading the Incident Response Team, and many other duties that positively impacted the company’s security program. In 2019, Allan transitioned to Director of Product Security. His philosophy from the beginning was to make security a true partner to the application owners.
For Allan, educating application owners is key to forming a strong symbiotic relationship that positively impacts the business and drives growth. It also gives security an opportunity to expand into SAST, DAST and penetration testing. According to Allan, “By partnering with application teams, walls are broken down and security has an opportunity to expand throughout applications. I recommend starting with senior leadership and educating them in a proactive way. After getting the buy-in from senior leadership it is important to build trust. Being part of the team with our development partners enabled us to execute testing adoption, thus improving the security posture of our applications.”
TYING SECURITY METRICS TO BUSINESS OBJECTIVES
Allan feels it is important to tie security metrics to business objectives. He comments, “The biggest challenge for product security is providing the business an accurate account of the security posture of each application.” His team has created a security maturity rating that takes into consideration the adoption of targeted security practices for each application and the mean time to remediate security vulnerabilities. This allows the business to measure the security profile of each application. Allan publishes quarterly metrics for each business unit, which takes the data and builds initiatives into its next quarterly planning process to address the security posture. On building the application security posture, Allan says, “We use the OWASP SAMM model as a guide for the security practices such as testing, vulnerability management, training and guidance.”
Allan believes in empowering his team to grow and evolve. He explains, “I like to plant seeds with my team members; I don’t necessarily give them precise direction. I do not like to come across as a know-it-all, and I always rely on team members to brainstorm together.”
Allan has had an opportunity to hire staff through Apprenti, a non-profit, nationally registered tech apprenticeship program. He says, “I like working with Apprenti because it often includes people who want to re-career themselves. Once we select someone, they go into a six-to-nine-week training program and have opportunities to obtain applicable industry certifications. After this initial training program, the employee joins our team, and we provide additional training for approximately one year. After the first year, an evaluation is performed to determine if the employee will stay within our group or move on to other areas of the organization to learn new skills. Currently, there are three people on my team who are from the Apprenti program.”
To continue to grow and learn, Allan believes in attending conferences and participating in educational courses provided by the organization.
He comments, “At Cengage, we are a learning institution, and our goal is to help the learner, period. We put together courses like Skill Up, where members of the technical organization were educated on all customer-facing applications. We also have had design challenges (hypothetical business solutions), where different people across the organization get together. I participated on a team of five and didn’t know anyone on my team beforehand. We did a design challenge for one hour per day for five days, and it was a great opportunity. We offer so many courses to our external customers through our Work for Skills business, including security courses with Infosec, and all those courses are for our team members as well. There are constantly opportunities for my team and me to learn.”
Allan believes his team’s success is based on many things. He says, “We have chosen some very good testing tool partners; we have an excellent Chief Information Security Officer who believes in the product security vision, and we have an amazing product security team who is highly skilled in security and in partnering with the application business owners and development teams.” Allan trusts and coaches his team, which has enabled them to be a catalyst across all applications, thus lowering Cengage’s security risk.