Rise of the IKEA Cyber Jedis — Building a Security Community of Practice (Europe 2021)

Amidst the digital revolution and the change that affects human behavior, IKEA have had to rapidly change the way we do IT and software development. Two years ago, we set out to change (almost) everything we do and how we look at software security. In this presentation, we will focus on our Cyber Jedi Academy, a community, created to empower software developers within IKEA to address and work with security. The presentation will cover what we’ve learnt from running the academy for a year, and how we have come to change many things, such as why we must adopt team-centric security and how this optimizes the security work within teams. This session is presented by Synopsys.


Gustav Lundsgård

Technology Capability Product Owner, IKEA Group


Michael Dahl

Regional Sales Manager, Synopsys



Hello, and welcome to this session focused on the process of introducing and scaling the software security initiative within the world's largest furniture company. It KKR. My name is Michael doll. I'm with synopsis. And with me today, I have coastal launch call, who is the Ikea technology capability product owner. And of course, there's going to be sharing with us some very important insights from the journey that Kia has ventured on transforming from a traditional retail outlet to a digitally driven interior experience provider. And with that introduction goes down. Please let us know a bit more about yourself and more importantly about the journey that you've been going through these past couple of years.


Thank you very much, Michael. Uh, very excited to be here, um, to talk about the software security and cyber yet. I, um, cyber jeopardizes, our security community of practice. And, um, I'm going to talk about the, the security context of Ikea and what I am in case and how we have successfully create a security communities of practice to defeat, um, security challenges in our business. So good stumbling scored. I'm a technical capability product owner in cybersecurity. I represent the software security team, which is one out of five pillars in cybersecurity, uh, Ikea and I represent in a group. And in case of part of the bigger Akia brand, we are actually a franchise. See that sends Ikea furniture. And we are the biggest Francesi of Ikea furniture, where we are operating in over 30 countries. We are 170,000 people roughly, and we are mainly focused on retailing.


So we does, we do not produce any software. We only sell it. And of course the logistics behind it all, or just from, from shipping here and there. And of course, shipping to our customers, um, um, a few years ago, um, we transform many things that we do. And this is because the biggest revolution since Ikea was founded and Ikea is over 70 years old and I'm not talking about the pandemic we're in right now, I'm talking about the mobile phone and the behavioral change in retail shopping. This has inferred. We need to change and we teach and interact with our customers everywhere and in every channel. And this is usually what we try to do everywhere. I Kia has traditionally been a big blue books on the outskirts of bigger cities. Where do you go to buy furniture? But the regular customer today, they expect to buy stuff on their phone and get it delivered as cheap as possible to the door.


And we have, of course seeing these behaviors in our customers as well. And we see that this is very different from market to market as well in China, everything is through phone. Whereas in Germany, people still go to the store, um, more than buying on the phone and this is something that needed to change. So almost three years ago, we went out and said that we are creating a new Ikea in three years, bringing digital to the core of everything we do. And this is the Ikea retail direction changing not only how we sell furniture, but how we operate as an it company. We went from being a traditional retail company with of course an it department into become a digital company. And in the digital transformation that we did, when nothing had changed of, you know, how we were set up, we also changed how we producing software.


We went from being dependent on big software firms, delivering big complex monolithic platforms to our infrastructure, to developing ourselves. And of course we're currently in a mix of both, right? But we are now hiring a lot of software developers and dev ops people because the, the operational model that we have made for our software engineering teams is dev ops and dev ops means not a, you know, a process of CACD, right? It means a culture that you, as a team, you build it, you run it, you operate it, you deploy it. And these things is, this requires a completely different company than something that only runs monolithic platforms in the data centers.


So with that, obviously an enormous change, but James, is that from the top or do they, they also need to be filled out from the bottom.


Exactly. And like where, where security you're going to go in this because security today, uh, or, or security, the traditionally it's different for how we need to work with security in a dev ops team. And we looked at some books and some metrics like state of dev ops and Google and or, uh, which talk about what is a successful dev ops transformation and how can we fit into this? And I still have this quote information security should be integrated into the entire software delivery life cycle. What we see is a shift to give him the developers the means to build security. And, and I think that we've all heard, you know, shift security at the left or shift security everywhere, which been maybe more, more recent years. So what is actually that about, and how do we empower the product teams to do this from day one to really build security.


And for us, that means something we call team centric cybersecurity. And that means that if the product team they do develop it, deploy it, monitor it, support it. They are the most, um, best when equipped team to address the security of this product. They are the ones who know it's in and out and how come that, you know, then it doesn't work with the security engineering coming in assessment. And that is what I'm trying to visualize with this slide here, that the product team is important by cyber engineer. And I will deep dive into cyber engineers and guest a minute, but both decided by engineers and the product teams. They enables the teams to work with security because traditionally we've seen and we've done so ourself, as well as the chaos will come to do an assessment like at pump test. And we give them, we give our team a report, what you need to fix X Y said, we'd go back and whatever cadence you have for your test, you do an assessment again. And it's the same thing and stuff pop up. And we've all seen that over and over again. So we are not having the teams learning from the assessment that we're doing and this needs to change. So what we're trying to do now is having the security engineers empower the teams to work with security and make sure that when we find something, we addressed the root costumes,


Um, the, the question and the answer to what we were trying to do here, like the cyber Jetta or secure the champions program, um, that many calls, this is that we created a set of objectives, and this was over one and a half years ago when we created the decide and we set out what we wanted to do, we wanted to make secure, scalable, because we can never scale the security engineers or pen test or whatever assessments we're talking about. As we can scale software development, we need to increase the transparency of offering. And then this is something that we, we, that we were wrong about. And, and, you know, we learn as we're going on. That's, that's what we're going to talk about here. We wanted to raise awareness and we wanted to empower developers to address security.


So how do you get these guys onboarded and motivated to go with this? What kind of framework, what kind of, um, structure do build?


Well, uh, as I was in a position to decide how it's, what's going to look like together with my team it's what's of course the star wars, I am a star wars fan, and a stash towers is a theme of my life. So help me cyber Jetta. You're my only hope. And this is a quote from the fourth episode of, of star wars. And if you haven't seen it shame on you, but nice. Now you get to see it from the first time again. Um, this just has the song message. Like if we're doing demos, if we're doing team centered security, it is the cyber jeopardize within the teams that would need to train because they are our only hope. Where do we start then? Like, how did we come to this? Well, a year ago, a little bit over a year in March, 2020, we create a pilot program.


So we had only seven engineers from, I think it was six different teams that joined us because they wanted to learn more about security. And we wanted to try things out and we've built out a few modules, like the SST exceeds the secure software development life cycle seeker, coding, web security. And we then after the pilot program changed a lot on the feedback on the things we got from this, we made the modules too big and too complicated to understand. So during the summer, after we had run the pilot program during the spring, we launched a new initiative. So in fall 2020 September, we launched the new cyber Jana academy with over 30 jet ice in one go and there, we went with self-love training and we teamed up with the learning and development department at India. They are the ones who host our with e-learning platform and they work with upscaling of their company.


So they work with fellows at Coursera and, and courses in anything really that helps us become better at what we do. And a selfless training, like the left-hand side of the picture here. This shows a curriculum for the first level in the cyber Jedi academy. This enables the cyber jet eyes to do with them at their own pace. And the online learning system has things such as videos. In this example, we'll also have links to documents and reading materials. We had service and forums and assignments, and this is something I want to stress. We made assignments to do in context of their own team. And we did this together with four different levels. And this is to increase a sense of that. You progress in your career as a cyber DNI. And at the first level, the saga begins. You learn some basic, what is a wasp?


What is different types of data? Like what, why do we classify data, privacy, data NPI? And at the pattern one level, you try to, you, you start applying what you learned in your teams, and this can be anything. One example of an assignment is that we ask them to look at, oh, what cheat sheet and people whose worked with application security at the, I know I, for one, I love the cheat sheets. I mean, there are loads of information there and low, so things that they can read upon and apply in their teams. There's also some other activities that are more traditional security, as well as such as SAS and the CA start doing this in their teams. And at the night level, you lead your team through security activities that is more centered around the whole team, such as how do re threat modeling.


And this is really, really great when we have cyber jellies doing this. And, and I love the fact that we've actually having cyber Jetta is doing the threat modeling on their own, because it all boils down to that within the teams themselves, without a security professional involved, or we do support them in the background, but they have a team asking themselves what can possibly go wrong. And that is for me, what threat modeling is about. And, and at the master level, we only have one or two at the mass level. We hope that it will lead and inspire other teams to work with this,


Of course, the, the, the, the videos there that you showed. So, uh, they look very professional. Is that something to do with Mr. Lucas himself? Or is this a made in house?


You know, I, I wish, but some of, some of the guys that we have in the security team and generally, you know, maybe they shouldn't be hired by Mr. Luke, that sort of it's being burned because it's not hard. It's just about being creative and NMR with that out of the reasonable Mike and our webcam can start recording videos that we have used. And we have videos from our privacy team, from our cloud security team, from the cyber security team, discussing principles and learning our jetties about things. And it doesn't have to be a two hour complex script with flashy effects, two minutes talking about something that's important to, you know, trying to highlight important things. That's an exited question, Michael. And of course we had, like I mentioned, the cell flip training and these different levels, but it's hard to, you know, keep the engagement up.


So together with this, we also had open sessions. So every week we have an hour work where cyber Jettas can come and hang out, ask questions and get help. So sometimes this just serves as a blocker for them to work on cyber daily stuff. And more and more lately we've also have topics. And we've had topics with cyber jetties, percenting things they have done and challenges. They have seen insecurity that auditors can work with and help with. And one example of this is for example, a team that developed a nice way to decorate their pool requests and get tub with SAS results and whether or not they should go live with or merge this pull request. And they kind of presented like we do star SAS too, like this and other teams gets expired and, you know, they see, okay, they did like that. We also want to do it like that. And the open sessions are great in that regard.


Did you understand all, always sessions also where they, in which channels, where they conveyed in? So I guess people are not seeing each other face to face these days. So how did you,


The idea was of course, to have this physically from beginning, but I think that we, we overcome and it became easier to do this due to the pandemic, to be honest, because we can have an hour slot in the week in teams that anybody can jump into and listen and learn something about. And we have this every week where we sometimes invite people from various organizations, or we have a cyber Jetpack percent something, um, you know, spreading and spreading and sharing the burden of this is important. So like, that's what we did. And that's what we have done in the past year. How did it go? And then did we, did we really hit the target? Well, what we learned is that at the start it's specifically in the pilot program, we learned as much as the Jedi, because we had a, you know, a massive SS doc with a lot of activities that we wanted them to partake in, but we didn't understand how difficult was from teams to teams with different contexts, different techniques to implement the things that we had in the DMC.


And we don't have the secure software development life cycle. This, as you will see, isn't, you know, anything fancy or particular for many other companies, as you'll see, we're talking about code scanning, dependency analysis, teleconference monitoring, logging monitor that, no, that's not what we're going to talk about here. What we also learned is that time commitment was hard to get from product owners and engineering management, because they didn't, they didn't understand why would I give up a person in my teams 20% of the time, because that's what we asked for 20% of the time, and they didn't understand why they would lose feature development or tech development to focus this much on security. We also found that the feedback from the jet ice were really valuable, not only for this at MC but port for anything really that has to do with security. And we take feedback from security in so many processes today, like how we think and work about the risk management, vulnerability management, privacy cloud C, um, incident response, responsible disclosure.


Everybody wants to, you know, I mean the jet academy and then get their feedback. And I think that the last point here as well, what we learned is also, uh, a, um, a connection through the time commitment was like, we need to spend it cyber jealous time wisely. And the attempt, this must make sense, make the product better, because if it doesn't and the engineering manager and the product owners, they don't see the benefit of this. They only see a person, you know, educating himself. It doesn't give the team in a value that is something that we need to, you know, uh, to, to think about carefully.


Let's talk. Maybe it goes to just the reflection on the recruitment of the cyber jeopardize. So was there like a CV list that you had to check off and say, you can be cyber today? Or how did that process go


Antibody? Currently, anybody that's an MP3 with an Indian gap can become a cyber Jenna. And that's really important that we don't want to close the door on anyone, one thing to pursue this. And it's really, uh, um, you know, I could think when people come and say, I want to become a Jedi and we need to entertain the people, express their own interesting in, you know, if they want to take the step themselves, that is the perfect candidate. We both we've of course have a mix of, you know, both self nominated people and people that come, um, you know, that come from being endorsed by their manager or being forced is the wrong word, perhaps, but, you know, uh, pushed from the managers.


So what went well? Uh, because we learned a lot of things, but we had a thing and we had some highlights that are really want to, to, to talk about that makes the Jetta academy worth all the effort that we've put into it. We create that, uh, help from community and community. This, according to the, the, the state of dev ops and digital transformations or in devil's transformation is community. This is the most important thing to, to succeed instead of center of excellence, because in a community you will help and you will see other peoples that have the change challenges you and we have solved it. And that inspires and in the community learn, it goes both ways. So the jet eyes understand and feels like I can actually feedback what works and what doesn't work in this big enterprise. And I have shaped the future of how are we going to do a Sherman's, how are we going to do security?


And that makes them engaged. And that makes them feel special because we support the jetties, not don't live with, you know, now we're going to do threat modeling, and now we're going to do SAS. We also support them with discussion in their teams and giving them the ammunition of why this is so important. And I think that that is my boat with texted her, did leaving in the mission. The why, because is this thing we speak very much about in the academy? Why are we doing this? Why are we spending our efforts and security? And for me, and for money ANSYS at Kia, it's about what type of company are we and what type of company and what type of software are we trying to produce? Ikea has a clear vision. We want to create a better everyday life for the many people. We want to be people and planet positive.


We want to be sustainable and most maybe not most importantly, but I love this day. We want to show that it is good business to do good business. And if that is something that we want to strive for, and that people believes in, we must have secure and high quality software. And if we have secure on high quality software, you know, the digital experience and all of these things is also benefited from this. So the, the why, and, you know, the engagement is really important to come across with what ones well as well, and this is, this is also a draw, but then I'm going to talk about in a minute, is that we see that the teams with the cyber jet, I, they are more successful in the security sector because they, they believe in it and they understand it.


No, but I think this is a very valuable comment here, because exactly, as you say, if you look at your webpage, if you go, even in read a bit more, in-depth on your annual reports that you publish, it's a really, very clearly stated, uh, um, announcement saying that you want to make or make a contribution to a better world. Um, and, and I'm really happy to hear that this is also reflecting that and part of that. So, um, it all comes to a bigger unity, right?


It's a part of who we are and what we do as a company and secure it. The, in a dev ops world needs to be something that you do. It's not something that comes at the end of a life cycle that we've traditionally CUA. You know, we ended on SSD, we'll see you end in a testing phase, and then you test the hell out of your application. And then you maybe have something that you need to change. We want the teams to do security as well as they do it planning as you know, it's, it's a part of everything they do. We want them, like, we can talk for two hours on our threat form and our approach that that would be another talk out. But at that point in time, but yes, that is, that is really important. So, uh, the drawbacks, there are bad news.


Uh, so if, if you haven't fallen asleep yet, uh, here comes some interesting stuff. We have no good base, like the musher phone. We have made a huge digital transformation as a company. And as a effect that we don't really know where the teams are starting. We don't really know the security state does from, from the start. And that means that it's hard to enforce, to measure the positive impact of the jet us. Um, we do see some things of course, that, that we do know that the jets really are contributing to security and increasing the quality of our software. Another drawback is that there's a lot of expectation on the Jetta, but especially specifically now, when the, we have proven that the academy is something that people want to be, and people want to learn more about, we see that, uh, their security engineers think cybersecurity, everything, an engineer, your managers, they put so much pressure on the Sergeant Jetta.


He needs to solve this. And that's something that we always have to manage as, you know, manage the expectation of that is to facilitate, like, if we think about the slide I showed a while back on the team center, security, where are they? Cyber jet is, is surrounding the team because it's the product team themselves that must do the security work. It also comes with the high cost. It is time consuming. And from internal, some consultants have spent building modules and, you know, doing this, uh, you know, um, every week we're also having some software engineers and maybe not only software engineers, but other engineers in the company where we're giving them assignments where it does not potentially reduce risk when that's really what we want to do. When we talk about security rights. There were some


Of course. So I need you to just ask you also, when you talk about the resource and time consumption, uh, allocated here. So this obviously reflects to the extent of the transformation, right? So if you have some companies who do possibly a smaller kind of a transformation, and some other companies like Eko, I've done a massive transformation, right. And I guess always for a project like this, the magnitude of it is reflected to what you need to, to add to it.


Exactly. I think that, I think that, uh, I think everybody needs a cyber Jetta academy because you can put in what's important for you and, and making sure that the, the effort and the assignments that you give them is valuable. And then, and it doesn't mean to be security different. Doesn't matter. I mean, you can do this around a lot of things that wasn't a discussion today on how we're going to do it. I can recoverability and backups and decide Projeta academy is likely going to teach some things about this as well. So, uh, I think, I think that's a good question. So what should you do and, and what is my tips for you to create your own cyber Jetta academy? Well, start with an MVP program. And I think this relates to Michael's question as well, which is really good. Like, is it only for big, big software companies to do this?


No, do an MVP program and improve on feedback. What is it that you want to drive? What is the behavior and culture you want to foster in your company and in this, make sure that you spend the developer's time wisely so that the, it reaches the objective that you're trying to do. Like, you know, it may be compliance. It may be reducing risks or privacy or whatever you want to call it. All things they do must help their product, because if it helps their product, it w December Jetta, I will get support both from the engineering managers, the product owner, but also from the teams themselves, because they see, they become better asset team by the assignments activities that we send out the Jessie to do. And this is also a great example that the Jedi comes out and implement something, the team, or help the teams implement something. And that is learning by doing, and in my book, that is the far the best way to learn. You need to do with, to learn it. And that's really, uh, you know, that's really what I want to stress with this.


So the future is already done. Like it's the start of a Jetta academy done at the Kia? Absolutely not. Uh, we haven't even had, uh, it was less than a year. We created the big roll up and what we need to focus on right now is make paths for other roads and software engineers and dev ops engineers. Because I mean, we're a big company. We buy a lot of software, we integrate a lot of the software. We have a whole data analytics department with hundreds of people. We need to make paths for them as well, and make sure that the things that they do are relevant. And one example of this, that we, that we've failed with or not failing, but there was a role, but it's the, we have a platform and I had a few platforms engineer, so that's cyber jetties. And when they get an assignment to integrate SAS in the CACD, there was nothing for them to do.


And that is a waste of time and they cannot do it. We want to increase the frequency of onboarding because at the pace we have now, we have approximately 70 cyber Jettas right now. It's hard when we have more and more jet as picking up pace. And we're really created this rolling snowball right now, where we want to have a frequency of one boarding, where they can onboard at any given time and still feel committed and steal from the engagement from us that we're happy that they have joined. We need to make the different types clearer. And this is also related to increasing the communication towards managers on the commitment and personal development that it actually is to go from the SOC have, again, it's still a knife and a master level because this is a transformation and a journey. And not only for the product team, but for the person and the end goal of all of this. And, and I'm sure we'll maybe never reach it. They're a hundred percent, but I want to have one Jetta in each team.


Yeah, we haven't Gusto. That sounds like the project achieved. Thank you so much for your very, very valuable input here is really great to listen to this journey that you've been going through, sharing the tips with us really appreciate. Thank you so much, Kristen,


Michael, and thanks for everyone listening. And I just like to put them as a small store as well on that. This is far from my doing, I have a whole team of really awesome people behind me. So Jenna Filipino and Philadelphia, Rajeev, and the am, and everybody at home, a big thanks to you as well. And thanks for listening.


Great stuff. Thanks.