EP 52 — Gen’s Curtis Koenig on Speaking the Language of Why Security Matters

In this episode of the Future of Application Security, Harshil speaks with Curtis Koenig, Head of Application Security at Gen, a multinational software company that provides cybersecurity software and services. They discuss why it’s key to be able to articulate why security matters and how it impacts business goals, and what Curtis has learned about how different industries approach risk. They also talk about how security can help engineering be more efficient by speaking their language, various metrics that can assess your training and communication, and what the future of LLMs and security looks like.

Topics discussed:

• Curtis’s background in various industries and what he’s learned about how culture, goals, and risk vary.
• How learning about a company’s culture and goals first can help you translate how security matters to them.
• How to create a security strategy roadmap, how often to revisit those goals, and how to incorporate frameworks to sell across the business.
• How security can help engineering be more efficient by speaking their language and translating information into actionable tasks.
• What metrics to track that can help you learn more about how well your training and operations are working.
• How LLMs are helping with software development today, and why they can introduce more security issues if developers aren’t thinking wisely about using it.

Guest Quotes: 

“I think that is a key insight of my career, that being able to understand when I land in a company, understanding that company’s culture, understanding that company’s goals, and being able to speak the business language has been part of what’s been a big part of my success. Because I can translate what security is doing to how it matters to them.”

“If you understand what the business is trying to achieve and what your customers want ultimately out of that, you can tie your security initiatives to that and understand the prioritization, too.” 

“By speaking of security in a quality metric, we’re speaking in a language that engineers understand. This is, again, about how do I speak in a language that my audience understands, because they may not necessarily speak security.” 

“How often do we reintroduce the same security vulnerability in the same set of code? … Metrics like that are great not only for the other team, but you have to ask very hard questions about yourself, about why they exist the way they do.” 

“Those sorts of problems [with LLMs] don’t look like security problems initially, but they become one over time if you’re not consciously thinking about how you put the pieces together.” 

Listen to more episodes: 

Listen on Apple 

Listen on Spotify