Knowledge is a perishable commodity: Nion’s proactive investment in Secure Development

By Mikael Rickan, Competence Manager & Consultant

Overall, both sessions were valuable and well-structured. They raised awareness about security and encouraged us to think more proactively about protecting our systems and data. The trainers were clear and knowledgeable, and the sessions felt relevant to our work environment.

A couple of weeks ago, we at Nion, in collaboration with Zacco, conducted a short but intensive Secure Development training program for all our consultants.

The reason is simple: over the years, cyberattacks have increased dramatically, targeting both companies and sensitive data. This made it clear that we must act proactively. Since new incidents are reported every day, affecting both our clients’ data and our standing as a reliable partner, we made the decision to act.

Why Train All Consultants?

We decided to involve the entire organisation – not just system developers, but also managers, project managers, and sales staff.

Security is not just a technical issue. Everyone who contributes to delivering solutions to our clients must develop a security mindset, whether they are writing code, planning projects, or discussing solutions with clients. A holistic perspective is crucial for building robust and secure solutions from the ground up.

The Plan: Theory, Practice, and a Hackathon

Together with Robert Bengtsson and Joakim Blomberg, two senior cybersecurity experts from Zacco, we structured the training into three sessions: two theoretical sessions and a concluding practical hackathon.

This approach allowed participants to first understand the threat landscape in theory and then apply that knowledge in practice by finding and exploiting vulnerabilities in a secure environment.

Phase One: Understanding the Threat Landscape

During the theoretical sessions, our Zacco experts guided us through the latest in Secure Development:

  • OWASP Top 10: We received a thorough review of the current list of the most severe security risks for web applications. We saw how these mistakes and vulnerabilities arise and how we must think proactively to implement security from the start in the development process.
  • Tools and Methods: We also received an introduction to various services and tools available online, as well as an introduction to Burp Suite – a powerful penetration testing tool – and how we can use it in our daily development to find vulnerabilities before they become problems.

The response was immediate and positive. Many participants highlighted that the practical examples made the theory concrete and directly applicable to daily work.

Hackathon: From Theory to Practice

To complete the training and cement the theoretical knowledge, it was time for the practical hackathon – our own Capture The Flag event!

Employees formed small teams, some online and some in the office, and tried to hack the OWASP Juice Shop to collect points (flags).

Changing perspective was the most important lesson in this Secure Development Training. Suddenly sitting in the attacker’s chair and actively looking for flaws like SQL Injection or Cross-Site Scripting (XSS) gave us a completely new understanding of how easily small mistakes in the code can be exploited.

One participant said: “It was an absolute necessity in my opinion. A basic knowledge of application security goes a very long way to affecting the way we think as developers and improving the overall quality of the applications we produce.”

Lessons Learned and the Way Forward

Rolling out such a broad competence boost in a growing organisation like Nion, whose consultants work with clients daily, naturally involved a couple of challenges.

  • Logistics and Availability
    The biggest challenge was getting approximately 200 employees from multiple offices across Europe to participate. We had to divide the participants into groups and plan the sessions carefully to minimise disruption to ongoing client projects. At the same time, we know that our clients appreciate that we constantly update our knowledge, which benefits the solutions we deliver daily.
  • Adapting the Content
    Although the training received an overwhelmingly positive reception, we received constructive feedback that the theoretical sessions sometimes became too technical for certain roles that do not write code daily (e.g., managers and sales). This observation was confirmed by the participant feedback: “There were some parts I understood fully, but there were also things that were very new to me since I’m not an IT professional.”
  • Future Competence Investments
    Our proactive approach is not just about addressing today’s vulnerabilities. We are also preparing for tomorrow’s challenges and opportunities. AI, for example, offers great potential, but it also changes the threat landscape. By continuously educating ourselves in these areas – including future threats to encryption, which we highlighted this past spring with an internal lecture from IBM on Quantum Computing – we can ensure that we always stay one step ahead. More knowledge gives us the opportunity to both develop safer solutions and benefit from innovation.

A Big Thank You

This is an important lesson for us. We would like to extend a big thank you to everyone who participated and provided their valuable feedback. Moving forward, we see a need to better adapt the content in future training sessions to ensure that all roles receive maximum benefit and that we can continue to strengthen the security culture at Nion – a continuous journey.

Summary: Security is a Continuous Journey

For Nion, this training with Zacco did not mark the end, but rather a new, common beginning on our security journey. By taking all roles out of their daily work to be trained in Secure Development – and even giving them a chance to change perspective and “hack” – we have not only raised technical knowledge. More importantly, we have established a strong security mindset.

As I wrote in the title, knowledge is a perishable commodity. And in a digital world where the threat landscape is constantly changing, continuous training is the best proactive insurance we can give our clients and ourselves. I personally look forward to implementing our new lessons learned in our deliveries and continuing to develop training programs that benefit both our employees and the projects we work with daily.

Have you also recently made a similar investment, or would you like to discuss how we at Nion can help you build safer solutions?
Do not hesitate to contact Mikael directly!
mikael.rickan@nionit.com
