Designing security into code is a lot like designing security in a house, Marilyn Barrios (ITM, M.A.S. ITM ’18) says. Each door, window, and any other point of entry must be secured. But these security measures aren’t considered after the house is built. They are embedded in the initial design of the house.
Barrios says a similar philosophy is shifting the way that code is being written for Motorola Solutions’ products and networks.
“The shift is thinking of security by design,” says Barrios, head of Motorola Solutions’ application security team. “It’s foundational in the code and not an afterthought.”
Barrios ensures that this philosophical shift is at the forefront in the development of the company’s networks, devices, and services as she oversees the company’s global engineering and implementation of cybersecurity best practices.
Attackers target code in order to find vulnerabilities. As more code is being exponentially exposed through connected smart devices, the urgency to shift cybersecurity philosophy to the foundation of code writing has been amplified. In the past developers had focused on writing code that makes the software operate, and then turning that code over to cybersecurity experts, who would run the code through diagnostic tools to find security holes. The code would have to go back to the programmers for repairs. It was a slow and burdensome process.
Barrios’s solution was to give programmers access to the diagnostic tools, so they could run a diagnostic after bits of code are written. These diagnostics detect vulnerabilities earlier in the development process, and fixes can be made more efficiently. It also prevents programmers from making the same mistakes as they get deeper into the code.
“Everyone has a security responsibility now,” Barrios says of a development team. “Everyone who touches our products and services has to ask, ‘What is my responsibility?’ It is my job to make sure that our software developers are deputized in security.”
It’s an enormous task, as Motorola Solutions serves more than 100,000 customers in 100 countries using 13,000 networks that the company has installed and designed. Motorola Solutions’ technology platform includes command center software, video security and access control, and the services needed to support these systems. Many of these systems include networks that 911 call centers rely on, as well as public safety and enterprise security systems.
Barrios says that part of her role is to encourage software developers and engineers to embrace the cybersecurity philosophical shift, which is done by familiarizing them with the concepts.
“A lot of them think cybersecurity is hard,” she says. “A lot has to do with demystifying it. I try to give them the easy button.”
Barrios began her work at Motorola Solutions in 2018 as a cybersecurity trainer, and she soon developed a training program, which teaches some 6,000 programmers at Motorola Solutions the best cybersecurity practices. Getting to that point, where she was helping to create solutions, was a gamble—on herself, and on leaving a career in information technology sales.
“While I was working with customers, I heard some sobering problems and started to ask, ‘How can my solutions help?’” she says. “I saw engineers building solutions to solve those problems and thought, ‘That’s what I want to do.’ I wanted to bring the help that solved the problems.”
Katrin Reitsma, a security solutions manager at Motorola Solutions, says Barrios’s role as an agent of change takes a combination of skills, particularly when the company’s programmers, among others, weren’t immediately on board. Reitsma also says that there were significant costs to create the trainings, as well as for the licenses to give more people access to the diagnostic tools. Convincing executives wasn’t easy, but Barrios helped executives understand that the up-front costs would lead to savings long term; fixing security vulnerabilities after production can cost up to 10 times more than doing so during production.
“To do this, you have to be able to speak a business language and a security nerd language,” Reitsma says. “Marilyn can speak both, which is very rare.”
Besides entering school at the high point of her career in sales, Barrios was raising a young family with a two-month-old child and her husband working as a police officer.
“It was a tough time, but I’m very glad that I did it,” Barrios says.
When she decided to change careers, her intention was to get into coding or engineering. She fell in love with cybersecurity during her courses, though, because it satisfies her desire to be a problem-solver—a task that grows bigger every day as more and more devices log on.
“I discovered that security is a problem,” Barrios says. “There is a good guy and there is a bad guy. That fed my initial motivation to help solve problems.”