Strength in numbers: Axis Collaborative approach to cybersecurity

As cyber threats grow more sophisticated, so does our approach to countering them. “Security is integral to everything we do, from technology development to our daily operations,” says Jonas Falk, Axis Director of Cybersecurity. Leading the cybersecurity effort is the Axis Software Security Group (SSG), a central team of five security engineers working in the R&D organization. They have developed the Axis Security Development Model (ASDM), a framework that defines the process and tools we use to build software with security built-in throughout the lifecycle, from inception to decommission.

But can five people handle the cybersecurity of a large organization like Axis alone? Definitely not, which is why the team has implemented a unique network of “satellites”—around 75 individuals who act as the SSG’s feelers across the company. Instead of tackling the security work themselves from a centralized position, the SSG team coaches and empowers the satellite software engineers to take the lead and understand how to do the work themselves and, in turn, coach their teams. By becoming a satellite, you not only enhance your skills and knowledge but also play a vital role in developing innovative cybersecurity solutions. 

To dig a bit deeper into how this setup works, we spoke to three members of the SSG team: Eva Haslum has been at Axis since 2012, first as a software developer and satellite and then in her current role on the team as a software security engineer, where she’s been since 2023. Lisa Eneroth was also a software developer and satellite for three and a half years before joining the SSG team in 2022. And Tara Hassani, a software security engineer who joined Axis and the SSG in 2022 – right after her master’s in computer sciences.

Lisa explains how you can become a satellite, “It all starts with identifying the need for a satellite in the R&D department. Then the R&D manager puts forward one of the software engineers they think would be a good fit for the role.” Eva adds, “But of course, if you’re interested in security, you can also put yourself forward. You don’t need to be a security expert; we’ll coach you in that and give you support; you just need to be curious and enjoy working together and teaching others.” While any software engineer can become a satellite, there has been a noticeable and encouraging increase in the number of women joining the network. Eva speculates why, “We are nearly all women in the SSG team, which perhaps inspires other women to join.”

Once in the satellite role, you typically divide your time, spending around 80% on usual tasks and 20% on cybersecurity responsibilities. The SSG runs initial workshops and coaching sessions with the satellite and their team. As their competence grows, the SSG team begins to step back, allowing the satellite to lead the work, while they continue to get support. The network of satellites acts as a support system and a way to facilitate knowledge sharing and best practice. While the satellites help make our products more secure, Lisa stresses an important point, “Satellites are not responsible for the security of the final products—the line manager in the R&D organization always has the ultimate and final responsibility if something should happen” 

Eva tells us what she enjoyed about being a satellite and her current role, “It’s a fantastic way to get to know the entire organization, and you get to work with people across departments and markets. Then, as a part of the SSG, you get a really in-depth understanding of the Axis portfolio—probably more than most people in the organization.” Lisa explains that while she was a satellite, she always looked forward to the security tasks, so much so that she eventually decided to switch to full-time security work, “It’s a very rewarding job. You can go from being a teacher one moment to a problem solver the next, and you get to see the products evolving.”

The benefits of taking a decentralized, collaborative approach to cybersecurity are numerous, “It results in a much higher quality of security work because it’s being developed and implemented by people who truly know the products and the associated risks,” says Lisa. Lisa, Tara and Eva also agree that this way of working fits the Axis company culture, where we are committed to solving problems together and empowering each other.