5 Ways for Developing an Effective Security Champions Program
Although security professionals and developers both want to ship secure applications quickly, many development teams lack the necessary secure-coding skills. A key reason for this gap is that only 24 of the top undergraduate computer science programs in America require their students to take security courses.
Organizations often respond by placing security gates in the SDLC rather than building security expertise within their development teams. Developers come to resent these gates and the code reviews that enforce them, and development velocity suffers.
Instead, organizations can create a security champions program that builds security into the development process rather than disrupting it with gates. The program is designed to help security champions, developers who are interested in security and remain rooted in the development team, grow their expertise and become security experts. Because they have cross-functional expertise, they can act as an interface between security and development, two traditionally siloed teams.
These are five things to consider when implementing a security champions program.
1. Keep the program developer-focused
To get high participation, a security champions program must be developer-focused. Program leaders must understand developers' needs, goals, and pain points. Adoption will only happen if the program focuses on security as developers experience it.
2. Get leadership buy-in
Security and engineering executives must buy in to a security champions program from the start. Executive sponsorship allows program leaders to communicate the program's goals and expectations to security and development teams, scrum masters, and others.
Developers who see leadership buy-in are more likely to invest their time and effort in the program, because they need not worry about being penalized for spending time on work outside their core job responsibilities. This encourages participation and contributes to the success of any security champions program.
3. Clearly define expectations
A security champions program must clearly define roles, responsibilities, and activities, and these expectations must be aligned closely with developers' needs and pain points. Security champions should begin with a few activities and take on more as the program grows.
Open communication is essential between security champions and their development teams, and between the champions and their security coach. Clear expectations about what the security champion role entails and what people can expect of each other ensure that security knowledge and experience are shared across the organization.
4. Set measurable goals
Set clear KPIs at the beginning to define expectations and establish concrete goals. KPIs can be metrics that measure how much security champions contribute to the security team or to the DevSecOps process. These goals are also used to determine the program's ROI.
A security champions program might also award designations or achievements based on the number of security-related certifications earned, security work completed, and security wins. This not only encourages developers to become security champions but also deepens their security knowledge and experience.
5. Recognize developer achievements
The most effective security champions are those who join the program voluntarily, so organizations should encourage developers to participate rather than assign them. Incentives such as security champion gear, tickets to conferences like DEF CON or Black Hat, and additional education opportunities all help increase adoption.
Recognizing developer accomplishments is another effective way to motivate them to work towards security-related goals. Internal recognition from a security executive, or a mention of a security win in meetings, can make a big difference to the adoption and success of any security champions program.
By creating a security champions program with buy-in from both security and engineering, organizations can improve secure development organically.