Organizations of all sizes continue to place a high value on software security. At the same time, businesses require faster release cycles to meet user demands. These seemingly conflicting requirements have pressured development and security teams. Development teams have little (if any) security training, and security teams are stretched thin and faced with overwhelming competition for talent. Mid-sized organizations, often relying on a one-person team, have the same responsibilities and regulatory obligations of their peers in large organizations, with a fraction of the resources.
It is not a matter of simply hiring more security staff. According to CyberSeek, there are almost 600,000 unfilled cybersecurity jobs in the U.S. and only enough workers to fill 68 percent of those roles. Globally, that number balloons to over a 4 million gap between the demand for cybersecurity resources and available personnel.
When everyone has a security need and resources are limited, the result can be a security island. Security islands are the antithesis of DevOps culture and occur when security becomes disconnected from the day-to-day activities of the development team. Understaffed security teams can publish policies and coding standards but are unable to engage with development teams consistently and effectively due to resource constraints. Instead, interaction between the teams is limited to reporting bugs to development after scans are run later in the development lifecycle. One way to help build a bridge between security and development and help shift security left in the software development life cycle (SDLC) is through a security champions program.
What is a Security Champions Program?
There is no quick solution to the security skills shortage. Instead, organizations need to foster a culture that values security regardless of an individual’s role. A security champions program scales a security initiative by drawing in people without formal cybersecurity experience.
What is a security champion?
Security champions are members of the development team who act as an extension of the security team, keeping their eyes and ears open for potential issues that require security’s expertise. A security champion need not be a busy development lead or Scrum Master. The only requirement is involvement with the day-to-day development process and an understanding of the team’s goals, processes, and culture. Champions can include software engineers, QA, and architects – some organizations even include product managers. In fast moving and resource constrained organizations, champions act as bridge-builders to security islands.
Security champions help advance security culture and embed security awareness and expertise in development teams earlier in the SDLC. Because the champions are part of the technical team, they more naturally connect the dots between what is needed for security in relation to business and engineering requirements. They understand the demands for rapid release cycles and can articulate what does and does not work in an existing process. Security champions work towards solutions that satisfy both security and engineering requirements, thereby reducing friction and promoting an improved security culture.
What Makes a Good Security Champion Program?
Like any initiative, a security champion program must have the support of management, including development leaders. If a security champion identifies areas of potential risk, management must be supportive of investigation. Managers must recognize that security champions have additional commitments and build this into their performance reviews.
Five tips for starting your security champion program
Software security doesn’t automatically improve once a security champion is part of the team. First, understand your current security posture and identify areas where champions can help. This could be reviewing secure coding standards with teams, helping to communicate security requirements, acting as a co-lead on security reviews, or simply bringing developers’ questions to security. Later, it could include conducting automated security scans or participating in design reviews.
Security champions are not tasked with bug identification or other security tasks. Instead, their primary responsibilities are to share knowledge, guard best practices, and help in the decision making process. As their skills mature, they may help define best practices, write test cases, and monitor the status of open issues.
In most organizations, it’s best to start with a single project and one or two champions. This allows focus on the process including communications with security, review cycles, and reporting.
As mentioned, security champions come from the development side of the organization. They need training on the issues where security needs an extra set of hands. At a minimum, security champions should be prioritized for higher level secure coding training – beyond the training (hopefully) required for all developers. Including security champions at industry events can also improve their skills.
Some organizations with successful security champion programs have formalized tiers. For example, Adobe has a curriculum and formal certification for their security champion program. Attaining a green belt is relatively simple, open to any employee, and achieved through e-learning courses. Brown belt and black belt certification requires employees to complete “security project(s) that directly benefit Adobe and our customers” and accumulate points toward each belt.
Recognize security champions
Security champions devote time and effort to the organization’s security goals — beyond what is expected of others. This should be acknowledged. It can be as simple as an internal announcement, a reference on their business cards, and security “swag.” They should be recognized by the security personnel as part of the team.
Security champions promote security awareness, communicate best practices, and simplify software security for development teams every day. By acting as an extension of the security team, they reduce demands on hard-to-find security experts and enable a security program to scale.
To learn more about starting or scaling your security champions program, download Building a Bridge to Security Island.