Software security is a Board-level issue for good reason. In addition to financial losses, regulatory penalties, and reputational damage, gaps in software security can carry personal consequences for board members. Poor cyber security practices increasingly bring the threat of “Caremark claims,” under which board directors can be held personally liable for neglecting an organization’s critical risks, including cybersecurity risk. Marriott and SolarWinds have faced Caremark claims after breaches that impacted shareholder value. Others will likely follow. The EY Global Board Risk Survey reported that 84 percent of Boards do not believe their organizations have a highly effective risk management strategy.
Improving the security of applications should be a top target for organizations. A study by Synopsys and the Consortium for Information & Software Quality found that poor software quality – including vulnerabilities – cost organizations $2.41 trillion in 2022. Web applications are commonly at fault. The 2022 Verizon Data Breach Investigation Report found that web applications were used as the attack vector in roughly two-thirds of the incidents covered in the study.
This trend is exacerbated by the lack of skill and awareness in secure development practices in most organizations. The cybersecurity talent gap continues to frustrate organizations. In January 2023 CyberSeek reported over 750,000 cybersecurity job openings in the US alone. Few security teams have all the resources they desire, and recruiting and retaining new staff is an ongoing challenge. Synopsys’s 2022 BSIMM 13 report found that the average organization had a single software security resource for every 122 developers and 43 applications. Even highly skilled security professionals cannot support that many developers and applications singlehandedly.
Security Champions Extend Security’s Reach
This is why we have continuously urged organizations to leverage security champions. Security champions are members of other functional teams who lead the charge for improving an organization’s security posture. Most organizations recruit security champions from engineering teams. In others, security champions may also come from operations, development, and product management roles. Champions act as a liaison between security and product teams, encouraging communication and cooperation. They help their peers in development understand why security is important to the organization, what measures can improve product security, and how best to achieve their goals.
Security champions act as a force multiplier, extending the reach of security teams and promoting a security culture. They enable organizations to scale security and embed it within development teams. When an organization has more people thinking about security as a shared priority and requirement for their jobs, they are likely to produce more secure software.
Training for Security Champions
Ongoing training should be a critical strategy in an organization’s security champions program. Security champions are the de facto day-to-day security lead on most teams. Well-informed security champions understand the changing threat landscape and provide security direction to their peers. They understand and are able to explain the benefits of threat modeling, why the principle of least privilege helps secure products, and the requirements of various regulatory standards, relieving the security team of more routine activity. Importantly, trained security champions can bring operational insights back to security, allowing the security team to adjust procedures and controls to fit the skills, technologies, and limitations of each individual development team.
Depending on their role and technical expertise, several “tracks” should be available to security champions. These include:
- Security awareness: Security awareness educates people on good cyber hygiene practices and should be a requirement for all employees. Security awareness coursework covers the importance of strong passwords, protecting systems while on public WiFi, and protecting organizational assets from social engineering, phishing, and spear phishing attacks that could lead to ransomware or Business Email Compromise.
- Cybersecurity basics: For less technical security champions, cybersecurity basics coursework would cover high-level topics and common attack vectors. This could include information on DevSecOps, cloud security fundamentals, threat modeling, least-privilege and zero trust principles, authentication and authorization, and other security topics.
- Compliance: Every organization is subject to a variety of regulatory requirements. These can include GDPR, CCPA, HIPAA, PIPEDA, and the PCI Data Security Standard. Security champions can help the organization understand how these regulations apply to software development and better communicate those obligations.
- Secure coding: All software engineers should have on-demand training available. Security champions from development roles will benefit from in-depth review of threats and vulnerabilities specific to the technology stack they use. For languages like C and C++ this would include memory management, buffer overflows, and format string exploits. For Java and .NET teams, security champions should be able to assist with educating peers on web defenses, input validation, secrets management, and common attacks such as cross-site scripting and SQL injection.
- Operational security: Security champions from DevOps and Ops roles responsible for secure deployments will benefit from training on protecting containers, defending cloud deployments, and securing databases.
- Accreditation: Consider courses that provide accreditation by independent third parties. This can provide organizations with a competitive advantage with customers concerned with supply chain security. It also can improve recruitment and retention of security-conscious development staff.
Security champions take on additional responsibilities beyond their normal work. They are tasked with understanding and communicating security requirements and controls to both technical staff and the general employee population. Organizations should consider leadership training to assist champions in their career development.
Training is essential for security champions to fulfill their role effectively and help promote good cybersecurity practices within an organization. Targeted training that increases security expertise ensures a more engaged workforce, extends the reach of scarce security resources, and promotes a culture of security.