As software becomes more sophisticated, the need for a security culture in organizations becomes more urgent. However, organizations’ security teams rarely have the necessary resources and expertise to support developers.
In fact, the BSIMM 2016 survey indicates that for every 245 software engineers, there is 1 security expert. Not only do organizations lack the resources and expertise, but security professionals also lack direct influence over development teams, aside from enforcing policy. Nevertheless, it is the security professionals’ responsibility to improve the security of software, while developers have little incentive to adopt security practices, which have a reputation for slowing down their workflow. So, despite the need for a security culture in organizations, the currently defined organizational roles and responsibilities aren’t conducive to creating one.
To address the security deficit in organizations, one notable response is to establish a Security Champions program. One implementation of such a program designates a member from each development team to be the ‘Security Champion,’ who acts as their security conscience. This person leads all security activities on the development side and plays a major role in facilitating an organization-wide security culture shift. In fact, we’ve already seen proof of this program’s success in major corporations, including Adobe, which has a ‘Belt’ program and Cisco, which has a ‘Security Ninjas’ program. Given the success in implementing these programs, Gartner estimates that by 2021, 35% of enterprises will have a Security Champions program, a significant rise from 10% of enterprises in 2017. So, we might ask ourselves, how can Security Champions fill the existing security gap in organizations to facilitate a cultural shift?
They’re the bridge-builder between development and security. The Security Champion builds a relationship between members of the development team and members of the security team. They facilitate all communication between them and help to instill a security conscience in developers. Ultimately, the Security Champion raises awareness about security needs amongst developers to help nurture a security culture.
They’re the go-to security expert on the development team. The Security Champion helps to drive security-related improvements within their development team. They assist in executing application security activities, and they ensure that security is integrated into the development process. If developers on their team have security related questions, they can go to their Security Champion to seek guidance.
They’re trained to be security experts. Once recruited, the Champions are provided with training materials, including books, written resources, and eLearning courses. They’re also enrolled in instructor-led training, which delves into application security related to the OWASP Top Ten as well as security tool training. They may even receive supplemental training in the form of Lunch and Learns or other events.
They’re motivated to be security-minded employees. Developers enter the Security Champion role knowing that it can help them grow in their career. They’re often offered external and internal certifications for each tier of Security Champion achieved.
Security Champions in the bigger picture. A software engineer who also acts as a Security Champion is an important asset for development teams, helping to teach other developers about security best practices while ensuring that secure code is deployed.
Ultimately, applications that have security built into the early stages of the software development lifecycle benefit from more secure frameworks and architectural design, as well as a reduced attack surface. This helps to reduce the risk, and the potential damage, that could arise while running critical applications in their production environment.
Having a Security Champion in your organization is an effective way to catch vulnerabilities and security defects before the application is released to production, reducing the opportunities for attackers to exploit the software and protecting the organizations that produce it.
In tandem with e-Learning courses and adequate security training platforms, Security Champions programs play a crucial role in shifting the cultural paradigm toward a security-conscious development environment.