How to turn your developers into security champions?
Márk Félegyházi (Avatao CEO)
Security champions play a vital role in establishing and maintaining a security culture in an engineering organization. Why? Because security champions are the essential nexus and liaison between the security team and various engineering teams, particularly developers. Whereas the primary focus of security teams is to make the product development and operation robust and secure, the engineering teams focus on getting things done as fast as possible with a reasonable quality that does not haunt them later. Security champions understand both worlds and speak both languages.
Objectives of champions
Being a security champion is not an easy task, as you have to juggle this bi-modal set of goals and drive your team from “fast or secure” to a “relatively fast with reasonably secure” mindset. As a security champion, your role is to find balance, prioritize and execute with these goals in mind. Also, you have to manage other stakeholders and advocate security outside of your team to make sure that anyone working with you also adopts a security mindset. Essentially, you have to aim at “secure, but not too strict” outcomes to deliver secure products fast.
But how does one become a security champion? Below I list a few ways in which a security program manager can spark interest and turn developers into security champions.
Five stages to ignite a security champions program
As with any role and position, the role of security champions must be well-defined and meaningful, and champions must get the appropriate tools to have an impact on the general engineering processes. Only if you empower security champions can they work effectively.
First stage: Define roles and goals
The very first step is to define what your company expects from security champions. As a security leader responsible for a security program, you have to understand the current status of security processes and initiatives. You have to talk to and understand each stakeholder in the company. In general, you need security champions in most job functions (marketing, sales, support, customer success, finance, engineering), but here we focus on engineering and mostly developers. So you need to explore the goals and KPIs of engineering teams and understand how they are applying (or do not apply) security practices.
This discovery can take months, but it should give you a good indication of what the security champions need to fulfill in the developer organization. In early-stage companies, security champions might have to lead threat modeling and make critical technical security decisions. They are also critical in giving feedback and helping to build security guardrails and processes. In more mature organizations, the role of security champions focuses on ensuring that processes are respected and making sure that day-to-day operation incorporates a security mindset (for example, doing a regular security code review on critical code releases).
Based on all this information, you have to define key outcomes and the actionable metrics that lead to these outcomes.
Second stage: Assess security status
As part of building a security program, you need to assess the security gaps in terms of People, Processes, and Technology. This will fundamentally determine the job of security champions in the developer organization. The security champions must have a clear understanding of the business requirements, expectations, and the current processes and technology to make smart decisions.
An obvious role of the security champions is to get involved in the code review process and make sure that security tests are developed for most of the product. Hardly any code is written from scratch today, and many great frameworks exist to ease the job of developers. Security champions can advise their team on leveraging the built-in security features and best practices of language-specific frameworks.
In terms of processes, security champions can help to build security into the DevOps workflow of developers. Champions can review guardrails and assess how effective these processes are in the developer workflow.
Third stage: Identify security champions
Let us now turn to how to find these security champions. In every organization, there are people who are naturally curious, keen to try different approaches, and able to detect issues no one has thought of. Look for people who reported security bugs on their own and who might have taken security courses in the company learning catalog. These are typically 5-10% of the developer workforce. These people make the ideal security champions. They are typically more senior in their job role, as security first requires a solid understanding of coding practices to be able to question the status quo. Also, senior people make better security champions because they often have more experience in leading initiatives and teaching their peers.
Identify these potential security champions by giving them the opportunity to shine. Establish company security processes where reporting security bugs is not a shame but a virtue. Quite often, you can gamify this by establishing simple mechanisms like leaderboards, internal chat channels, and some ranking where the best reporters receive some recognition (for example, a t-shirt praising them as a security champion).
Another way to identify these high-performers in security is to organize friendly hacking competitions called Capture-the-Flag (CTF). In a CTF, developers have a chance to compete with each other individually or in teams by solving interesting hacking and coding puzzles. If the goal is to engage people, then it makes sense to keep the CTF educational rather than highly competitive. There exist hard-core CTFs for hacking pros, like the DEF CON or Google CTF, but that’s a whole different story.
Fourth stage: Engage security champions
Once you identify security champions, you have to start caring about them. This means giving them special opportunities to grow. The goal of becoming a security champion should ideally become part of their job description. Their managers should include this in their personal career goals. You have to identify individually how they can grow their skills and provide the right learning opportunities for them.
A dedicated learning program is a fundamental building block in nurturing security champions. Establish a learning path for security champions that is relevant to the technology and frameworks they are using. A quarterly schedule of relevant security practices is a good start. For security champions, we typically add advanced content such as examples created from recent security breaches and bug bounties. Security champions find these examples highly relevant and often very exciting. In contrast with beginners, they understand the core issues behind real-life security breaches more easily.
It is a good idea to organize a series of workshops, pizza lunches, or other personal forums for these security champions to meet. Several companies organize regular security seminars and working sessions for security champions to share their experience and the best practices they apply in their daily job. The task for you is to set the agenda and give a roadmap for these meetings that matches the company’s business goals.
Fifth stage: Empower security champions
You have to give the security champions enough space to incorporate security work into their daily job. This is the most important step in empowering security champions. These are great people, interested in security. You can assume they are motivated and able to help others, but you need to acknowledge this and give them enough time to focus on security as a side-project within their job role. If you simply add security on top of their daily activities, they won’t be able to carve out enough time to do this additional role properly. This is the most challenging task, because the security champions are typically more experienced developers who would be useful in the regular development process as well.
It is not enough to give security champions space; you also have to be mindful of, and seriously consider, the outcomes they bring to product development. They are in the best position to recommend and implement changes in technology, processes, and guardrails for their teams. Listen to their feedback and incorporate it to elevate security best practices for everyone.
You have to establish a culture where security is not an enemy, and where reporting and collaboratively fixing bugs is considered positive behavior. Thus, you have to praise security champions for the additional work they do. This can be as little as giving them swag and t-shirts, or it can go as far as formal recognition where they receive bonuses for going out of their way to improve product security. In some cases, companies make security awareness a mandatory requirement for developers to advance in the career track towards more mature job roles.
Creating a security champion program is a key enabler to scale a security program across product development. Identifying the conditions, selecting the security champions and empowering them requires systematic planning and execution. Plan their goals, give them space to act, and listen to their feedback to improve security. Stay tuned, as in the third part of our security champions mini-series, we ask a director of security to share professional insights about security champions!