Security Champions: Interview with Alexander Antukh, CISO of Glovo
Security champions are an essential part of any security program. They lead their teams on security projects, ensure internal security and help keep security top of mind. But how exactly do they operate in a business? We asked Alexander Antukh, Director of Security at Glovo, for professional insights.
Please tell us a bit about yourself
My name is Alex, I’m the Director of Security at Glovo. I enjoy building security programs from scratch and adapting them to various business environments to ensure maximum value. In my free time, I’m passionate about tea – I’m hoping to be able to open my own tea house one day and spend time there surrendering to the beauty of the world around.
In your GitHub Security Champions Playbook, you talk about the main advantages of having a team of Security Champions: scaling security through multiple teams, engaging “non-security” folks, and establishing the security culture. Can you tell us a bit more about each of these advantages?
If we look at the statistics, in most of the companies across different industries, the number of “central” Security team members rarely exceeds 5% of the overall Tech staff. It means that in order to achieve scalable, sustainable security, the team must be able to not only automate well but also have good processes in place to coordinate multiple teams and ensure the baseline across the company both for existing and new code. And this is precisely when the Champions come into play. Starting with a few enthusiasts and one contact point per team, other team members start to see the security perspective more often, and as a result, it becomes a natural part of their thought process.
Can you tell us what the main long-term benefits were that you saw in your organization after the security champions program was fully implemented?
In my opinion, this is related to the previous question – scalable security across the organization, faster response to security issues, better application of the best practices and the baseline, and a change towards an “I own security risks” mindset are some of those.
How long did it take for you to roll out the full security champions program and who was actively involved in the process?
The initial stage of mapping the teams and technologies, conducting interviews with team leads and nominating champions takes approximately three months. A fully working security champions program, considering passing the training path and providing the necessary tooling from scratch, takes approximately a year to complete. Rolling it out included pretty much all stakeholders of the program, such as Security Team, senior management, PMs/EMs, developers, and engineers.
What was the biggest obstacle that you encountered setting up the security champions program and how did you overcome it?
I would say it’s part of the bigger issue of executive support. If the leadership and team management do not see the value in the program, it will be hard to prioritize security activities even for those who really would like to contribute. There are different ways to get the support, but it’s mostly about educating the management about the issues and showing the benefits from this approach.
What advice do you have for companies that would like to start their security champions program but do not know where to start?
Understand where you are now and what problem you are trying to solve. Once you’re certain this is what you need right now given the risks your company faces, I’d suggest following the Security Champions Playbook and working on the management buy-in and preparation of the materials. Assigning champions is easy. Making sure it works is not so – have a clear vision of what their involvement would be, and whether this is aligned with team expectations.
How would you motivate developers to become security champions? What do you think is the secret to raising interest?
The new edition of the Security Champions Playbook features two levels of engagement: “classic” Security Champions and Security Rockstars. The first level is a must-have for all teams, and in the beginning, it’s often a nominal role to be the point of contact in case of a security escalation. They are expected to follow a limited set of security-provided checklists and be the first to fix the reported vulnerabilities after internal prioritization. Security Rockstars, on the other hand, are volunteers who aspire to become Security Engineers and who are not satisfied with the status quo.
From my experience, in any company, there are people who sincerely want to write better, more secure code. Those already motivated will be the core of the first generation of the Rockstars, but it is very important to build the foundation for them to develop their skills by providing training, CTFs, presentations, participation in various security-related committees, and close collaboration with the Security Team.
Next, it’s a bit of security marketing – show your peers that security is not about complex and boring checks, but about the hacker culture, real breaches, and, well, what motivates you as a security professional. Discuss proofs of concept with them, review top hacking techniques from the past year, and listen to them to adjust your offer to their demands. Soon you will see how it starts to become a snowball effect, when those discussions happen even without direct Security involvement.
Finally, give it some time – Rome wasn’t built in a day. Celebrate small victories, appreciate whatever input you receive, and be there when your co-workers need help. By showing the “human face” of Security, you will be able to engage more and more people, and in the end, change the culture from the inside.
What kind of positions/roles/profiles are the security champions in your company?
While there are no strict requirements on who can become a security champion, usually it’s a senior member of the team, who has a good understanding of the context. The roles vary and the non-exclusive list entails developers, testers, architects, and administrators.
How does having a security champions program affect your company culture?
We are always trying to make sure the Champions program (and in fact, all security activities) are well-aligned with the company culture. In the case of Glovo, it means exercising the value of Glownership – feeling accountable for the quality and timeliness of an outcome, including the associated risks.
By providing hands-on training and together solving new security problems, we reinforce the company culture and make sure the teams are well-equipped to make informed security decisions.
What is your opinion on the future of security champions and security champions programs?
I’m pleased to see that Security Champion programs have already started to become a de facto standard in the industry. In my opinion, the basic concept – having security-minded folks in the teams – will stay and evolve given the new challenges, such as remote working, the increasing complexity of the technological stack, and the fast pace of releasing new products.
Once you establish a strong security culture, benefits will follow. However, to build a program that works, you need champions to lead. Security champions ensure better, more secure coding, and also help you fix vulnerabilities and prevent breaches. You need to find the developers with the motivation to become security champions, and make sure to provide the right tools to develop their skills.
At Glovo, a security team is being established to improve organizational security awareness. If you are looking for open positions, check the openings!