Why do you need a security champions program?
Márk Félegyházi (Avatao CEO)
There comes a time in the life of any business when operations grow and security starts to become a critical business enabler. At this point, a committed leadership starts to hire for dedicated security roles and establishes a small but agile security team within the organization.
As the company grows, the leadership wants to establish a security program to ensure the solid and uninterrupted operation of the business. Security at this point is essential, especially when calculating the loss from a halted business, even for a few hours.
Yet, establishing security awareness across the whole organization is a daunting task and it has to encompass all three major areas: People, Processes, and Technology. Security teams are usually comfortable with technology, but spreading security awareness across different teams requires security champions in the respective teams. That’s the only way to scale security across the organization.
Who are the security champions?
So, who are these mysterious security champions? In each team, some people are more sensitive to errors and bugs: those who think a bit outside the box and discover scenarios others have not thought about. They are hackers, but not necessarily in a technical sense. In engineering, these are the people who not only care about shipping the code fast but also that the code is robust to unexpected or malicious inputs, who pay attention to proper access control, or who raise an eyebrow when sensitive customer data is handled improperly. Security champions are the extended eyes and ears of security teams. They work and live in their teams but also consider potential security threats when building and testing their product. Security champions are the security consciousness of their team.
Becoming a security champion is not easy. On the one hand, you have to be part of the product team; on the other, you have to maintain the hacker mindset and relate to the daily job of security engineers. A security champion is a liaison between developers and the security teams. You need to be familiar with the technology you are using on a much deeper level to identify the root cause of the bugs the team creates. You also need to be aware of its technological surroundings to anticipate any security issues that may arise when deploying the code into an existing company tech stack. In practice, security champions look beyond the fundamental issues of the OWASP Top 10 and understand advanced topics like API security, cloud security, cryptography, DevSecOps, or data privacy.
Benefits of becoming a security champion
Security champions are guardians. As such, I strongly believe that being a security champion is cool. As a security champion, you can become a trusted consultant within the team who can answer the questions and concerns of other team members. You can be the devil’s advocate while maintaining a positive mindset and being consultative towards the developer team. As a security champion, you are the keeper of software quality, making sure that the shipped code is bug-free. Besides the day-to-day bug-hunting, a good security champion is an advocate of security awareness in the whole team, trying to teach the ropes to others as well.
From the career perspective, this is a very meaningful and fulfilling career path. First, security can be frustrating but also very rewarding. In any case, it is not boring, as the constant bug-hunting provides ever new challenges to the curious mind. Security forces you to learn a wide range of technologies and frameworks, which gives you a broad perspective on the state of the art in your field. Finally, software and application security is a career with practically zero unemployment. As more and more industries are moving towards software-led business operations, application security is becoming one of the cornerstones of a successful business. Application security teams are always understaffed, and there is a tremendous demand on the market for new engineers. This is an exceptional opportunity for diverse and self-taught engineers from underserved communities.
The need is real
Every business has security expectations. As the company grows, the expectations get higher, and so do the threats. Businesses need committed leadership and individuals willing to dive deeper into the depths of security. This way, expectations can become reality. Individuals who become security champions can enhance their security skills and engage in a profitable career path. Beyond personal growth, they also provide a long-term benefit for the company, as they essentially improve the security culture.
Building a successful security champion program
Building a security champions program is not an easy task. It has to align with the general security program of the company. The key understanding is that security needs to support the business processes. The goal of security champions is to be an enabler, not a blocker. One has to build a security champions program with this mindset and empower the security champions to help developer teams select the most secure path to ship products fast. I will detail the challenges and best practices of building a security champions program in the next post.