Virtualization Technology News and Information
How to Uplevel Security with a Security Champions Program


By Simon Maple, Field CTO at Snyk

With more applications being built than ever before, security is a growing concern for developers.

Developers are changing the traditional way they work. Instead of thinking about security as an afterthought, developers are now trying to build with security in mind. However, like all things, letting go of traditional habits and adopting new ones is hard.

As a leader, implementing a Security Champions program is a definite way to uplevel security practices internally and keep security front of mind for everyone involved.

The purpose of a security champions program is to eliminate pain points for developers and increase the development of secure applications.

But how can you implement one effectively?

Take your time while building the program

Like all big projects, taking the time to plan properly makes the project more likely to succeed. One of the most time-consuming parts of a program like this is determining who the champions will be.

It may sound counterintuitive, but security champions do not need to be security experts. Instead, they just need an interest in security. Their primary role is to act as a conduit between the development and security teams, keeping both sides focused on fixing security issues in a timely manner so applications can be developed securely.

When selecting your champions, start by asking your developers what their interests are and if they would be open to taking on the role. Be transparent about the role, time commitments and exactly what you're asking them to do.

Be open to change and support new decisions 

Once you have your champions in place, set up weekly meetings so you can have an open dialogue about what's happening on the ground. Remember in order to succeed they need guidance.

These conversations will give you a better understanding of the security landscape at your organization. Use this insight to continue to strategize and shape the program.

Brace yourself for instances where a developer who was enthusiastic about taking on the role no longer wants to continue, or feels overwhelmed by the new responsibility. Although not ideal, it is okay to allow your champions to step down and encourage another developer to take on the responsibility.

Scaling the program is another challenge. The number of champions you enlist in the program is up to you. Often it makes the most sense to start with a small handful to test the waters and expand over time as the program starts to take shape.

Present achievable goals and acknowledge successes

Don't set the bar too high by giving champions goals that are difficult to achieve, especially at the start. Consider starting with one or two activities that security champions should focus on and add to them as the program grows.

Over time, present measurable and realistic goals, including metrics that track the efficiency that security champions bring to the security team and the DevSecOps pipeline. For example, set a goal to increase the number of vulnerabilities fixed.

The most important tip leaders should follow is acknowledging successes and wins. So make sure to congratulate champions on even the smallest of things so they feel like they really are making a difference.

When teams are succeeding and developers are delivering secure applications quickly, reward champions for their hard work. This will motivate them to continue succeeding in their role and ultimately benefit the company as a whole.

You may not see the results of a security champions program immediately; it could take weeks or even months. However, the ultimate aim of the program is to shift the security mindset of development teams. This could mean something as simple as teams having more conversations about security, or, at the other end of the spectrum, it could result in more vulnerabilities patched than ever before. Either way, the program will set you off in the right direction.



Simon Maple 

Simon is Field CTO at Snyk, having previously worked as both Director of Developer Relations and VP, Developer Relations and Community at the company. In a role that demands flexibility, Simon thrives on the challenges of working with developers, management, customers, sales, marketing and engineering teams, often at the same time. He is an experienced speaker, with a passion around user groups and community.

Published Thursday, November 11, 2021 7:38 AM by David Marshall