Achieving “security in sunshine” through a security champions program

In today’s world, every business can be thought of as a software business, comprising hundreds of thousands of applications. However, every application holds an average of 26.8 serious vulnerabilities, a number indicative of today’s security landscape, in which web application attacks remain the leading cause of large breaches by a very wide margin. Hackers constantly exploit weak application portfolios to get their hands on sensitive information, so it is essential for every business to make security a top priority and instill a culture of learning and awareness to defend itself against them.

However, securing an organization’s most sensitive information is not a simple task when most developers and security teams are out of sync and not in close contact with one another. This lack of collaboration in addressing security challenges leads to more vulnerable software and a greater likelihood of applications getting hacked. On top of that, 62% of security professionals report understaffed teams due to a widespread skills shortage. As threats grow in volume as well as in sophistication, these issues pose increasing security challenges for the modern-day organization.

Companies struggling with the overwhelming amount of work involved with embedding security into a company’s DNA often turn to a security champions program, which once created can help promote a culture of security across development and non-security teams. A security champion can be anyone within an organization who has a passion to inspire others, increase effectiveness and efficiency of an organization’s application security, and defend information against attacks. These individuals will be the first line of defense for security issues in teams, and also help develop security awareness training, best practices, and frameworks to ensure a more secure future for their organization.

Finding the needle within the haystack

While the responsibilities and tasks of a security champion aren’t too complex, the process of finding the right individuals is often challenging and can require some legwork. The first step is to go back to basics and recruit candidates from within. While these individuals do need some basic security knowledge, it’s more important that they possess the right characteristics and personality traits. Security champions must be strong communicators, proactive problem-solvers, and big-picture thinkers who can identify the gaps within their organization and take measures to close them on a wider scale. These candidates are community builders and knowledge sharers, and they will soon become the connecting link between every business unit within their organization.

The best security champions are motivated to keep up with the rapidly changing world of security. Typically, this means following security researchers, participating in conferences, and joining online communities. Champions foster a culture of experimentation and learning by interpreting and applying new discoveries as they apply in their company. They should constantly challenge their enterprise security story and seek to identify new risks that are incompatible with their company’s priorities. The best champions give back to the community by sharing what they’ve learned and how they’ve handled new developments.

Building a successful program

Once you’ve identified security champion candidates who possess these traits, you’ll next need to set realistic expectations for their work. While security champion programs are an important part of any balanced breakfast, it’s important to remain realistic about your expectations. Remember, security champions aren’t full-time security professionals and almost certainly have other responsibilities, so you can’t expect them to do the heavy lifting.

Instead, your security champions can help manage the lists of things that have to get done, they can help with culture and communications, and they can spread an open mindset across the entire company. You’ll also need to provide some training on how to do security work; a “ninja belt” system of graded skill levels is often used to provide this structure. Next, set up some simple metrics that can get all your security champions aligned. For instance, maybe your goal is to get your application inventory under control, or maybe it’s to eliminate all critical vulnerabilities in 2020. Whatever your goal is, make sure you clearly define it and communicate it properly to each champion.

Leading your company into “security in sunshine”

With the right mix of ingredients, security champions can lead their companies into “security in sunshine,” a state of openness and collaboration among not just security professionals, but also the developers and testers who carry the primary responsibility for secure code. When executives, development, security, and operations all share an accurate picture of security in their organization, informed decisions about risk can be made.

Unfortunately, many organizations today have a culture of blame that is shrouded in secrecy and hides the details of both vulnerabilities and attacks. This makes security very difficult and yields a culture of fear. Security champions can tackle this challenge and work to fix this limited mindset by instilling a “blameless culture” that encourages open-mindedness, accountability, knowledge sharing, and collaboration between security and development teams. Security champions make “security in sunshine” their goal and encourage everyone to participate without retribution.

Achieving an effective “security culture” is elusive. Sometimes “cracking down” on security backfires and simply drives vulnerabilities underground. Of course, a lackadaisical approach to security is similarly likely to create massive exposure. The trick is to get the balance right, where employees are aware of the importance of security, empowered to find and fix problems, recognized for their efforts, and not pilloried for mistakes. Try to identify security friction in your organization, such as security teams blaming development teams for issues while development complains that security is slowing down release cycles. Security champions aren’t a magic solution, but by spanning all your teams, they’re a good step towards achieving the harmony necessary to make real security progress.

Jeff Williams, CTO & Co-Founder at Contrast Security
