October 14, 2021
Last month, we held a roundtable discussion on how to build and scale a successful security champions program. Security champions are developers who have an interest in security and a home in development. They serve as an interface between development and security teams to collaborate and share knowledge. These programs can be critical to consistently delivering secure applications at the pace the business demands.
In this session, Nitin Bhargava (VP, Global Head of Product Security & Architecture at Dun & Bradstreet) and Christian Bobadilla (Director, Product & Application Security at Shutterstock) joined us to cover lessons learned from each of their programs. Here are some of the highlights and key takeaways.
How to make “shift left” security work
Both Shutterstock and Dun & Bradstreet have adopted a shift left approach, either by bringing developers into the security process earlier or by moving security earlier in the development process. Regardless of approach, their objective is to address two issues: the massive security talent shortage, and strengthening the company’s security by identifying and partnering with individuals who are passionate about it.
Set expectations with development teams: You need to be clear about the ask from development teams, how much responsibility they need to share, and what percentage of bandwidth is required from a security champion. Then, you must communicate roles and responsibilities clearly.
Gather metrics: You most likely started with a soft mandate to try out a champion program, but if you want to scale it to a larger part of the organization, you need metrics. You must be able to answer the leadership team’s question, “What’s the value in this program?”
Build a strong community: Having a small, tight-knit community is the key to sharing learnings with each other and feeling vested and motivated to make the program successful.
At Shutterstock, Bobadilla approached building a program differently by keeping it fun and light, organizing events and activities such as a hacking village, escape room, and scavenger hunt. This approach has a few advantages:
Meet and greet: Developers get to really know their security team. If they need to discuss issues related to security or report vulnerabilities, they know whom to reach out to and are comfortable doing so, having interacted with the team in an informal setting.
Learn through fun: While having fun, people also learn about security in a hands-on manner. The events are designed to pique their curiosity, and many times, people reach out with questions later.
Get everyone into the fold: These events aren’t just for developers. Other teams like legal are invited to participate and learn, essentially building a culture where everyone appreciates the significance of security principles.
This lightweight approach is all about making people feel like it’s a privilege to be part of the program rather than an extra responsibility.
Making a difference
The conversation shifted toward the benefits of partnering with security champions from development teams. Bhargava explained that without a dedicated person, you can feel as if you are interacting with different people at different times. That makes it hard to keep the communication seamless and effective. On the other hand, identifying a champion from each team helped Dun & Bradstreet with onboarding, remediation strategies, and continued engagement.
The program also helped them scale security measures throughout the organization. Bhargava says that when you’re scaling from 10 or 20 applications to thousands of applications in a short period of time, you need your champion network to function as an “extension of the app sec team.”
Bobadilla observed something unusual while trying to bring about a cultural change at Shutterstock. People started to voluntarily report issues and phishing emails, and to include the security team while working on a new idea or feature. This wasn’t happening earlier, and the shift was an indicator of how the culture of security awareness had evolved.
Advice for new security champions programs
Both Dun & Bradstreet and Shutterstock shared useful tips for starting a new security champions program in your organization.
“Start small, and identify at least some partners or some folks within the development community who are actually passionate about and interested in security,” says Bhargava.
He adds, “Define what exactly you want those individuals to accomplish, and how much time it is going to take from their normal development work. From there, you can make it more formalized.”
“We try to get people to know the security team from the first day, with a security orientation,” says Bobadilla.
“Don’t limit security events to just developers. If you leave it open to anyone in the company, I think you will see that people from different teams care about security, and their participation will make the company better,” he adds.
Taking collective accountability for security
In closing, other guests at the roundtable shared their experiences with security champions programs. The common consensus was that a champion program enables a shift in perception where security is embraced, rather than avoided. These programs also help developers start to own their piece of secure development, making dev teams self-sufficient in the long run. In the end, it's about making security a key part of the developer skillset, just like quality and performance.
To find out more about security champions programs, check out our new white paper on How to Build a Security Champions Program.