How MongoDB built a successful security champions program
We recently spoke with Amy Berman, Security Strategic Operations Lead at MongoDB, about the role of security champions at her organization. For those new to the concept, security champions are developers who have an interest in security and can facilitate collaboration between development and security teams.
Read on to learn more about Berman’s insights on building a successful security champions program at MongoDB, and how they were able to encourage a mindset shift to embrace, rather than avoid, application security.
Recruiting highly engaged security champions
When MongoDB first began building its security champions program, the company had a key goal in mind. Berman asked: “How do we influence developers and educate them early on, rather than when an incident happens?” The security strategic operations team at MongoDB knew the first challenge for building this program would be recruiting security champions and fostering strong engagement with the program. Here are some things Berman says worked well.
Berman’s team recognized that executive buy-in would be critical when it came to recruiting security champions across various departments. “The communication part was huge,” Berman said, “so we explained the commitments involved like formal meetings and other requirements throughout the quarter and had executives talk about the program during company all-hands meetings.” Since developers need to get sign-off from their manager to get involved, it’s crucial to understand the level of commitment to becoming a security champion.
Along with transparency around the expectations of a security champion, Berman’s team focused on the exclusivity element of participating in the program. “We always make sure to work with the security champions and give them news first,” Berman explained. Not only do security champions get to feel like they’re part of an exclusive group, but they’re also critical for getting early feedback on new security initiatives and invaluable when explaining these new efforts to non-technical teams. Berman added, “You’re getting insight and helping provide feedback to the security team before they launch things across the company.”
While many security champions programs are successful by solely offering free giveaways, Berman’s team decided to focus on choice as a key incentive, as well. Those getting involved in the security champions program could choose which security-related events they want to attend each quarter. “When people pick and choose what topics they want to attend, they’re much more interested and invested in it,” Berman explained, “so I think there’s a power in choice.” MongoDB does have a points system to earn rewards for finding vulnerabilities or sharing useful security insights, but this is secondary to the idea of giving security champions the freedom to get involved in the things that interest them the most.
Creating a positive security culture
According to Berman, there are two types of security cultures: positive and negative. “We’re trying to create a positive security culture,” Berman explained. “So we want to be a security team that is truly a partner.” That’s why a key aspect of MongoDB’s security champions program is to let developers, product managers, and other individuals influence the security roadmap going forward. This creates shared ownership and responsibility amongst developers to improve the security posture of their applications.
Berman says a huge benefit of spreading security awareness and responsibility is scaling the security team across a large and growing organization. “We don’t have enough resources to handle everything,” Berman explained, “but feedback from security champions helps us prioritize our efforts.” Berman also believes the security team can’t rely on technology alone, so mitigating the human risk element through a positive security culture is crucial for scaling cybersecurity in the long run.
MongoDB’s security champions program today
Over the past year, MongoDB’s security champions program has grown to 90 members across 45 different departments over 25 locations. In order to ensure the program is sustainable and continues to drive security awareness, MongoDB has a specific role for managing and building out the program going forward.
More specifically, MongoDB’s program focuses on cybersecurity education and advocacy for non-security teams. The company-wide scale and depth of this security champions program means security is now a key consideration in all areas of the organization.
To find out more about these programs, read our latest white paper on How to Build a Security Champions Program. And if you’d like to hear about another security champion success story, check out our recent roundtable with Dun & Bradstreet and Shutterstock.