Author: Anne Hardy.
Organizations that want to secure applications are challenged by understaffed security teams and a lack of security awareness on the part of developers, reports Forrester. When developers do understand the importance of security and how to incorporate it into their work, they are security champions — often acting as security points of contact in their teams.
Forrester’s definition of a security champion is someone who is “a member of the development team, focused on translating application security into a language that the rest of the developers can understand.” It seems that these people would exist naturally, but given that developers are often not taught how to code securely, it’s up to company leaders to shape these developers into people who represent the best of both the development and security worlds. Further, the line between developer and security roles is blurring, and we need a better bridge between the two.
Existing programs that support these champions are expensive and time-consuming to plan, but they don’t have to be. In order to create an effective developer security champions program, organizations must understand the importance of security programs and instill a security culture — in turn creating more secure applications.
The Importance of Security Programs
Application security flaws have been among the top causes of external breaches for a long time. If security is on the back burner for any company, there can be severe consequences. For example, online liquor delivery service Drizly experienced a data breach that affected as many as 2.5 million customers, many of whom had likely started using the service while sheltering in place. The data taken in this breach included email addresses, birth dates, passwords, and even delivery addresses.
A recent Synopsys study found that nearly half (48 percent) of organizations consciously launch vulnerable applications when they’re under a time crunch. It’s clear that developers are one of the main culprits for security issues, and they know it. But it’s not necessarily developers’ faults — it’s often their companies’. When company leaders work to ensure their developers understand the importance of security, developers will pivot from culprits to champions.
Security champions make fixing security issues across development teams a priority. The program creates a single point of contact for security issues in a given team, which makes it easier to query a security issue or follow up on a given task. It also makes a single person (or people if there are multiple champions) “responsible” for security on the team, which helps to create a sense of ownership of security issues and makes it less likely that fixing security issues will be delayed or deprioritized. Project owners need to buy into the concept and allow security champions to prioritize fixing issues over getting a new project out quickly.
How to Build an Effective Security Champion Program
There has often been a disconnect between developers and security teams. While security teams are focused solely on security, developers are focused on building products. However, to avoid breaches like the one Drizly recently experienced, it’s imperative that company executives work on bridging the gap between the two and instilling a security culture.
Finding the right metrics and weighing the value of each security practice, whether technical, procedural, or organizational, helps the organization absorb a culture of security. This should be the first step, so that everyone feels that security belongs to them. From there, security awareness is key. Over-communicating is important, as employees will move around, new people will start working at your company, and people will simply forget. Security needs to stay at the top of everyone's mind so they make it a priority.
Security champions should bridge the gap between development and security teams to ensure objectives align. For security teams, protecting against and blocking threats is straightforward because their job is to ensure nothing bad happens and, if it does, that recovery is quick. But this doesn't always align with developers, who want to develop products fast and aren't being asked to build in security or fix security issues along the way.
Security champions must present the program to the development team and work with project managers to keep security at the top of their minds throughout the product development process. There should be a clear and consistent way that the teams will communicate and collaborate.
It’s critical to make sure that security champions are not overwhelmed with security issues on top of their other responsibilities. Being a security champion should be baked into the developer job, not an added thing to manage on top of regular responsibilities. It’s difficult for the program to really take off if it feels like a burden to the champions who are carrying it.
Incorporating incentives for security champions can help. Companies should consider tying bonuses to the metrics they are able to hit within this role. They should also encourage their security champions to upskill and seek security certifications if they are interested. Giving security champions the opportunity to attend security-related conferences could also be a good benefit of being a security champion.
Company executives must instill the importance of security and security culture within their organizations. Once they’ve done this, they will have the tools to build an effective security champion program and confidently present it to their teams. Security champions will ensure applications are more secure, and developers are happy — avoiding flaws that lead to costly security issues.