Five tips for building an effective security champions program

While developers and security professionals aim to deliver secure applications quickly, development teams often lack certain coding knowledge. This secure development skills gap stems from the fact that only one of the top 24 undergraduate computer science programs in the U.S. requires its students to take a security course.

As a result, organizations often introduce security gates into the SDLC rather than build security expertise within their development teams. These security gates are the cause of developer frustration as code reviews reduce development velocity.

Instead of disrupting development with gates, organizations can implement a security champions program to build security guardrails into development. Security champions are developers with an interest in security and a home in development, and the program helps them grow their interest into expertise. This cross-functional expertise allows them to act as an interface between development and security — two teams that have traditionally been siloed.

Here are five considerations for implementing an effective security champions program.

1. Keep the program developer-focused

Security champions programs require a developer-focused approach in order to get a high level of participation. Understanding the developer’s goals, pain points and needs is foundational to the program, as adoption will only occur if the program is focused on making security easy for developers.

2. Get leadership buy-in

The most effective rollouts of a security champions program obtain security and engineering executive buy-in from the beginning — or after a small pilot. With executive sponsorship, the program leaders can communicate the objectives and expectations down to security and development teams, scrum masters and more.

With leadership buy-in, developers are more likely to put time and effort into the program themselves, as they won’t be concerned that they will be penalized for taking on activities unrelated to their role. This encourages developer participation and contributes to the success of any security champions program.

3. Clearly define expectations

Security champions programs must set clear expectations for roles, responsibilities and activities. These expectations should be closely aligned with the needs and pain points of developers. Start with one or two activities that security champions should focus on and add to them as the program grows.

There also needs to be open communication between security champions, the champion and their development team, and the champion and their security coach. Setting clear expectations for what security roles mean and what people can expect from each other ensures that security knowledge and experience are shared throughout the organization.

4. Set measurable goals

In order to clearly define the expectations for a program, set clear KPIs from the start. These could include metrics that track the efficiency that security champions bring to the security team and the DevSecOps pipeline. The goals also serve as the basis for determining the ROI of the program.

For example, a security champions program can have different designations or achievements based on certifications completed, hours of security work, significant security wins and more. This encourages developers to not only become security champions but also to further their own security knowledge and experience.

5. Recognize Developer Achievements

The best security champions are those that join the program voluntarily. But organizations can increase adoption by rewarding developers for participation. Some rewards and perks could include security champion gear, tickets to security conferences like DefCon and Black Hat, or additional education opportunities.

In addition, recognizing developer achievements is another excellent way to empower them to work towards security-related goals in the future. Internal recognition by a security executive or mention of a security win during meetings can go a long way towards the adoption and success of any security champions program.

By building a security champions program, organizations can accelerate secure development organically with buy-in from both teams.

Simon Maple is the Field CTO at Snyk, a Java Champion since 2014, JavaOne Rockstar speaker in 2014 and 2017, Duke’s Choice award winner, Virtual JUG founder and organizer, and London Java Community co-leader. He is an experienced speaker, having presented at JavaOne, DevoxxBE, UK, & FR, DevSecCon, SnykCon, JavaZone, Jfokus, JavaLand, JMaghreb and many more including many JUG tours.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.