How to build a security champions program – TechTarget

Application security is more important than ever, as apps remain one of the most common attack vectors for external breaches. Forrester's latest "State of Application Security" report stated organizations are starting to recognize the importance of application security, and many have started embedding security practices more tightly into their development stages, a big step in the right direction.
It’s important to understand, however, that building a world-class application security program can’t happen overnight. A great deal of foundational work must be done before an organization can achieve results, including sharpening security processes around the software development lifecycle (SDLC) to identify, track and remediate vulnerabilities more efficiently. These efforts will eventually bring organizations to a high level of maturity.
Adoption of security in the SDLC is lacking in many organizations. The answer to this problem lies within an organization's own employee population: companies should establish a security champions program, in which selected employees are designated as security advocates and drivers of change.
To create a strong cybersecurity culture, security champions should be embedded throughout an entire organization. These individuals should have an above-average level of security interest or skill, with the goal of ultimately evangelizing and accelerating the adoption of a security-first culture — not only through software and application development, but throughout the organization.
Developing a security champions program doesn’t need to be complicated. This four-step process helps organizations establish their program with ease.
Let managers decide who would make the best security champions. These decisions can be based on interest level in security, job performance or even seniority.
People tend to learn better through hands-on practice. Training sessions that use gamification, both online and in person, are an effective way to accomplish educational goals while creating fun and engaging environments for employees. Tracking individual performance through gamified training also enables organizations to identify employees with an above-average skill set in software security. These individuals are great candidates for the security champions team.
Organizations can bolster security culture by hosting events with external content and speakers. Many events feature external presenters and include hands-on sessions that help engineers adopt better secure coding practices and apply them when building, deploying and operating software. Employees benefit from hearing outside perspectives, especially those related to fast-moving technology areas, and organizations benefit from putting their security credentials on display. Leadership must invite all employees to the events, as gatherings limited to small, select groups prevent the organization from creating a companywide cybersecurity culture.
Leadership must prioritize transparency when planning security training events. This includes sharing the organization’s security history, even if it is full of blemishes. Transparency helps foster a strong and lasting change in behavior, as participants discover how they contribute to the problem. From there, employees better understand how the material is relevant to their work and how to apply what they’ve learned to their roles.
Organizations can use threat modeling to advance their cybersecurity posture. Threat modeling helps identify likely threat actors and the ways they could attack a system, and it enables organizations to implement appropriate security controls before an attack occurs. Following a standardized threat modeling approach ensures the output is actionable and provides value to other parts of an organization's security strategy. The process also gives security champions a platform to communicate design-level flaws and empowers employees to proactively address security issues.
In today’s security environment, new threats are always lurking. Organizations must develop a culture where all employees work to protect their company’s network. Education is an important step in creating this culture. Security champions help spread awareness and stress the importance of strong cyber hygiene. This, in combination with companywide events and training programs, helps ensure sensitive data is protected against evolving threats and hacking techniques.
About the author
Nabil Hannan is managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Hannan has more than 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pen testing, secure code review and vulnerability remediation, among others.
All Rights Reserved, Copyright 2000 – 2022, TechTarget