How to Create a Safety Champions Program

Application security is more important than ever, as applications remain one of the most common attack vectors for external breaches. Forrester’s latest “State of Application Security” report indicates that organizations are beginning to recognize the importance of application security, and many have begun to embed security practices more tightly into their development stages – a big step in the good direction.

It’s important to understand, however, that creating a world-class application security program can’t happen overnight. Much of the groundwork must be done before an organization can achieve results, including refining security processes around the Software Development Life Cycle (SDLC) to identify, track, and remediate vulnerabilities more effectively . These efforts will eventually bring organizations to a high level of maturity.

Security adoption in the SDLC is often lacking in many organizations. The answer to this problem lies in an organization’s employee population. Companies should establish a safety champions program, where certain employees are elected as safety advocates and drivers of change.

To create a strong cybersecurity culture, security champions must be embedded throughout the organization. These individuals should have an above average level of security interest or proficiency, with the ultimate goal of evangelizing and accelerating the adoption of a security-focused culture, not only through the development of software and applications, but throughout the organization.

Developing a Safety Champions program doesn’t have to be complicated. This four-step process helps organizations easily set up their program.

1. Empower managers to nominate champions

Let managers decide who would make the best security champions. These decisions can be based on level of interest in safety performance or even seniority.

2. Fun training harness

People tend to learn best through hands-on practice. Training using gamification – online and in person – is an effective way to achieve educational goals, while creating fun and engaging environments for employees. Tracking individual performance through gamified training also allows organizations to identify employees with above-average skills in software security. These people are great candidates for the Security Champion Team.

3. Set up recurring trainings and social events for champions

Organizations can build safety culture by hosting events with external content and speakers. Many events feature external presenters and offer hands-on sessions that help engineers build, deploy, and leverage better coding practices. Employees benefit from hearing outside perspectives, especially those related to rapidly changing technology areas, and organizations benefit from having their security credentials displayed. Management should invite all employees to events because gatherings with small, select groups prevent the organization from creating a company-wide culture of cybersecurity.

Management should prioritize transparency when planning safety training events. This includes sharing the organization’s security history, even if it is full of flaws. Transparency helps foster strong and lasting behavior change as participants discover how they are contributing to the problem. From there, employees better understand how the material is relevant to their jobs and how to apply what they’ve learned to their roles.

4. Improve skills through threat modeling

Organizations can use threat modeling to advance their cybersecurity posture. This tool helps identify threat actors and enables organizations to implement appropriate security controls to prevent an attack. This standardized approach ensures that the result is actionable and adds value to other parts of an organization’s security strategy. The process also gives security champions a platform to communicate design-level flaws and empowers employees to proactively address security issues.

In today’s security environment, new threats are always present. Organizations must develop a culture where all employees work to protect their company’s network. Education is an important step in creating this culture. Security champions help raise awareness and emphasize the importance of strong cyber hygiene. This, in combination with company-wide events and training programs, helps ensure that sensitive data is protected against evolving threats and hacking techniques.

About the Author
Nabil Hannan is CEO of NetSPI. He leads the firm’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Hannan has over 13 years of cybersecurity consulting experience from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, intrusion, secure code review and vulnerability patching, among others.

Ryan H. Bowman