What is a security champion and do you need one?
The role of security champions in a software development team and how they help create secure applications
First, what is a security champion?
A security champion is someone in your organization who champions security best practices.
They are essential to the success of an application security (AppSec) program. Security champions drive early and continued adoption, and the term is often used interchangeably with the popular term “evangelist”.
Champion, in this context, refers to the alternate definition of the word: “a person who fights for a cause”.
The word fight is essential, because these security champions are trying to accomplish large-scale organizational change, which is one of the hardest things to do in business. Humans are very good at adapting, but we don’t change very well when the change doesn’t come from within.
This is why two out of three transformation initiatives fail.
Why do we need security champions?
A good analogy is an “Agile Champion”. These people are leading similar efforts but in the context of the agile methodology. Since agile transformations take 3-5 years and most organizations can’t wait that long, you need champions within your organization to accelerate adoption.
“While the average CEO lasts 8 years, it’s the CIO who typically sponsors Agile transformation. And the CIO’s tenure is about half that of the CEO, or 4.3 years.”
The same goes for an application security champion. Not only are they trying to transform a business, but their industry, AppSec, is continually trying to catch up with the exponential growth in technology.
And, as software applications become more and more complex, the attack surface for security vulnerabilities also increases.
Over the past year, this hasn’t slowed down. Instead, organizations are “doubling down” on digital transformations. The biggest area of increased spending, according to an OpsRamp report, is security and compliance.
To keep up with this progress, it is essential that the company invests time and effort in the famous trio of people, process and technology:
- People: Application Security Champions and CISO
- Process: DevSecOps
- Technology: Code security software
“AppSec has been the number one priority for customers looking for CISOs over the past 12 months.” -André Tehrani, partner at Recrewmint, Inc.
How do I get started with Security Champions?
Depending on your budget, you can hire a full-time employee or search internally for someone who is passionate and ready to take the role on as a career goal.
Here’s a sample Wells Fargo job description for a “Software Engineer – Application Security Champion”.
- “Wells Fargo Application Security Champions are an integral part of the enterprise application security program to improve the ability to manage and resolve vulnerabilities identified by our applications and systems.”
Since 2015, experts have advocated for a security champion within every software development team. You may not be able to staff a full-time employee on each team, but you can at least nominate people willing to fill the role.
Besides, who wouldn’t want to be a champion?
If you need help getting started, you can check out our learning site where we have many free resources for AppSec training, such as this webinar on the importance of contextual security training.
Or, check out a talk by HackSplaining CEO Malcolm McDonald at the Shifting Left 2.0 conference on “Why Every Member of Your Development Team Should Be a Security Expert (and How to Make It)”.
This post was originally published on the ShiftLeft Blog on Medium.
This is a syndicated Security Bloggers Network post from ShiftLeft Blog – Medium, written by Randy Gibson. Read the original post at: https://blog.shiftleft.io/what-is-a-security-champion-and-do-you-need-one-938754762894?source=rss—-86a4f941c7da—4