The BTN recently partnered with Snyk, a developer security platform for securing code, dependencies, containers and infrastructure as code, for an exclusive virtual roundtable event. The session looked at ‘Security Champions: Providing Scale & Speed for your Developers’ and was an opportunity to share insights on the topic of security within organisations.
Together with Simon Maple, Field CTO at Snyk, the discussion looked at strategies for rolling out and running an effective security champions programme. The group walked through the challenges and best practices of creating a programme that enables close collaboration between development and security teams. The open and interactive conversation produced the following takeaways:
Organisations should consider a security champions programme
A security champions programme is a formal, collaborative programme designed to improve security within a company by awarding developers the title of “Security Champion”. These champions spend their time doing security work within their development teams to promote communication, knowledge sharing and collaboration. Embedding a security champion in a development team makes the role of security visible across the organisation and improves the overall quality of the products it produces.
Each organisation has different functions, each operating in its own way. In some cases, for example, teams are encouraged to build their own skills, and they can start their own programme to learn new security skills. This gives developers security skills of their own and builds the essence of an engineering programme into the process. Some companies, however, found that although they wanted to deliver software, they were too busy, and chose to build the skills of their regular developers instead. As a leadership team, we must decide how security should be perceived and whether we want to upskill individuals and teams or bring in external support.
Education is Essential
For some organisations it comes down to self-study: motivated developers work through the educational material at their own pace. They aim to continuously improve how they work as a team so that they follow best practices and achieve tight integration with operations. Others mentioned that their pipeline is driven by engineers and that, when operating outside the European Union, they have consumer regulations to take care of.
Another way education can reach development teams is through risk reduction. Building data privacy in is hugely important. Some leaders like this idea of freedom and authority. So how do they do it? They stand side by side with the development teams as they build the system, thinking about how to design it from scratch and test it. Being consistent, however, can be a huge challenge for some organisations. So how exactly can two teams co-exist and work together in harmony? Diversity among people is great, but it can be challenging to manage if it gets too large. The maturity of the team matters, though a large portion of a team may not have reached it. Sometimes people need more direction to understand the next steps. New starters can also help, as they bring their own input and fresh ideas.
So how do business leaders see security? The most important thing is to document the requirements so that they can be recreated, creating decentralised autonomy. Without quality assurance (QA) there is no data security, so the problem becomes making sure everyone has the skills and the interest to do it. Yes, you need to be compliant, but you also need the suitable tools, processes and skills. Will developers always be too busy? How do you write better code so that it can be reused, and once you have good-quality code, how do you reuse it? How do you reduce defects programmatically? Organisations therefore need to be pushed to be more agile.
Understanding the distinction between cyber security and cyber security initiatives is key
Some leaders are getting through by having security developers. To ensure the source and supply chain are clean, they bring in the lead developer or Chief Technology Officer (CTO). Organisations want to bring in visualisation in the hope that it will prompt the right discussion. If something is going to be critical, it needs to be of good quality.
Some organisations have programmes so large that they start bringing in proper engineering to improve them. Sometimes the skills and tools are lacking, and people start to realise how much technical debt they have, which by that point is usually considerable.
You need to be clear about the distinction between cyber security and cyber security initiatives. Often the Chief Information Officer (CIO) is represented to bring the business and technology together when forming that alliance; this is then partnered with other teams, and the resulting set of propositions is brought to the leadership teams. It is driven in cross-functional ways with shared responsibility. Developers need to ensure they are using reasonable packages, free of known risk or malicious code, and practising security by design rather than leaving so many features enabled. Organisations should talk more about identifying that shift early.
Therefore, being clear about the distinction between cyber security and cyber security initiatives is essential for security champions.
About Snyk
Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world. Our developer-first approach ensures organizations can secure all of the critical components of their applications from code to cloud, leading to increased developer productivity, revenue growth, customer satisfaction, cost savings and an overall improved security posture. Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and is purpose-built for security teams to collaborate with their development teams. Snyk is used by 1,200 customers worldwide today, including industry leaders such as Asurion, Google, Intuit, MongoDB, New Relic, Revolut and Salesforce.
Snyk is recognized on the Forbes Cloud 100 2021, the 2021 CNBC Disruptor 50 and was named a Visionary in the 2021 Gartner Magic Quadrant for AST.
For more information, visit https://snyk.io.