SBA Academy Blogpost – Introducing: The Security Champion
From Bad-Cop Culture to Sustainable Security Integration
Since our entire working life runs on software, security is essential for almost every business operation; what is more, customer trust largely depends on whether security incidents happen and if so, how they are handled. To strongly root security in your company culture, SBA Research highly recommends training motivated in-house software developers as Security Champions.
Nowadays all of us are working in software companies. Even if your organization is not producing and distributing software, most of its daily work is running on information technology. Companies of a certain size (medium enterprises and bigger) usually have software teams to develop and/or maintain their infrastructure in-house. This means that software security is a major concern, with immense implications for data and privacy protection, frictionless operation and, most importantly, customer trust. Data breaches and other security incidents not only hurt a company’s business and reputation but, considering the EU’s GDPR, may also carry severe penalties. It does not suffice to treat software security as an on-top afterthought, or to hire third-party providers to audit and test an already implemented tool or program. The people taking care of your company’s security needs should not be external “bad cops”, but team members who not only have the technical software development expertise, but also the mindset and keen interest to make security a first-class citizen in your software ecosystem. This is where the Security Champion comes in.
The concept of Security Champions is relatively new; still, SBA Research’s experts have already poured their know-how into a basic program which is then tailored to the individual customer’s needs. For the time being, an aspiring Security Champion is typically a member of the software development team who wants to take over security responsibilities. While staying firmly rooted in the team’s core task of developing software, approx. 50% of working time is allocated to first train for and then fulfill the role of a Security Champion. As such, one becomes the team’s key person to advise, challenge and coach peers and superiors with regard to security aspects. The Security Champion keeps up to date with current developments in software security and evaluates new tools and approaches; if feasible, they introduce them into the company’s development process. A certain pragmatism is required here: while security must be guaranteed, it should not inhibit the functionality of any given product or a company’s overall daily operation. This pragmatism also pertains to regulations and policies – here, the Security Champion serves as an ambassador who knows how to integrate technical and operational requirements to achieve a balanced IT Security Governance.
We at SBA Research believe that a Security Champion program is the best way to sustainably incorporate security in one’s company culture. By empowering motivated staff through their initial security training as well as further education, the management of any given company gains trusted, in-house partners for all technical and organizational security issues. The ideal Security Champions not only bring technical expertise and an intrinsic interest in security topics to the table, but also the social skills which enable them to consider the requirements of multiple stakeholders, build and maintain a Security Champion community within the organization, and develop a network in the wider software security community. The latter regularly comes together via Meetups and conferences, for example the upcoming sec4dev Conference & Bootcamp 2021, a great opportunity to learn about software security from world-renowned national and international experts. sec4dev offers deep-dive technological sessions as well as talks that give a first insight into the topic, and welcomes everybody who is interested in software security. sec4dev is the ideal platform both for aspiring and already-active Security Champions. Experts from SBA Research and its vast network furthermore share their know-how via regular security Meetups and the SBA Academy.
For more information on SBA’s Security Champion program, please contact Thomas Konrad.
Blogpost by Veronika Nowak