DEV Community

Cdebrincat for ShiftLeft

Posted on • Originally published at blog.shiftleft.io on

What is a security champion and do you need one?

The role of security champions in a software development team, and how they help build secure applications

First, what is a security champion?

A security champion is a person in your organization that advocates for security best practices.

They are critical for the success of an application security (AppSec) program. Security champions jumpstart early and ongoing adoption and can be synonymous with the popular term “evangelist.”

Champion, in this context, refers to the alternative definition of a champion: “a person who fights for a cause”

The word fight is key because these security champions are trying to accomplish large-scale organizational change, which is one of the hardest things to do in business. Humans are great at adapting but we don’t change very well when the change is not coming from within.

This is why two out of three transformation initiatives fail.

Why do we need Security Champions?

A good analogy is an “Agile Champion.” These people lead similar efforts but in the context of agile methodology. Since agile transformations take 3 to 5 years, and most organizations can’t wait that long, you need champions within your organization to speed up adoption.

“While the average CEO lasts 8 years, it is the CIO who typically sponsors the Agile Transformation. And the CIO tenure is about half that of the CEO, or 4.3 years.”

The same goes with an Application Security Champion. Not only are they trying to transform a business, but their industry — AppSec — is continually trying to catch up with technology’s exponential growth.

And, as software applications grow in complexity, so do the surface areas for security vulnerabilities.

Over the last year, it hasn’t slowed down. Organizations instead are “doubling down” on Digital Transformations. According to a report from OpsRamp, the biggest area of increased spend is in Security and Compliance.

To keep up with this progress, it’s critical to invest company time and effort across the famous trio: people, process, and technology.

  • People: Application Security Champions & CISOs
  • Process: DevSecOps
  • Technology: Code security software

“AppSec has been the number one priority for clients seeking CISOs over the past 12 months.” -André Tehrani, partner at Recrewmint, Inc.

How do you get started with Security Champions?

Depending on your budget, you can hire a full-time employee or look for someone internally who is passionate and willing to approach it as a career objective.

Here is one example of a job description from Wells Fargo for a “Software Engineer — Application Security Champion.”

  • “Wells Fargo’s Application Security Champions play an integral part of the Enterprise Application Security Program to enhance the capability of managing and remediating vulnerabilities identified by our applications and systems.”

Since 2015, experts have been advocating for Security Champions within every software development team. You may not be able to staff full-time employees on every team but at the least, you can designate folks who are willing to fill the role.

Besides, who isn’t willing to be a champion?

https://medium.com/media/e92aa5395582ed653db1d66a483a1432/href

If you need help getting started, you can check out our learn site where we have many free resources for AppSec training, like this webinar on the importance of context-sensitive security training.

Or, check out a talk from HackSplaining CEO Malcolm McDonald, from the Shifting Left 2.0 Conference, on “Why Every Member of Your Development Team Should Be a Security Expert (and How to Get There).”


Top comments (0)