Once just a “technology problem,” cybersecurity is now a business leadership priority across every area of a company. For software development organizations, cybersecurity has to become more than just a tool or program for creating secure code. It should be a mindset and foundational skillset for teams across the software development lifecycle (SDLC). This means every person and team—from secure software development to deployment and maintenance—should work with the same understanding of security concepts, threats, and objectives. Seems obvious, but how do you make that happen?
Training is the short answer, but scaling security is a two-pronged approach. The first prong is adopting a plan that maximizes your investment in training. That means delivering the right levels of knowledge and skills to the right people and tracking results to optimize learning. The second prong is leverage. It means embedding a handful of individuals with more advanced or elite expertise—security champions—into teams where they can increase security collaboration and help their team members up-level security skills through daily workflows. Start by establishing a baseline for team skills and identify an acceptable level of common security awareness.
Elevate security awareness everywhere
The first step is to raise security awareness across all IT and software development functions. That means ensuring everyone who touches the continuous integration/continuous delivery (CI/CD) software pipeline understands security risks and basic principles. Besides developers, this includes engineers, architects, analysts, admins, operations professionals, project managers, and product owners.
Each team should also understand how its decisions affect overall security posture. For example, developers write code, but they also use open-source tools, provision containers, and manage application infrastructure. They need to be able to recognize potential vulnerabilities in their process, not just in their code.
There are various assessment tools to determine levels of security awareness across your team. Based on results, you can introduce training as needed to bring everyone up to a base knowledge level of secure DevOps, privacy protection, OWASP Top 10 security risks and other topics core to your business.
Find your security champions
Next, find and cultivate security champions. These are individuals who demonstrate strong security skills and are excellent at problem solving, critical thinking and implementing best practices. They might already have deeper levels of security knowledge than their peers or demonstrate the desire to become more expert.
Security champions bridge the gap between development, IT, and security teams. OWASP describes them as “canaries” within development teams who decide when to involve security experts. Their role varies by company: some act as evangelists within an organization, focused on sharing critical security knowledge and ensuring tasks get done; others actively identify and address security issues early in the development process, helping to integrate security into the SDLC; and others primarily advocate for security best practices.
Embedding security champions within development teams allows you to focus security expertise where it’s most needed. This could be at the code or application level, within controls and network infrastructure, or with third-party and open-source code assurance. Champions improve communication, knowledge sharing, and collaboration between teams. They’re an effective way to scale security improvements across multiple areas and organically improve your overall security posture.
Implement modularized training
Your teams are likely made up of people with a wide range of security knowledge and skills. This means you’ll need to establish a baseline security skill level, especially in topics most relevant to your projects or goals. For example, do you mostly focus on web apps? Are you launching new Cloud or AI initiatives? You will need to account for the platforms and technologies you use most, and security concerns and topics will differ for developers, engineers, and product owners.
If it sounds complicated, it doesn’t have to be. Modularized training options make it easier to train, measure, and optimize learning for everyone in your organization. Core training courses provide fundamentals and best practices. Security topics are broken into individual components of a curriculum library, which can be easily mixed and matched for each person’s path based on their role and depth of knowledge. As individuals advance, they can dive deeper with advanced or elite courses. Typically, modularized courses are short and self-paced—a proven recipe for long-term retention.
Build security skills through hands-on activities
Hands-on experience helps drive skills retention, and there has been a significant increase in gamified training options for IT and development teams in recent years. Training labs offer simulated, self-paced, hands-on experiences that give team members practice in technical skills, such as identifying common vulnerabilities and becoming familiar with attackers’ techniques and tactics.
Cyber ranges, hackathons, and Capture-the-Flag competitions take security skills to the next level. These simulated environments use real applications and infrastructure with the flawed designs, defenseless code, and misconfigurations commonly found in production applications. Cyber ranges are competitive team environments where players are prompted to think like attackers to resolve different challenges. Whether through labs or cyber ranges, player skills are assessed and progress is measured to identify additional training needs or to optimize existing training programs. Competitive events also help identify candidates for further development as security champions who can drive long-term security improvements across the SDLC.
Develop role-based experts
Once your teams have gained core security education and hands-on experience, help them continue building their expertise with role-specific training. For example, you can provide one learning path for Database Administrators and another for Quality Assurance. Role-based courses deliver more advanced or elite security expertise applied to everyday workflows. In turn, these individuals and security champions can help their peers up-level skills through daily collaboration.
Track progress and optimize
Today, almost every company is a software company, and cyber threats change continually. Security and IT leaders need a security training plan to keep pace with changing security best practices, risk levels, and new cyber threats. Requiring a minimum amount of professional development hours is not enough. Security leaders need a training plan that maximizes the training budget with focused learning paths that track progress. Establish specific goals to ensure that teams build real security skills that can be applied to their daily tasks. Once you complete your first round of training, gather feedback from stakeholders to optimize and expand your program to cover other areas of the development lifecycle. With the right plan in place, security becomes second nature, strengthening both software and business resilience.
Kevin Poniatowski brings an optimal blend of speaking ability, technical savvy, and an insatiable passion for security to the CMD+CTRL training program, creating an engaging environment for both technical and security awareness courses. Poniatowski has trained enterprise teams across the globe at organizations including HP, Liberty Mutual, the Federal Reserve Bank, Oracle, MassMutual, VMware, State Street Bank, and the U.S. Department of State. Poniatowski has spoken at many security conferences on topics ranging from Secure Software Development Life Cycle best practices to BYOD and mobile device security. He earned a B.A. degree in Economics from the University of Michigan and a B.S. degree in Computer Science from Florida State University.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.