Security cannot succeed in the application security space unless it works with development teams. It needs developers to do things like patch servers, fix pen test findings, and update libraries, among other maintenance activities — each of which has a direct correlation with managing risk in a piece of software. At times, security must also convince development teams that a security issue should be fixed before another feature is built. Given this interdependence, security teams must find creative ways of engaging development teams in conversation and partnership.
This article will touch on several ways that security teams can engage in developer outreach. As the active engagement and partnership between the teams increases, security outcomes will improve.
Friendly Competition
People love games. There are many fun ways to create friendly competition among teams while simultaneously fostering security awareness and building relationships. One possibility is by hosting a security-themed hackathon. Putting on a hackathon is a lot of work but can be very appealing to the developer community.
Another option for a competitive form of development outreach is gamified challenges related to secure coding or related topics. Sometimes these are a hit, sometimes they’re a total flop. In my experience, their success depends on how stretched development teams are (do they have time to spend playing games?); how invested they are in self-development; and the overall team culture.
The incentives tied to gamification can reinforce certain kinds of behavior and outcomes. For example, a monetary reward or recognition for teams or individuals that perform well may create more engagement and interest. It’s good to experiment and take a human-centered design approach: Look at what’s important and relevant to the people on the other side of this and engage them in the process. For some relevant ideas, check out Trailhead, the gamified training program rolled out at Salesforce several years ago.
The big thing is to make the competition fun. If people are having fun, they will come back for more. The more engagement you can facilitate, the more positive outcomes the teams will share.
Champions
Security champion programs have been happening for several years now. This typically manifests when a development team member becomes a focused security advocate and takes on more coordination and security responsibilities within that development team. As such, there is a good body of work around how to begin such a program and more importantly, how to sustain and grow it.
One of the most important security champion program elements is ongoing volunteer engagement and growth paths. If people don’t have time properly carved out, incentives properly aligned, or engagement with the security team, then the program will almost certainly die out and will likely be counterproductive. There must be clearly defined roles and agreement within leadership on this, and time has to come from somewhere.
Run well, though, a champions program can be a powerful means of scaling developer engagement across an organization.
Callouts
Most people appreciate being recognized for good work. If you’re on the security team, and you recognize a particular developer or a team undertaking tasks that you would be thrilled to see everyone doing, then make sure you recognize them. These tasks could be proactively seeking out bugs and fixing them, setting up more security tools and actively using them, or engaging with the team to do threat models, to name just a few activities. There are a lot of options for recognition at the security team’s disposal. Below are a few that I’ve personally used to great effect:
- Notable mentions at large meetings such as all-hands or in newsletters
- Passing around a physical trophy to create a fun kind of competition (a shield, engraved trophy, big hat, etc.). This one worked better pre-Covid when there was more of an emphasis on in-office culture, but there are plenty of virtual ways to recognize people.
- Handing out challenge coins or gift cards
- T-shirts or other kinds of swag that can be displayed by the recipient
Concluding Thoughts
Security teams need development teams. We can’t function solely through policy and mandates, not well anyway. To operate effectively, security teams must engage with and build relationships with other teams and leaders. The three areas above are a starting point to get ideas going on implementing this outreach. You don’t need to jump in right away: Begin small, experiment, adapt, and grow. The most important thing in my experience is to be intentional and consistent with your efforts.