Security cannot succeed unless we work with and through other teams. This fact is especially true in the application security space. Security teams need to find creative ways of engaging development teams for a variety of reasons in conversation and partnership. Security teams are not patching servers. They aren’t updating libraries. They aren’t fixing the pentest findings. Security teams need to be able to accomplish their work by convincing other teams at times that a security issue should be fixed over another feature.
This article will touch on several ways that security teams can engage in developer outreach. It’s not recommended to jump in and start doing all these things right away; start small, experiment, adapt, and grow.
Using Competition to Attract the Developer Community
People love games. There are a lot of fun ways to create friendly competition between teams while simultaneously fostering security awareness and building relationships. Hosting a security-themed hackathon is a lot of work but can be very appealing to the developer community.
Some training platforms have begun to release gamified challenges related to secure coding or related topics. Sometimes these are a hit, sometimes they’re a total flop. It’s good to experiment and take a human-centered design approach. The big thing in a competitive sense is to try to make it fun. If people are having fun, they will come back for more.
Security Champion Programs
Security champion programs have been happening for a number of years now. As such, there is a good body of work on how to begin such a program and, more importantly, how to sustain and grow it. I believe that one of the most important elements of any security champion program is the ongoing engagement and growth paths provided to its volunteers. If people don’t have time properly carved out, incentives properly aligned, and actual engagement with the security team, then the program will almost certainly die out and will likely be counterproductive.
Run well, though, and a champion program can be a powerful means of scaling developer engagement across an organization.
Call Outs and Positive Affirmation
Most people appreciate being recognized for the good work they’re doing; positive affirmation works in relationships and it works in organizational dynamics. If you’re on the security team and you recognize a particular developer or a team that is doing things that you would be thrilled to see everyone doing, make sure you recognize it. This could include proactively seeking out bugs and fixing them, setting up more security tools and actively using them, engaging with the team on threat models, or any number of other activities.
There are a lot of ways that security teams can recognize others. Below are a few that I’ve personally used to great effect:
- Notable mentions at large meetings, such as all hands or in newsletters
- Passing around a physical trophy of sorts to create a fun kind of competition (a shield, engraved trophy, big hat, etc.). This one worked better pre-Covid when there was more of an emphasis on in-office culture, but there are plenty of virtual ways to recognize people in a similar way.
- Handing out challenge coins or gift cards
- T-shirts or other kinds of swag that can be displayed by the recipient
Security teams need other teams. We can’t function through policy and mandates, not well anyways. To operate effectively, security teams need to engage and build relationships with other teams and leaders. The three areas above are really just a starting point to get ideas going on how to begin this outreach. The most important thing, in my experience, is to be intentional and consistent.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: