Security within development teams is not just a priority but a necessity. Ensuring that security measures are deeply embedded in every aspect of your team’s workflow can significantly reduce vulnerabilities and protect your organization from potential threats and costs. This blog post outlines a structured approach to establishing security within teams, focusing on key elements such as security chapters, OKRs, roadmaps, and the role of security champions, with real-world examples from leading companies.
Security Chapter Led by One Person
A security chapter is a dedicated group within your organization focused solely on security. Chapters are a lightweight matrix organization: when you have different vertical teams working on different products, the security chapter cuts horizontally across all of them. Spotify has successfully implemented a “chapter” system, where one person leads specific interest groups, including security. This model has allowed Spotify to maintain a strong focus on security across their global teams.
The security chapter should be led by a knowledgeable and experienced individual who can steer the team towards achieving its security goals. The leader is responsible for setting the vision, aligning the team, and ensuring that security remains a top priority.
Setting OKRs for the Security Chapter
Objectives and Key Results (OKRs) are essential for driving focus and measuring progress. The security chapter should have both yearly and half-yearly OKRs to drive specific topics. Google is known for its rigorous use of OKRs across all departments, including security. By setting clear, measurable goals, Google ensures that all employees are aligned and working towards common security objectives. For example, an OKR could be:
- Objective: Improve overall security awareness.
- Key Result: 30% of employees complete an OWASP training by the end of the year.
- Key Result: High severity security tickets are reduced by 50%.
- Key Result: eNPS of this group is above 30.
OKRs help in setting clear, measurable goals and provide a framework for tracking progress.
Developing a Security Roadmap
A security roadmap is crucial for driving strategic topics and ensuring long-term success. This roadmap should outline the key initiatives and milestones that the security chapter aims to achieve. For instance, establishing a secure coding practice or implementing regular security audits could be part of the roadmap. Microsoft has a well-defined security roadmap that includes initiatives like the Security Development Lifecycle (SDL), which integrates security and privacy considerations into all phases of development.
Security Champions in Each Development Team
Netflix has implemented a “Security Champions” program where selected individuals are trained extensively on security best practices. These champions then advocate for security within their respective teams, ensuring that security is a shared responsibility.
Each of your development teams should have a designated “security champion.” This individual is responsible for driving security within their team and ensuring that security practices are followed. The security champion acts as a liaison between the development team and the security chapter, ensuring that security remains a focal point in all development activities.
Discuss Topics and Tickets Async
To facilitate communication and quick resolution of security issues, a group chat for all security champions should be established. This platform allows for the discussion of security-relevant topics in real-time, reducing the need for frequent, time-consuming meetings. This approach ensures that security problems are tackled promptly and efficiently.
Monthly Meetings for the Security Chapter
The security chapter should meet once a month with all security champions to review OKRs and ensure that the chapter is on track to tackle strategic topics. These meetings provide an opportunity to discuss progress, address any challenges, and realign efforts as needed. Facebook holds regular security sync meetings where security champions and leads discuss ongoing initiatives, review progress, and plan future activities. This ensures that everyone is aligned and focused on the same security goals.
The Importance of Top Management Support
Apple places a strong emphasis on security, with top executives like the CTO and CISO actively involved in security decisions. This top-down approach ensures that security is integrated into the product development lifecycle from the very beginning.
Security initiatives can only succeed with the support of top management. The CTO or CISO must be involved in decision-making processes that impact the product roadmap. For example, determining the priority between a “security fix” and a “product feature” requires their input to ensure that security is not compromised.
A Charter for the Security Chapter
All the topics discussed above are nice, but they have to be codified in your organization. One way to do this is to create a page in a wiki like Confluence that serves as a hub for the documentation. The page could contain the following topics:
- What is the security chapter (responsibilities)
- Who leads the chapter
- Who participates
- What is the current strategic roadmap for security topics
- What is the current OKR (how do we measure progress)
- When do meetings take place
- Where to discuss security-relevant topics (e.g. a Slack group)
- Meeting notes
  - …
- FAQ section
  - What are security champions
  - …
Conclusion
Establishing security within teams requires a structured approach, clear goals, and strong support from top management. By implementing a security chapter, setting OKRs, developing a roadmap, appointing security champions, and fostering open communication, organizations can significantly enhance their security posture. Remember, security is a continuous journey, and with the right framework in place, your teams will be better equipped to navigate the challenges ahead.