How do you drive security proficiency in technical teams?
As we all face increasingly varied security threats, it is important to know how to drive a culture of security across all teams within a business, especially those who have such a big impact on the security of your software, products, or business operations.
If you are a chief information officer, an IT manager, security professional, or developer in a small or medium-sized business, you may be tasked with ensuring your colleagues do the right thing when it comes to security. This means you educate non-technical colleagues about cyber security and prepare them before any threats occur. You may also be creating your own products or software and want to ensure that the development of these services is secure, so that you can offer a reliable service to your customers.
When it comes to security, especially for those in engineering or technical roles, people should feel empowered and confident.
Watch the video below to see how Sage partnered with Pluralsight as part of our security upskilling programme to build a culture of trust. Explore the lessons we learned along the way.
How can you empower teams when it comes to security?
Security is more than just implementing security tools and monitoring for threats. Having colleagues who care about security, understand it, and value how it supports your business goals is essential. To support developers and colleagues who work in technical roles, you can do these three things:
1. Understand their role, working life, and issues they face
If you are responsible for delivering security in your organization, spending time understanding those who feed into the technology and critical processes will be time well spent.
Regardless of your role, having conversations, taking short surveys, and reaching out to your organization’s developers, testers, architects, security professionals, or IT managers will help you understand what issues people are facing and whether they understand your company’s security requirements.
Being able to see and hear how people feel, what tools they use, and why they do certain things will help you create an approach to security that is meaningful.
2. Engage and incentivize in a human way
Once you understand how people are working and feeling, you can start to engage with them in the right way. This means clarifying your communication channels and using those that are most widely adopted, as long as they are secure.
Establish what you think would be the best way to reward and incentivize colleagues to be more secure or adopt more secure processes. Positive reinforcement based on an understanding of what motivates colleagues will support good security and the desire to acquire more security skills. For example, when developing security culture amongst Sage developers, we understood that their objective was to write “good, clean code” when we spoke to them and found out about their challenges. We tweaked this to “good, clean, secure code” and then supported them with training to achieve this.
Have a clear idea of what you are trying to achieve when it comes to security. For example, what do your colleagues need to know in order to support the capability you are building in your business? Once you have defined this, you can plan what you need colleagues to do. Less is more: focusing on just a couple of points will work best.
3. Consider champions
Sage has a network of security champions who are embedded in technical teams and who dedicate 10 percent of their time to security. They have a role description and key responsibilities, and the 10 percent commitment is written into their objectives.
Having a clear group that you can rely on for security is incredibly helpful for the security of your business and is an industry best practice. You can consider allocating the management of this group to a named individual in your business and ensuring that managers are supportive and are also being supported themselves.
In summary, building security capability is a long-term investment. Driving enthusiasm for security through consistent training and support can sit alongside a culture of continuous learning and community building to achieve measurable risk reduction.
You should check out our secure software development page on the Trust and security hub for more information about some of the work of our development teams.