Webinar recap: How to build relationships with developers?
Join our guest expert, Dustin Lehr, to learn how to earn developers' respect, introduce gamification, and get issues fixed in a security context.
All employees of any organization, and especially developers, are crucial to fostering a culture focused on security. But how can a security team build good relationships with developers to create this sort of culture?
In our past webinar, security expert Dustin Lehr shared invaluable insights from his extensive experience in building effective security champion programs that empower individuals passionate about security.
This article outlines the best practices and strategies for establishing and maintaining such programs, ensuring that your organization remains secure while promoting a culture of continuous improvement and collaboration.
Dustin Lehr's Background
Dustin Lehr is an accomplished software engineer turned information security leader. He is a co-founder, CPO, and CTO at Katilyst, a company dedicated to building security programs that incentivize and reward employees to take action, and a former Senior Director of Platform Security and Deputy CISO at Fivetran.
Dustin is the driving force behind the Security Champion Program Success Guide and has a wealth of experience in application security. With over 13 years as a developer, followed by years of rolling out security initiatives and building relationships with developers, he is a valuable voice in the field of cybersecurity.
He is also a prominent community leader, heading the "Let's Talk Software Security" group.
Earning Developers' Respect
To earn developers' respect, it's crucial to understand their needs and concerns. Developers often operate within a social hierarchy, and respect must be earned through genuine effort and understanding.
“You do have to earn respect. It's not just given to you. You can't just sort of show up as a new person and expect everyone to say, 'Hey, welcome to the community.' It's more like, 'What are you doing here? How do you contribute?'” - Dustin Lehr
Engaging with developers by learning their world, trying out programming languages, and understanding their frustrations helps build trust and respect. Expect to spend real effort understanding what the other party wants or needs; this takes time and a good deal of trial and error.
“It's a very simple thing to just get yourself more involved in the technical world and in the development world specifically by trying stuff. Go learn Python, go learn some initial language, and just play around with it.” - Dustin Lehr
Effective Communication with Developers
Building effective relationships with developers involves listening and learning from them. Approaching them with humility and a willingness to learn can foster collaboration.
“I think building an effective relationship has a lot to do with just listening to other people and putting yourself out there. Maybe not coming in hot, coming in a little bit more humble and saying, 'I'm just trying to learn this. Can anybody help me?'” - Dustin Lehr
It's essential to understand their systems, gather feedback, and design security programs that cater to their needs while incorporating best practices. Dustin highlighted that the best place to start is listening: learning the perspective of developers, learning their systems, and having them lead you around and teach you their world.
Introducing Gamification
Gamification involves applying game-like techniques to non-game situations to motivate people. This concept leverages the engaging and motivational elements found in games to enhance user experience and drive participation in various contexts, such as education, work, and personal development. Individuals are encouraged to achieve specific goals through the integration of game mechanics like:
- point scoring
- leaderboards
- badges
- challenges
For developers, gamification can be particularly effective due to their inherent motivation for accomplishment and social recognition. Developers often thrive on completing tasks, solving problems, and being acknowledged for their skills and contributions. By incorporating gamification into their workflows, such as through coding challenges, hackathons, and progress tracking tools, developers can experience a heightened sense of achievement and visibility within their communities or organizations.
Dustin explained that gamification is not necessarily about turning activities into full-fledged games. Instead, it focuses on identifying and utilizing the techniques that make games engaging and applying these to non-game situations. This distinction is crucial; the goal is not to create an artificial game environment but to harness the principles that drive game players—such as feedback loops, goal setting, and competition—and adapt them to real-world tasks. By doing so, gamification can:
- improve motivation in teams and individuals,
- boost productivity across different projects,
- and improve overall engagement without compromising the seriousness or purpose of tasks.
For example, in a professional setting, gamification can involve setting up a system where developers earn points for completing coding tasks, receive badges for mastering new skills, and see their progress on a leaderboard compared to their peers. This not only makes the work more engaging but also promotes continuous learning and improvement. Similarly, in education, students can benefit from gamified learning modules that reward them for completing assignments, participating in discussions, and achieving high scores on tests, thereby making the learning process more interactive and enjoyable.
Implementing systems like security champion belt levels can increase engagement and status among developers.
“You've seen probably the security champion belt system. That's basically a status that people can earn. The more that they can contribute, maybe you're trying to reinforce or encourage people to fix security vulnerabilities, and so forth.” - Dustin Lehr
Overall, gamification taps into the human desire for achievement, competition, and recognition, making mundane or challenging tasks more compelling and rewarding. By understanding and implementing the effective elements of game design, organizations and individuals can enhance motivation and performance across various domains.
Successful Security Champion Programs
Security champion programs are vital for creating a cultural movement towards secure coding. These programs identify and cultivate individuals within an organization who are passionate about security and can serve as role models and advocates for secure coding practices. By leveraging the influence of these champions, organizations can effectively promote and integrate security measures across all teams and departments.
Identifying early adopters and working closely with them to build their skills is a key strategy for scaling a security program within an organization. Early adopters are typically more open to change and can help lead the way by demonstrating the benefits and feasibility of secure coding practices. By investing in their development, organizations can create a ripple effect where these champions influence their peers, encouraging broader adoption of security protocols.
“Finding the allies, finding the champions for the cause, in this case, secure coding, is a necessary part of more wide adoption.” - Dustin Lehr
This highlights the importance of strategically selecting and empowering individuals who can drive the security agenda from within their own teams. These champions can serve as the bridge between the security team and the broader organization, facilitating communication and ensuring that security practices are understood and implemented effectively.
These champions can advocate for security within their teams, making it more likely for peers to adopt secure practices. By embedding security advocates within various teams, organizations can create a more organic and sustained adoption of secure coding practices. Champions can provide on-the-ground support, answer questions, and address concerns in real time, making the transition to secure coding smoother and more acceptable.
“People are way more likely to listen to their peers than to listen to you as a security person. Winning those advocates and then making sure that they're empowered to express the changes that are needed across the company, that's the whole concept of security champions.” - Dustin Lehr
This underscores the psychological aspect of peer influence, where colleagues are more inclined to trust and follow the advice of their peers rather than directives from an external authority. By empowering security champions, organizations ensure that the message of secure coding is delivered in a relatable and convincing manner.
Moreover, security champions can help to demystify security practices and integrate them into the daily workflow, making them a natural part of the development process rather than an external imposition. They can also provide valuable feedback to the security team about the practical challenges and needs of their peers, enabling continuous improvement of security initiatives.
Security champion programs are a strategic approach to fostering a security-conscious culture within an organization. By identifying, training, and empowering champions, organizations can promote secure coding practices more effectively and ensure that security becomes a shared responsibility across all teams.
Measuring Success
Measuring the success of security programs involves more than just tracking attendance. It's essential to connect the actions of security champions to actual security outcomes. Metrics like mean time to remediation, vulnerability escape rate, and vulnerabilities introduced per line of code can provide valuable insights.
“I do think that attendance is a decent place to start because it shows interest. However, you need to connect the actions that your champions are taking to actual security results ultimately.” - Dustin Lehr
A/B testing and comparing teams with and without security champions can help demonstrate the program's effectiveness. By implementing an A/B testing approach, organizations can gather empirical evidence on the impact of security champions on various metrics. This method involves dividing teams into two groups: those with designated security champions and those without. Over a specified period, both groups are monitored and assessed to determine how the presence of security champions influences key security outcomes.
“Teams that have security champions, how do they compare to teams that don't, in terms of vulnerabilities introduced and in terms of even phishing emails identified?” - Dustin Lehr
This approach allows organizations to quantitatively measure the benefits of having security champions. Key metrics to compare might include the number of vulnerabilities introduced during development, the speed at which security issues are identified and resolved, and the effectiveness of teams in recognizing and responding to phishing attempts.
Teams with security champions are expected to introduce fewer vulnerabilities due to the proactive role of champions in promoting secure coding practices and awareness. Security champions can provide ongoing education, conduct code reviews with a focus on security, and serve as a resource for their teammates, all of which contribute to reducing the incidence of security flaws in the codebase.
Additionally, teams with security champions might be more adept at identifying and responding to phishing emails. Security champions often lead by example, demonstrating best practices for recognizing phishing attempts and encouraging a culture of vigilance. They can also organize training sessions and share tips on how to spot and report suspicious emails, thereby enhancing the overall security awareness of their team.
The results from such A/B testing can provide compelling evidence to support the continuation and expansion of security champion programs. If data shows that teams with security champions perform significantly better in terms of security metrics, it underscores the value of investing in these programs. Moreover, it can help justify the allocation of resources towards training and supporting security champions across the organization.
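To make the metrics above concrete, here is an added example (not from the webinar or from Dustin Lehr) that computes mean time to remediation, vulnerability escape rate, and vulnerabilities per thousand lines changed from a constructed set of findings, then compares the teams that have a security champion with those that don't. The team names, dates, and line counts are all made up; "escape rate" is assumed here to mean the fraction of findings first discovered in production rather than by review or scanning before release, since the text does not define it.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed sample data for illustration; nothing here comes from the webinar.
# found_in is "internal" (caught by review/scanning before release) or
# "production" (escaped into a release and was found there).


@dataclass
class Finding:
    team: str
    opened: date            # date the finding was raised
    closed: Optional[date]  # date it was fixed, or None if still open
    found_in: str


@dataclass
class Team:
    name: str
    has_champion: bool
    kloc_changed: float     # thousands of lines changed during the period


TEAMS = [
    Team("payments", True, 12.0),
    Team("search", True, 8.0),
    Team("billing", False, 10.0),
    Team("reports", False, 6.0),
]

FINDINGS = [
    Finding("payments", date(2024, 3, 1), date(2024, 3, 4), "internal"),
    Finding("payments", date(2024, 3, 10), date(2024, 3, 12), "internal"),
    Finding("search", date(2024, 3, 5), date(2024, 3, 11), "production"),
    Finding("search", date(2024, 3, 20), None, "internal"),
    Finding("billing", date(2024, 3, 2), date(2024, 3, 20), "production"),
    Finding("billing", date(2024, 3, 7), date(2024, 3, 27), "production"),
    Finding("billing", date(2024, 3, 15), date(2024, 3, 25), "internal"),
    Finding("reports", date(2024, 3, 3), None, "production"),
    Finding("reports", date(2024, 3, 9), date(2024, 3, 23), "internal"),
]


def metrics(teams, findings):
    """Outcome metrics for a group of teams; None where the group has no data."""
    names = {t.name for t in teams}
    rows = [f for f in findings if f.team in names]
    fixed = [f for f in rows if f.closed is not None]
    kloc = sum(t.kloc_changed for t in teams)
    return {
        # mean time to remediation, in days, over findings that were actually fixed
        "mttr_days": mean((f.closed - f.opened).days for f in fixed) if fixed else None,
        # share of findings that escaped into production before being found
        "escape_rate": sum(f.found_in == "production" for f in rows) / len(rows) if rows else None,
        # normalise by change volume so a busy team is not penalised for shipping more
        "vulns_per_kloc": len(rows) / kloc if kloc else None,
        "open_findings": len(rows) - len(fixed),
    }


def compare_groups(teams, findings):
    """The A/B view: teams with a designated champion versus teams without one."""
    with_champ = [t for t in teams if t.has_champion]
    without = [t for t in teams if not t.has_champion]
    return {
        "with_champion": metrics(with_champ, findings),
        "without_champion": metrics(without, findings),
    }


if __name__ == "__main__":
    for group, values in compare_groups(TEAMS, FINDINGS).items():
        print(group, values)
```

With four teams and nine findings the numbers are only illustrative; in practice you would run the comparison over a long enough period, and enough teams, that a single large incident cannot swing the result, and you would normalise by change volume (as `vulns_per_kloc` does) so that the busiest teams are not mistaken for the least secure ones.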
Overcoming Challenges
Developers often face time constraints, and balancing security with business needs is crucial. Engineers and engineering leaders must advocate for security and influence product decisions.
“Engineers and engineering leaders have a responsibility to speak up and influence product and the rest of their company to understand what is necessary to build a good quality product at the end of the day.” - Dustin Lehr
Aside from integrating security into the software development lifecycle so that it becomes part of everyday work for engineers, building a culture of positive reinforcement, rather than punishment, can motivate developers to take security seriously. Dustin shared that he would like to see more positive reinforcement used to help educate others.
Conclusion
Building effective security programs requires understanding developers' perspectives, fostering collaboration, and leveraging gamification to motivate secure practices. By listening to developers, identifying security champions, and measuring success through meaningful metrics, organizations can create a culture of security that resonates with their development teams.
For more insights and discussions on software security, consider joining communities like OWASP or the "Let's Talk Software Security" meetup. As Dustin concluded, "There are plenty of ways to get involved. It's all about bringing people together that have similar interests and chatting about it."
This article provides a comprehensive overview of the key points discussed by Dustin Lehr, offering practical advice for building effective security programs and fostering collaboration with developers.