How a ‘Game of Codes’ is leading IAG Group to a more secure coding future

Published Jan 01, 2021
Case Study


IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & Awareness Manager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.

ENTER: Game of Codes

The challenge

Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area in IAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to upskill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia and New Zealand, each working on systems that weren’t necessarily the same, this was no small feat.

“This year, I made a change to our source code which removed an SQL injection vulnerability. For the recognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer

The implementation

Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:

“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said.

Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.

The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.

The result

Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.

By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.

In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.

Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:

“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”

Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.

And the ultimate advice, from Bianca herself:

“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”

Key takeaways

  • Executives on board and seeing the benefits
  • Building a positive security culture and keeping it front-of-mind
  • Development team upskilled and engaged
  • Introduction of ambassador program

“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests. I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester

FAST FACTS 

  • In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
  • They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.  
  • They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.

