One Culture of Security: How Sage built their security champions program with agile secure code learning
TL;DR
Sage is a British multinational enterprise software company that provides businesses with software and services that are simple and easy to use for Payroll, HR, and Finance. As of 2017, it is the UK's second largest technology company, the world's third-largest supplier of enterprise resource planning software, and the largest supplier to small businesses - with over 6 million customers worldwide.
Situation
Before working with Secure Code Warrior, Sage had been building its Security Champion Network for approximately 10 years. Despite this robust network of security-focused developers, training was sporadic and not structured around risk reduction.
Sage recognized that it was important to spend time building relationships and embedding security over a period of time with a flexible approach. Sage’s program tied its goals to risk reduction and the material impact of that program. When piloting the program with certain business units, they focused on how to measure risk reduction and replay it back to the business to win developer and senior leadership’s buy-in.
Action
Mads Howard, People-Centered Security Lead at Sage, worked with developers to understand the personas of security champions. She met with developers in each business unit and conducted interviews with them to understand what motivates them, how they like to learn, and what limitations they see in their work. She and her team worked to build relationships with developers and their team leads, and emphasized the importance of being flexible in their approach.
Mads emphasizes a relationship-building approach:
“We spent a lot of time building relationships with dev. team leaders, engineering team leaders, and product managers - the people that control the time spent on education during sprint cycles.”
According to Mads, it also boiled down to scaling out their security champions network:
“The security champion network has been seen as a key control of that program. So in order for products to move through this program, we had to really take seriously the role of having somebody as a security champion and also provide them with solid security training.”
The Global Security Team's goal at Sage was to implement a Security Control Program that took into account the learning needs of developers in a complex technology environment, and to choose a partner whose platform worked alongside their existing security tooling to aid vulnerability management.
It was important that education be seen as a core aspect of a mature security control program. They focused on measuring risk reduction through:
- Risk Score Improvement
- Vulnerability Age Reduction in vulnerability backlog
- Resolution Time
- Number of closed vulnerabilities vs. open vulnerabilities
- Number of issues per line of Sage-written code (not third party)
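The metrics above are easy to name and surprisingly easy to get wrong in practice, so here is an added example (my own illustration, not Sage's or Secure Code Warrior's tooling) that computes them from a vulnerability-tracker export. The `Finding` fields, the severity weights behind the risk score, the 50,000-line first-party code size and the sample records are all constructed assumptions. It also goes one step beyond the list by measuring resolution time per cohort of findings opened in a period, because closing long-lived backlog debt would otherwise inflate the mean time to fix for the period in which the cleanup happened.

```python
"""Risk-reduction metrics from a vulnerability backlog export (added illustration)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed severity weights for a simple backlog risk score (illustrative, not a standard).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    opened: date
    closed: Optional[date]     # None while the finding is still open
    third_party: bool = False  # vendor/OSS code: excluded from the per-LOC density metric


# Constructed sample export (not real Sage data).
BACKLOG = [
    Finding("V-1", "high", date(2024, 1, 5), date(2024, 3, 5)),
    Finding("V-2", "critical", date(2024, 1, 10), date(2024, 1, 30)),
    Finding("V-3", "medium", date(2024, 2, 1), date(2024, 3, 22)),
    Finding("V-4", "low", date(2024, 2, 15), date(2024, 2, 25)),
    Finding("V-5", "low", date(2024, 3, 1), None, third_party=True),
    Finding("V-6", "medium", date(2024, 3, 10), date(2024, 3, 17)),
]


def cohort(backlog, start, end):
    """Findings opened within [start, end] inclusive. Measuring by cohort keeps
    old backlog debt from distorting the resolution time of recent work."""
    return [f for f in backlog if start <= f.opened <= end]


def summarize(findings, as_of, first_party_loc):
    """Compute the program metrics for a set of findings as seen on the as_of date."""
    closed = [f for f in findings if f.closed is not None and f.closed <= as_of]
    open_ = [f for f in findings
             if f.opened <= as_of and (f.closed is None or f.closed > as_of)]
    first_party = [f for f in findings if not f.third_party and f.opened <= as_of]
    return {
        "open": len(open_),
        "closed": len(closed),
        # Resolution time: mean days from opened to closed, closed findings only.
        "mean_resolution_days": mean((f.closed - f.opened).days for f in closed) if closed else None,
        # Vulnerability age: mean days the still-open findings have been sitting in the backlog.
        "mean_open_age_days": mean((as_of - f.opened).days for f in open_) if open_ else None,
        # Risk score: severity-weighted sum over what is still open.
        "risk_score": sum(SEVERITY_WEIGHT[f.severity] for f in open_),
        # Defect density: first-party findings per 1,000 lines of first-party code.
        "issues_per_kloc": len(first_party) / (first_party_loc / 1000),
    }


def percent_reduction(before, after):
    """Percentage drop from before to after, e.g. for mean time to fix."""
    if not before:
        raise ValueError("no baseline to compare against")
    return round((before - after) / before * 100, 1)


if __name__ == "__main__":
    as_of, loc = date(2024, 3, 31), 50_000
    before = summarize(cohort(BACKLOG, date(2024, 1, 1), date(2024, 2, 29)), as_of, loc)
    after = summarize(cohort(BACKLOG, date(2024, 3, 1), date(2024, 3, 31)), as_of, loc)
    print("Jan-Feb cohort:", before)
    print("Mar cohort:   ", after)
    print("MTTF reduction: %.1f%%" % percent_reduction(
        before["mean_resolution_days"], after["mean_resolution_days"]))
```

Two things are worth noticing when using this in practice: a cohort with no closed findings yet has no resolution time (the function returns `None` rather than zero, so it cannot be mistaken for instant fixes), and the per-LOC density deliberately ignores third-party findings, matching the last bullet above, while the risk score and open/closed counts include them because they are still the organisation's exposure.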
For Mads:
"The next phase for Sage as a business is to demonstrate that upskilling through a secure coding program that is embedded in developer workflows delivers measurable risk reduction."
Results
Mads emphasized the importance of the partnership and guidance Secure Code Warrior provided her and her team:
“I honestly would say that we would not have been able to get this far and build out a kind of a program that has this level of maturity in terms of different layers or dev team across different technologies without the support of Secure Code Warrior.”
Once Mads and her team completed their interviews and won developer buy-in, she began to implement Secure Code Warrior to be part of a wider security culture program.
The results, according to Mads:
“Sage has 200 plus security champions now enrolled in the program, and if a security champion is dedicating 3.5 hours a week (or 10% of their time) to skills building, they can advocate for a secure coding program, they can advocate for continuous training, and they can advocate for the value it gives them.”
With senior leadership buy-in and measurable goals around risk reduction, Mads was able to measure success not only by the number of people on the platform and the hours played, but by time to fix vulnerabilities and vulnerability age, and then to compare these against the new features built for customers, giving a holistic view of vulnerability reduction. For one team the impact was enormous: an 82% reduction in mean time to fix a vulnerability.
However, what mattered more, Howard added, was the unquantifiable - the engagement, the commitment, and the willingness of teams to be involved in the program.
Key Takeaways
The Sage experience underlines the value of well-planned, well-executed security training and the importance of a flexible, integrated approach, a lesson worth learning for any organization aiming for a robust secure coding program. According to Mads, it’s important to remember that working with developers, not against them, is the key to implementing a successful security control program and embedding security into the company’s culture.
- Creating a Security Culture doesn’t happen overnight. It’s important to spend time building relationships and embedding security over a period of time, and dedicating resources to do so.
- Tie everything back to risk reduction and focus on what the material impact is of a secure coding program.
- Focus on how you can measure that risk reduction to replay it back to the business so the program is seen as impactful and successful by both developers and senior leadership alike.
For developers looking to be security champions, she and her team also offered this advice:
- Build a network around you of people who are interested in security and get involved in conferences and talks. Spend time learning about the topics that interest you.
- Keep in mind an organization’s culture isn’t going to change overnight, and it will take time to develop and mature.