
One Culture of Security: How Sage built their security champions program with agile secure code learning

Published Nov 22, 2023
Last updated on Feb 13, 2026

Sage is a British multinational enterprise software company that provides businesses with software and services that are simple and easy to use for Payroll, HR, and Finance. As of 2017, it is the UK's second largest technology company, the world's third-largest supplier of enterprise resource planning software, and the largest supplier to small businesses - with over 6 million customers worldwide.

Situation 

Before working with Secure Code Warrior, Sage had been outlining their Security Champion Network for approximately 10 years. Despite the robust network of security-focused developers, training was sporadic and not structured to focus on risk reduction.

Sage recognized that it was important to spend time building relationships and embedding security over a period of time with a flexible approach. Sage’s program tied its goals to risk reduction and the material impact of that program. When piloting the program with certain business units, they focused on how to measure risk reduction and replay it back to the business to win developer and senior leadership’s buy-in. 

Action

Mads Howard, People-Centered Security Lead at Sage, worked with developers to understand the personas of security champions. She met with developers in each business unit and conducted interviews with them to understand what motivates them, how they like to learn, and what limitations they see in their work. She and her team worked to build relationships with developers and their team leads, and emphasized the importance of being flexible in their approach.

Mads emphasizes a relationship-building approach,

“We spent a lot of time building relationships with dev team leaders, engineering team leaders, and product managers - the people that control the time spent on education during sprint cycles.”

According to Mads, it also boiled down to scaling out their security champions network,

“The security champion network has been seen as a key control of that program. So in order for products to move through this program, we had to really take seriously the role of having somebody as a security champion and also provide them with solid security training.” 

The Global Security Team's goal at Sage was to implement a Security Control Program that took into consideration the learning needs of developers in a complex technology environment, and to choose a partner that worked alongside their existing security tooling to aid in vulnerability management.

It was important that education was seen as an important aspect of a mature security control program. They focused on measuring risk reduction through: 

  • Risk Score Improvement
  • Vulnerability Age Reduction in vulnerability backlog
  • Resolution Time
  • Number of closed vulnerabilities vs. open vulnerabilities
  • Number of issues per line of Sage-written code (not third party)

For Mads,

"The next phase for Sage as a business is to demonstrate that upskilling through a secure coding program that is embedded in developer workflows delivers measurable risk reduction."

Results

Mads emphasized the importance of the partnership and guidance Secure Code Warrior provided her and her team,

“I honestly would say that we would not have been able to get this far and build out a kind of a program that has this level of maturity in terms of different layers or dev team across different technologies without the support of Secure Code Warrior.” 

Once Mads and her team completed their interviews and won developer buy-in, she began to implement Secure Code Warrior to be part of a wider security culture program. 

The result, according to Mads, is,

“Sage has 200 plus security champions now enrolled in the program, and if a security champion is dedicating 3.5 hours a week (or 10% of their time) to skills building, they can advocate for a secure coding program, they can advocate for continuous training, and they can advocate for the value it gives them.” 

With senior leader buy-in and measurable goals around risk reduction, Mads was able to begin measuring success not only by the number of people on a platform and the hours played, but also by time to fix vulnerabilities and vulnerability age, and then comparing these with the new features that have been built for customers to give a holistic viewpoint on vulnerability reduction. For one team the impact was enormous, with an 82% reduction in mean time to fix a vulnerability.

However, what mattered more, Howard added, was the unquantifiable - the engagement, the commitment, and the willingness of teams to be involved in the program.

Key Takeaways

The Sage experience underlines the relevance of well-planned and executed security training and the importance of a flexible, integrated approach - a lesson worth learning for any organization aiming for a robust, secure coding program. According to Mads, it’s important to remember that working with developers, not against them, is the key to implementing a successful security control program and embedding security into the company’s culture.

  • Creating a Security Culture doesn’t happen overnight. It’s important to spend time building relationships and embedding security over a period of time, and dedicating resources to do so. 
  • Tie everything back to risk reduction and focus on what the material impact is of a secure coding program.
  • Focus on how you can measure that risk reduction to replay it back to the business so the program is seen as impactful and successful by both developers and senior leadership alike. 

For developers looking to be security champions, she and her team also offered this advice: 

  • Build a network around you of people who are interested in security and get involved in conferences and talks. Spend time learning about the topics that interest you. 
  • Keep in mind an organization’s culture isn’t going to change overnight, and it will take time to develop and mature. 
