Lance Spitzner, Director, SANS Institute
The security skills gap is well documented. There just aren’t enough security professionals in the workforce to help secure our digital economy. Even if there were, hiring enough security professionals to build a comprehensive security program would not, on its own, solve the security problem, especially in AppSec. During this talk, Lance Spitzner, Director at SANS Institute, talked about the need to create security ambassadors at your organization. These ambassadors would help champion security initiatives across your entire employee base.
At Veracode we talk about the need to foster AppSec champions in development teams. These champions have a strong understanding of application security best practices and work with their teams to implement them. Security champions also help bring security from theoretical concept to practical application for their development team – bridging the gap that exists between security and development.
Much like security champions, security ambassadors bring the theoretical principles of security to the entire organization, helping promote secure behavior. Why is this valuable? Because we know the two most common ways cybercriminals get into an organization are through insecure applications and through gaining privileged access. The security industry has helped companies implement security training programs, but we all know those can be ineffective. They focus on compliance and helping employees gain just enough security knowledge to pass a multiple-choice quiz. But when you have security ambassadors on the team, you go further than compliance. These people have deeper security training about secure behavior and can then spread that information to their peers.
Spitzner described the many benefits of using security ambassadors to improve overall security at an organization. Given the success we’ve seen at CA Veracode with our own security champion program, I’d have to agree that creating a mini army of security-focused people throughout an organization is an effective way to improve security and behavior.