5 Ways to Train Security Champions in Cross-Functional DevOps Teams - Part 2
August 29, 2019

Ed Adams
Security Innovation

As organizations seek to better embed security into DevOps and Agile software development, they're going to need to find better ways of scaling security knowledge across cross-functional teams. Everyone needs to chip in, and the only way they can do that is if companies properly train members of cross-functional teams on what it means to deploy secure software.

Start with 5 Ways to Train Security Champions in Cross-Functional DevOps Teams - Part 1

3. Tackle Role-Based Security Training

Even with a sophisticated blended learning experience, generic security training should only be the foundation for developing security champions within DevOps teams. A security champion program depends on training that's tailored to specific roles.

Not only that, this training needs to be designed for the new reality of collaborative DevOps-based roles, rather than the limited and siloed IT functions of years past.

Organizations can take a team's security knowledge to the next level with tailored, prescriptive training based on specific roles. Once individuals have the basic education and the hands-on experience, it pays to take the information about how they performed in these trainings and tell the trainee where they should focus next based on their job duties. So developers would get one suggested learning path, QAs another, infrastructure specialists a different one, and so on. By doing that, it'll give every security champion a much deeper level of training applicable to his or her daily workflows.

The training needs to offer people the path to not necessarily turn into security staff, but to learn at an elite level how security applies to their specific role. If teams can pepper even just a percentage of these elite security champions across each common role, these highly trained individuals can help their peers level up their skills organically as they work together on a daily basis.

4. Leverage Modularized Training

Many of the security principles taught to different roles will overlap so there's no reason to reinvent the wheel with brand new curriculum for every unique role. One way to do this is to develop a modularized training approach.

Modularized training breaks down certain principles into individual components of a curriculum library. From there an organization can then mix and match these components for each person's appropriate path — based on their role and depth of knowledge they need. Not only does this make it more elegantly to shift to role-based security training, but it also adheres to the latest research in education that favors moving from traditional, long-form courses to shorter, more consumable modules.

5. Establish a Security Training Plan for DevOps Teams

Gartner analysts predict that DevSecOps practices will become embedded into 80% of rapid development teams by 2021. In this day and age where every company is a software company, IT leaders need to develop a security training roadmap to help their teams keep up with cybersecurity best practices to ensure that applications don't add unnecessary risk to the business.

Without detailed, prescriptive learning paths based on roles, organizations risk wasting their training dollars on generic knowledge. Many times companies simply require a number of hours for professional development in security, without offering any guidance or prescriptions of what the course matter should include. As a result, employees often choose the easiest path to racking up those hours without gaining many appreciable skills or knowledge along the way.

Because there are so many moving pieces to building out training that grooms security champions across so many IT functions, security and IT leaders need to actually lay out a detailed plan for how they're going to develop security skills relevant to every function of a DevOps team. They don't have to go it alone.

Ed Adams is President and CEO of Security Innovation
Share this

Industry News

January 23, 2020

StackRox announced that the latest version of the StackRox Kubernetes Security Platform includes support for Google Anthos, the open application platform that enables users to modernize, build and run applications across on-premise and multiple public cloud environments.

January 23, 2020

CloudVector launched API Shark, the free API discovery and observability tool.

January 23, 2020

Thundra announced $4 million in Series A funding led by global investment firm Battery Ventures.

January 22, 2020

CollabNet VersionOne and XebiaLabs have merged.

January 22, 2020

Keyfactor announced DevOps integrations with automation and containerization providers Ansible, Docker, HashiCorp, Jenkins and Kubernetes to offer security-first services and solutions designed to seamlessly integrate with existing enterprise tools and applications.

January 22, 2020

Sysdig raised $70 million in Series E funding.

January 21, 2020

Red Hat announced the general availability of Red Hat OpenShift Container Storage 4 to deliver an integrated, multicloud experience to Red Hat OpenShift Container Platform users.

January 21, 2020

Snyk has secured a $150 million investment, led by Stripes, a leading New York-based growth equity firm.

January 21, 2020

vChainannounced the close of a $7M Series A investment round.

January 16, 2020

VAST Data announced the general availability of its new Container Storage Interface (CSI).

January 16, 2020

Fugue has open sourced Regula, a tool that evaluates Terraform infrastructure-as-code for security misconfigurations and compliance violations prior to deployment.

January 16, 2020

WhiteHat Security will offer free application scanning services to federal, state and municipal agencies in North America.

January 15, 2020

Micro Focus announced the release of Micro Focus AD Bridge 2.0, offering IT administrators the ability to extend Active Directory (AD) controls from on-premises resources, including Windows and Linux devices to the cloud - a solution not previously offered in the marketplace.

January 15, 2020

SaltStack announced the availability of three new open-source innovation modules: Heist, Umbra, and Idem.

January 15, 2020

ShiftLeft announced a partnership and deep integration with CircleCI that enables organizations to insert security directly into developer pull requests from code repositories.