5 Ways to Train Security Champions in Cross-Functional DevOps Teams - Part 2
August 29, 2019

Ed Adams
Security Innovation

As organizations seek to better embed security into DevOps and Agile software development, they're going to need to find better ways of scaling security knowledge across cross-functional teams. Everyone needs to chip in, and the only way they can do that is if companies properly train members of cross-functional teams on what it means to deploy secure software.

Start with 5 Ways to Train Security Champions in Cross-Functional DevOps Teams - Part 1

3. Tackle Role-Based Security Training

Even with a sophisticated blended learning experience, generic security training should only be the foundation for developing security champions within DevOps teams. A security champion program depends on training that's tailored to specific roles.

Not only that, this training needs to be designed for the new reality of collaborative DevOps-based roles, rather than the limited and siloed IT functions of years past.

Organizations can take a team's security knowledge to the next level with tailored, prescriptive training based on specific roles. Once individuals have the basic education and the hands-on experience, it pays to take the information about how they performed in these trainings and tell the trainee where they should focus next based on their job duties. So developers would get one suggested learning path, QAs another, infrastructure specialists a different one, and so on. By doing that, it'll give every security champion a much deeper level of training applicable to his or her daily workflows.

The training needs to offer people the path to not necessarily turn into security staff, but to learn at an elite level how security applies to their specific role. If teams can pepper even just a percentage of these elite security champions across each common role, these highly trained individuals can help their peers level up their skills organically as they work together on a daily basis.

4. Leverage Modularized Training

Many of the security principles taught to different roles will overlap so there's no reason to reinvent the wheel with brand new curriculum for every unique role. One way to do this is to develop a modularized training approach.

Modularized training breaks down certain principles into individual components of a curriculum library. From there an organization can then mix and match these components for each person's appropriate path — based on their role and depth of knowledge they need. Not only does this make it more elegantly to shift to role-based security training, but it also adheres to the latest research in education that favors moving from traditional, long-form courses to shorter, more consumable modules.

5. Establish a Security Training Plan for DevOps Teams

Gartner analysts predict that DevSecOps practices will become embedded into 80% of rapid development teams by 2021. In this day and age where every company is a software company, IT leaders need to develop a security training roadmap to help their teams keep up with cybersecurity best practices to ensure that applications don't add unnecessary risk to the business.

Without detailed, prescriptive learning paths based on roles, organizations risk wasting their training dollars on generic knowledge. Many times companies simply require a number of hours for professional development in security, without offering any guidance or prescriptions of what the course matter should include. As a result, employees often choose the easiest path to racking up those hours without gaining many appreciable skills or knowledge along the way.

Because there are so many moving pieces to building out training that grooms security champions across so many IT functions, security and IT leaders need to actually lay out a detailed plan for how they're going to develop security skills relevant to every function of a DevOps team. They don't have to go it alone.

Ed Adams is President and CEO of Security Innovation
Share this

Industry News

February 25, 2021

Red Hat announced Red Hat OpenShift 4.7, the latest version of the company’s enterprise Kubernetes platform.

February 25, 2021

Granulate announced the release of its open-source platform, the G-Profiler, a production profiling solution that measures the performance of code in production applications to facilitate compute optimization.

February 25, 2021

Checkmarx announced the launch of KICS (Keeping Infrastructure as Code Secure), an open source static analysis solution that enables developers to write more secure infrastructure as code (IaC).

February 24, 2021

Applause launched its Product Excellence Platform (PEP).

February 24, 2021

Mabl announced the beta release of their new native desktop application that empowers users to easily automate testing for browsers, mobile browsers, and APIs.

February 24, 2021

D2iQ announced the general availability of D2iQ Kaptain, the cloud native end-to-end platform for running ML workloads on Kubernetes.

February 23, 2021

Edge Delta announced new capabilities for dynamically processing and routing logs, metrics, and traces -- allowing DevOps, Security, and SRE teams to analyze large volumes of streaming data without the cost, delay, or complexity of requiring data to be indexed, helping customers decouple where machine data is analyzed from where it is stored.

February 23, 2021

env0 announced a remote run SaaS solution for the automation of Terragrunt workloads across multiple Terraform modules.

February 23, 2021

Platform9 closed its Series-D funding with an additional $12.5 million for a total of $37.5 million.

February 22, 2021

IT Revolution opened its Call for Presentations for both DevOps Enterprise Summit 2021 events in Europe and US.

February 22, 2021

Solo.io announced the general availability of Gloo Mesh Enterprise, an enterprise-grade, Kubernetes-native solution for service mesh management.

February 22, 2021

Copado closed $96 million in Series B funding, bringing the total funds invested in the company to $117 million.

February 18, 2021

ShiftLeft released ShiftLeft Illuminate, a new solution that leverages ShiftLeft technology to identify insider attacks, offer remediation advice and reduce overall risk to organizations’ software code base.

February 18, 2021

CircleCI introduced new platform updates to increase the control, protection, privacy, and confidence of today’s engineering teams.

February 18, 2021

OutSystems announced a $150 million capital raise.