Your company established multiple teams to develop software products. Which of the following is the best role in promoting security awareness and culture across software development teams? (Wentz QOTD)
A. Senior management
B. Data steward
C. Security champion
D. Security administrator

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Security champion.

There are different contexts or levels of culture, e.g., security culture, organizational culture, or national culture. Senior management is a good candidate for promoting security awareness and culture at the organization level; however, the security champion is a more suitable role in software development.

Security Champion and OWASP SAMM

Security champions are software security subject-matter experts who play a crucial role at the maturity level 1 of Organization and Culture in the OWASP Software Assurance Maturity Model (SAMM). Nominating a member, e.g., a software developer, tester, or a product manager, as the security champion helps embed security in the development organization.

• Security Champions receive appropriate training.
• Application Security and Development teams receive periodic briefings from Security Champions on the overall status of security initiatives and fixes.
• The Security Champion reviews the results of external testing before adding to the application backlog.

Senior Management

Senior management is a high-priority target of attacks. Creating a security awareness program for senior management is crucial. They have to lead by example by understanding and following security policies and should never be found bad-mouthing or contradicting policies.

Security Culture

• Culture is essentially a “set of common understandings, expressed in language”, or “shared patterns of meaning”, or “shared values and beliefs that interact with an organisation’s structures and control systems to produce behavioural norms”. Culture is of interest in a security context if it can be proven to affect security outcomes. (IEEE)
• Information security culture guides how things are done in organization in regard to information security, with the aim of protecting the information assets and influencing employees’ security behavior. (IEEE)

Reference

• SAMM AGILE GUIDANCE
• OWASP Cornucopia
• Gamification for IT Security Training and Awareness Programs
• 6 ways to develop a security culture from top to bottom
• ICAO AVSEC2018
• Security culture
• EMBEDDING INFORMATION SECURITY CULTURE EMERGING CONCERNS AND CHALLENGES
• How to build a culture of security

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

貴公司建立了多個團隊來開發軟件產品。 以下哪項是在整個軟件開發團隊中增強安全意識和文化的最佳角色？ (Wentz QOTD)
A. 高階管理人員 (Senior Management)
B. 數據管理員 (Data steward)
C. 安全冠軍 (Security champion)
D. 安全管理員 (Security administrator)