Abstract
Security practices are increasingly recognized as contributing to overall software security in fast-paced software development paradigms. Security champions have emerged as a promising role for addressing the shortage of explicit security activities within software teams. Despite growing awareness of general security practices, knowledge about security champions, including how they are established, how effective they are, what challenges they face, and what practices work best, remains limited. This paper aims to bridge this gap by presenting insights from a survey of 73 security champions and 11 interviews conducted within a large Norwegian software house. Through this study, we explore the diverse activities undertaken by security champions, highlighting notable differences in motivations and task descriptions between voluntary and assigned champions. We also report challenges with onboarding, communicating with, and training security champions, and how they can be better supported in the organization. Our insights can be relevant for similar software houses in establishing, implementing, and improving their strategic security programs.
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Nguyen-Duc, A., Cruzes, D.S., Aalvik, H., Iovan, M. (2024). Facilitating Security Champions in Software Projects - An Experience Report from Visma. In: Kadgien, R., Jedlitschka, A., Janes, A., Lenarduzzi, V., Li, X. (eds) Product-Focused Software Process Improvement. PROFES 2023. Lecture Notes in Computer Science, vol 14483. Springer, Cham. https://doi.org/10.1007/978-3-031-49266-2_4
DOI: https://doi.org/10.1007/978-3-031-49266-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-49265-5
Online ISBN: 978-3-031-49266-2
eBook Packages: Computer Science (R0)