Every employee at Wealthsimple is responsible for keeping our millions of clients’ financial transactions safe, but our security team holds the front line. Security programming can be stressful; you spend a lot of time looking for trouble and hearing bad news from people you’ve never met. One of the bedrock principles of security is to make it usable; if you create a function that’s difficult or cumbersome, people will route around it when possible. And that’s when bad things can happen.
To nurture our company-wide security culture, we had the idea to create a security champions program. Maybe, we thought, some enthusiastic software engineers would enjoy the challenge of becoming the security expert for their team. If the program worked, we could scale our efforts. Hey, it might even be fun.
It turns out, being a security champion is more popular than we imagined, for reasons we didn’t imagine.
Who Are the Champions?
At Wealthsimple, we consider the role of security champion a calling, sort of like being a Jedi Knight. We don’t select people to be security champions. They can’t even volunteer. To become a security champion (or a Jedi), a person needs to be nominated. They have to convince their team leads or colleagues that they want to learn more, and bring their expertise back to their team to help grow our security culture.
One of our goals at the outset was to have a minimum of one security champion per team. To encourage engagement, we decided to empower security champions to make some unilateral security decisions within their team. We hoped that each champion would recruit others, come back, and continue to level up their own skills.
We, not Me
Early into this process, we figured we’d position the security champions program as a credential, something that would look good on a résumé and possibly help with a promotion.
But in our subsequent interviews, no security champions mentioned career progression as motivation. Instead, we got responses like this:
“I want to do the right thing for my team.”
“I want to make sure my code is secure.”
“I care about the quality of my product.”
The motivation was intrinsic. Employees wanted to do the best thing for their team and for our clients, and had been looking for the tools and training to accomplish that.
Managers were also motivated to support the security champions program, because having a champion on their team meant they had an expert who could respond to smaller security decisions without waiting for a manager’s approval. We move fast and ship often, so this was an obvious win-win.
We supported our security champions through Slack, pair programming, and open bi-weekly meetings. In exchange, we asked engineering managers and directors for a clear commitment: any member of the security champions program would dedicate 10% of their work hours to it. That meant people interested in the program wouldn’t feel conflicted about balancing their responsibilities.
Looking for Trouble
An early metric of success, we decided, would be an initial increase in reported incidents. Why? It means that people are more aware, actively searching, and therefore rooting out more potential problems. No one wins when a security issue devolves into finger-pointing. Instead, each internal report is celebrated, because we are identifying vulnerabilities early and tracking areas that may need more attention.
Another measure of success, as mentioned earlier, is the number of teams that have at least one security champion. We also look at the responses after our sessions, and the feedback we receive when offboarding people from the security program.
Gamifying Our Security Champions Program
We built our security champions program with an application-security training provider called Security Journey. This program has a leaderboard, modules, and maps that the champions can move their avatars through as they complete lessons. Our security team provides content that requires no more than 20 minutes of time commitment so people can learn between meetings. What could otherwise be a slog becomes something to look forward to.
Our typical cohort is meant to last around six months, but this can vary. On top of the learning that they’re doing in the gamified journey, we also host check-in meetings.
More Fun and Games: Capture the Flag
In cybersecurity, “capture the flag” exercises are competitions in which participants look for exploits or flaws. We’ve found that these competitions are another great way to get engineers interested in security.
Our first “capture the flag” event was a big hit with both our security champions and engineers joining just for the day. We used an open-source vulnerable web application where our six teams could score points on a tracking application based on how complicated or difficult each exploit was. For example, if an engineer found something that should take someone about five minutes to fix, they’d earn 100 points. If they found something that involved digging a little deeper, they might earn 750 points.
We also had members of the security team rotating throughout the day to support participants’ efforts and answer questions. Not only did the group learn a ton, but they also had so much fun that every participant asked us to run another session. We’re planning our second “capture the flag” day in the next few weeks.
Once More, with Feeling
One of the most powerful tools we have at our disposal is incident walkthroughs. Whenever we discovered a security problem that was interesting or valuable as a teaching tool, we walked attendees through what happened, how an issue was missed, and what the consequence was. We also talked about how we found it, and how we mitigated it. Then we discussed what the long-term fixes were, and any lessons we learned along the way.
These simple recaps have turned out to be some of our most effective events. Team members gain a deeper understanding when we’re addressing real-world problems.
If you want to get people more involved with security culture, consider making security a fun, exciting, and wide-reaching topic for everyone on the team. We’re excited to share more about our security champions’ journey, how it develops, and what we’re learning along the way.
If you’re a security champion (aka Jedi Knight) at heart, check out the open roles on our Trust team today.
Written by Herbert Lui, in collaboration with Wealthsimplers Connor McKinnon (Team Lead, Application Security) and Amy Dayasundara (Security Engineer Co-op). Edited by Mark Adams.
“Maker Stories” is an inside look at how we get things done.
Copyright © 2021 Wealthsimple Technologies Inc.