Who are we trying to reach? It’s important to determine our target audience so we can tailor the experience to them and maximize engagement.
Departments and Positions
What specific departments will be part of the program? What specific positions will be allowed to participate? This must align with your Goals as determined in the Vision stage. Is this program built just for the engineering organization to cover Application Security specific goals? Or, will it cover Security Awareness, Legal, Privacy objectives too?
I highly recommend opening the program up to your entire organization as opposed to just engineering or technical teams. If you go this route, you will need to define different groups of Champions so you can have curated content for each group. See the Participant Groups section for more on this.
Example Departments and Positions List
- Engineering
- Software Engineer I, II
- Senior Staff Software Engineer
- Engineering Manager
- Legal
- Revenue
- Customer Support
- Analytics
- Finance
Identify Allies
Culture change is challenging and takes a long time, so set your expectations accordingly. Not everyone will be on board with what you are trying to accomplish. As with all change, some individuals and teams will be quickly onboard, while others will resist that change. So, rather than attempting to get everyone to participate immediately, I recommend starting with your “allies” – those who are already interested and concerned about security. These are also called the “Innovators” in accordance with the Theory of Diffusion of Innovations, which seeks to explain how, why, and at what rate new ideas catch on. As the program’s momentum picks up, you’ll be able to reach more teams and groups over time, reaching a Tipping Point and onboarding the majority, until even the laggards are involved.
Example Allies List
- Specific Engineering Teams: Marvin, Zaphod, and Prefect
- Customer Support
Participant Groups
It’s a good idea to invite multiple departments and positions to get involved in your program from the beginning. Why? Well as word gets out about the program you will likely have non-technical and non-engineers asking to sign up, and will you really want to turn someone away who wants to learn more about security? As they join, if it’s only designed for the engineering organization with purely technical content, you’ll run the risk of losing people who don’t feel like the content is right for them. This is a missed opportunity to spread security awareness throughout your culture. Of course, all this depends on your own unique company culture and program Goals.
If you do have people participating from multiple departments, it is best to group your participants so you can create and tailor the experience by group. I find the largest difference in expectations is between software-focused Champions and non-software-focused Champions as the Application Security program can realize a major benefit in having champions with specifically defined responsibilities to support the various development teams.
Example Participant Groups
- Software-Focused Groups:
- Technical Software-Focused Group: Technical people who design and develop software
- Positions: Software Engineers, Application Architects, Enterprise Architects, Quality Engineers
- Business Software-Focused Group: Non-technical people which are involved in the software delivery pipeline
- Positions: Product Managers, Engineering Leaders, Product Managers, Scrum Masters, Program Managers
- Technical Software-Focused Group: Technical people who design and develop software
- Non-Software-Focused Groups:
- Technical Non-Software-Focused Group: Non-software-focused technical or security people.
- Positions: Sales Engineers, Solution Architects, Analytics, Non-Software Security Positions (GRC), Legal, Customer Support, Site Reliability Engineers
- Business Non-Software-Focused Group: Non-technical people who can help with general security awareness best practices.
- Positions: Marketing, Design, Sales, HR, Finance
- Technical Non-Software-Focused Group: Non-software-focused technical or security people.