This article is based upon a publication about Empowerment and Security, written by Monica Iovan who works with security at Visma. You can read the full article here.
Ensuring a security culture with a bottom-up approach
In all of Visma’s software, security is of the utmost importance. Most often, companies start their security work by establishing policies and guidelines through management. However, Visma has chosen another approach to enhance and value teams’ self-management. Monica Iovan explains:
“Visma has realised that a compliance-driven approach would not be the optimal solution to the security program strategy (top-down approach to security) and chooses to pursue an approach where security becomes part of the teams’ routine (bottom-up approach to security). We believe that to establish true engagement, in each self-managed team, a security culture needs to be planted and nurtured.”
As a result of this, a security program is well established at Visma. Espen Agnalt Johansen created this program together with his Product Security Team:
“The ultimate goal is to ensure that our customer’s data is safe—always. The secondary goal is to embed security into the whole life cycle of the software: from the very first software idea, through to coding and implementation. And thereafter, always maintain, prioritise, and manage its wheel of life. To achieve such a high goal we needed to empower the people that do the heavy lifting. They are Visma’s development members and security engineers, our true Champions!”
—Security engineers are what drive the security program
Every company has its own set of security champions. At Visma we call them security engineers. These engineers are extremely important “because they better understand the challenges and cultures of their teams“ (quote from publication) and therefore, Visma needs them to drive the security program.
We rely on these engineers, since “empowered champions will change the behaviour of the entire team, creating the perfect climate for a security culture around them. Therefore, if your company hasn’t identified them yet, we recommend you to prioritise this,” says Monica Iovan.
Visma’s unique diversity, due to mergers and acquisitions and our federation of around 145 individual companies, has led researchers to take interest in Visma for their studies. This is the case of Daniela Cruzes, a senior research scientist at SINTEF, who during the last five years used Visma as field study in her publications regarding software engineering and security. Please find the whole report written by Monica Iovan together with Daniela Cruzes and Espen Agnalt Johansen here.
Want to learn more about this security program? You can find Monica at the international online conference XP2020 (the premier Agile software development conference combining research and practice) on June 10th, where she will be speaking about empowerment and security.
Would your company like to hear more about this? Or would you like one of our experts to come and speak about our successful security program? Don’t hesitate to contact me at email@example.com and I will organise this.
Let us fight cybercriminals together!