All employees at Visma have confidentiality clauses in their employment contracts, and go through a two-part basic e-learning course in privacy annually. The development teams (and other teams or employees) receive additional training and support tailored to their needs and requirements. For example, most teams have a dedicated Security Engineer, who receives additional training in security and privacy. The Security Engineer works closely with the Security Team:
We have a dedicated Security Team and Security Operations Centre, which focus on giving the development teams specialist guidance and providing them with assets and resources, such as threat intelligence, vulnerability scanning tools and best practices in areas such as encryption.
The Security Team also assembles and manages incident response teams if required (please see here for a description).
Our dedicated Data Protection Manager is also available to the teams. The Data Protection Manager, together with the Security Team, supports and guides the development teams through the laborious internal certification process for security and privacy, in both the design and operational phases.
We believe that enabling the teams to take this responsibility for “their” product or service yields a far better level of security and privacy than the more traditional approach of “write code and hand it off to Operations”. Likewise, having our Security Team and Data Protection Manager work hands-on with the teams on a day-to-day basis is a far better use of their competence than having them monitor systems and write reports and policies (we do that also).