Sportsbet Engages ‘Security Champions’ to Drive Shift-Left Approach
Quick Overview
- Sportsbet introduces a ‘security champions’ initiative featuring 42 senior employees.
- The concept is influenced by AWS’ security guardians program.
- Security champions function as advocates, encouraging early threat modelling.
- The initiative seeks to integrate security into all delivery teams.
- An initial pilot with 10 engineers yielded positive outcomes.
- The program intends to minimize last-minute security evaluations.
Overview of Sportsbet’s Security Approach
Sportsbet has taken a notable step towards improving its cybersecurity stance by enlisting 42 senior personnel as ‘security champions’. This initiative aims to incorporate security considerations at the project’s onset, a method known as ‘shift-left’.
Insights from AWS
The initiative is inspired by AWS’ security guardians program, which highlights the importance of frequent and early security evaluations. These guardians work collaboratively with central security teams to enhance security standards while enabling quicker product launches.
The Function of Security Champions
Mirroring AWS’ methodology, Sportsbet’s security champions are responsible for executing threat modelling and posing essential security inquiries during the development phase. This forward-thinking method seeks to avert last-minute security approvals and ensure effective security protocols are established prior to product launches.
Formalizing Security Initiatives
Before the program’s inception, Sportsbet relied on informal security practices across its 25 delivery teams. The organization identified an opportunity to formalize these practices and extend them to every team. The objective is to promote consistent threat modelling and a secure mindset throughout the project design stages.
Pilot Program Observations
The pilot program, launched in the third quarter of the previous year, engaged 10 engineers acknowledged as ‘security friends’. These individuals naturally identified security issues and assisted their teams with secure methodologies. The pilot aimed to officially support and widen these natural behaviors.
Outcomes of the Pilot
Security solutions consultant Paul Johnson highlighted the favorable results of the pilot. Champions dedicated two hours each week to the program, taking part in onboarding and communicating with fellow champions through a dedicated Slack channel. The initiative aligns with the STRIDE threat modelling framework and has produced innovations such as custom plug-ins for threat modelling.
Evaluating Success
While quantitative indicators, such as time saved in security evaluations, are readily apparent, qualitative factors, including greater team involvement and a greater willingness to raise security concerns, are also vital signs of the program’s success.
Confronting Challenges
Obstacles emerged, such as the necessity to clearly outline the champions’ roles to prevent them from being perceived as mere extensions of the security team. Johnson stressed the significance of effective communication regarding the responsibilities of champions.
Conclusion
Sportsbet’s security champions initiative aims to integrate security considerations early in the development process, reducing last-minute security challenges and promoting a secure mindset. Influenced by AWS, the program has already shown positive outcomes, both quantitatively and qualitatively, and is set to become a critical element of Sportsbet’s cybersecurity strategy.