Establish a Security-First Engineering Culture

This standard mandates the establishment of a security-first engineering culture to ensure security is a shared responsibility across all teams.

1. Establish a Security-First Engineering Culture:

Security should be a shared responsibility across all teams. This approach ensures that security is integrated into all aspects of engineering.

• 1.1 Security Awareness Training:
  • 1.1.1 Team Training:
    • Provide regular security awareness training for developers, testers, and operations teams.
    • Automate the delivery of security awareness training.
  • 1.1.2 Training Management:
    • Automate the tracking of training participation.
    • Implement training tutorials.
• 1.2 Security Champions Model:
  • 1.2.1 Advocate Encouragement:
    • Encourage a "security champions" model to embed security advocates in each team.
    • Automate the tracking of security champion activities.
  • 1.2.2 Champion Management:
    • Automate the provision of security champion resources.
    • Implement champion feedback collection.
• 1.3 Security Prioritisation:
  • 1.3.1 Agility and Delivery Balance:
    • Foster a culture where security is prioritised without compromising agility and delivery speed.
    • Automate the tracking of security prioritisation.
  • 1.3.2 Prioritisation Management:
    • Automate the integration of security considerations into development processes.
    • Implement prioritisation tutorials.

By establishing a security-first culture, organisations can ensure security is a shared responsibility.