This article was written by Peter Gerdenitsch, Group CISO at Raiffeisen Bank International, and is based on a presentation given during Imvision's Executive Education Program, a series of events focused on how enterprises are taking charge of the API security lifecycle.

Launching the "Security in Agile" program

Headquartered in Vienna, Raiffeisen Bank International (RBI) operates across 14 countries in Central and Eastern Europe with around 45,000 employees. Our focus is on providing universal banking solutions to customers, as well as developing digital banking products for the retail and corporate markets. Accordingly, RBI has a substantial R&D division, making for a very large community of IT and engineering professionals all over Europe.

Back in 2019, we began shifting to a product-led agile setup for RBI, introducing various security roles contributing and collaborating to achieve our strategic goals. As part of this journey, we established the security champion role within the DevSecOps team for each of our products. Besides our central "Security Design and Architecture" function, security specialists began working together to support products in implementing secure solutions. More than anything, taking ownership over the security aspect of their product meant security champions were well-positioned to ensure that security-related stories get prioritized during backlog meetings, in alignment with the product owner's acceptable levels of risk. We also set up tribes consisting of several products associated with a specific business line to foster a shared sense of community. Each tribe was given another role: the "security chapter lead". This role was tasked with supporting the other security champions in their tribe with requirements, risk assessment, design patterns and architecture, thanks to their enhanced expertise.

Finally, we set up a community of practice, which includes monthly meetings where security champions from all of the different products could meet to exchange information, teach case studies, and generally share knowledge about their practice. These roles were transparent so that the knowledge carrier of security for each product and tribe was known across the entire organization. We further began supporting this community endeavor with Monday bulletins, updates from the week, and in general encouraged an open exchange of information, knowledge, and experience.

Security 'Martial Arts' training program

The idea was, and still is, to make the security champion a completely volunteer-driven role, which at first had us worried that we wouldn't be able to find enough willing volunteers. Fortunately, the opposite was true, and we were even able to recruit two people for each position to cover vacations and sick leave.