PRESENTATION: If Our Developers Are Our Front Line of Defense, Why Do We Put Them Last?

September 30, 2024

The Hacks & Hops InfoSec conference brings some of the most interesting speakers to Minneapolis. This year they were back, bigger than ever, and this time the event took over Allianz Field in St. Paul! Start Left® Security's CEO, Jeremy Vaughan, participated as a keynote speaker this year and you can see his presentation below:


Scaling Your Security Champions Program: If Our Developers Are Our Front Line of Defense, Why Do We Put Them Last?

Presented by Jeremy Vaughan, CEO & Co-Founder, Start Left Security

SIMPLIFIED TRANSCRIPT:


Introduction: The Start Left Philosophy


Thank you for having me, and a big shoutout to FR Secure for hosting this great event. Today, we’re diving into a topic near and dear to me: scaling security champions within your organization. I come from a software development background, and as the CEO of Start Left Security, I’ve seen first-hand how teams can move fast while maintaining strong security practices. But it requires more than just tools—it requires cultural and behavior change, organizational restructuring, and people empowerment.


At Start Left, our focus is on empowering product teams, and we chose our name intentionally—because you can’t get further left than people. We’re shifting the conversation from tools to organizational design, fostering collaboration and communication across teams to truly embed security into the fabric of the development lifecycle.


Why the Shift Left Approach Falls Short


Many organizations pride themselves on “shifting left,” but simply adopting CI/CD pipelines and implementing tools doesn’t mean you’re practicing DevOps or DevSecOps. While these approaches aim to catch vulnerabilities earlier in the development process, they often miss the most critical element: the people building [and maintaining] the software.


Security needs to be more than just an afterthought or a reactionary measure—it must be integrated from the very start, empowering developers to be proactive in identifying and addressing security risks.

My Personal Why: The Failure of Software Quality


My passion for this subject comes from a personal experience that highlights the consequences of software decay. My daughter was diagnosed with Type 1 diabetes at 16 months old. For the first five years, we didn’t sleep through the night because we were constantly worried about her blood sugar levels.

We finally got a continuous glucose monitor (CGM), and we put our trust in this medical device. But when she was eight, the device failed to notify us of dangerously low blood sugar levels. The software hadn't been updated in two years. It wasn’t a security flaw, but it was a failure in software quality—and it nearly cost my daughter her life.


This experience was a wake-up call for me. Software quality is a security issue, and too many organizations hide behind compliance while neglecting the upkeep of their systems.


A Broken Industry: Focusing on the Wrong Things


When we look at how the industry handles cybersecurity today, it’s clear we don’t have a cybersecurity problem; we have a software quality problem. We’re still focused too much on reactive security, like Cloud Security Posture Management (CSPM), instead of embedding security into the design and development stages. 


If we’re still waiting for issues to appear at runtime or when the product is live, we’re already too late. Alert fatigue and over-reliance on tools are rampant. We’ve created a system that isn’t resilient or effective, and it’s time to change that.


Building a Security-First Culture Through DevSecOps


High-quality software includes security, and that’s where DevOps and cultural change come into play. DevOps, at its core, is about creating high-performing teams that are focused on building resilient, high-quality software—and that includes addressing vulnerabilities as part of the process. 


If you’re a CISO or a C-suite leader, your job isn’t just to buy tools; it’s to build a program. This requires you to shift the culture of your organization, creating an environment where developers are empowered to take ownership of security.


Why Developers Are the Key to Scaling Security


Developers are your front line of defense. They’re the ones building the products that millions of people rely on every day. By empowering them to make security a part of their craft, we’re not only improving the quality of the software but also reducing risks before they reach production.


To truly scale a security champions program, you need to focus on organizational change:

1. Cultural Change: Security shouldn’t be a bottleneck; it should be a competitive advantage.

2. Behavioral Change: We need to incentivize developers to get better at security, and that involves continuous learning and gamification.

3. Organizational Design: Create small, high-performing teams with security embedded into their day-to-day operations.


Why Tool Consolidation Isn’t Enough


A lot of CISOs we talk to believe that consolidating tools will solve their security issues, but they’re wrong. Throwing more tools at the problem without addressing the underlying organizational and cultural issues doesn’t work. Developers already use 10, 20, or even 30 tools, many of them open-source. It’s not about adding more tools—it’s about building high-quality software and creating a resilient, immutable infrastructure.


We need to stop thinking that runtime protection, or the tools we deploy at the end of the development cycle, will save us. By then, it’s too late.


Creating a Continuous Feedback Loop with Gamification


At Start Left, we’ve adopted a data-driven performance management approach, similar to Moneyball in sports. We use data to continuously improve team performance, highlight security champions within teams, and provide situational micro-training to help developers fix vulnerabilities in real time.


By giving developers the tools and incentivizing them with rewards—whether it’s through gamification or other forms of recognition—we’re creating a continuous loop of improvement. This approach monetarily rewards teams for their progress and ensures that security becomes second nature.


The Future: Product-Centric Security


The future of security lies in creating product-centric DevSecOps teams. We need Chief Product Security Officers (CPSOs) embedded within product teams, incentivizing high-quality, secure development. Microsoft has already adopted this approach, and other companies will follow suit.


By giving developers the tools, resources, and incentives they need to take ownership of security, we’re not only protecting our products but also building a stronger, more resilient organization.


Conclusion: Empowering Developers to Lead the Charge


Security is no longer the responsibility of just the security team; it’s everyone’s job. Developers are the front line, and we need to empower them to do it right. By changing the culture, organizational design, and the way we approach security, we can scale security champions throughout the entire organization.


It’s time to stop thinking of developers as the last line of defense and start realizing that they are our first.


Thank you.

(Audience Applauding)
