Case Studies

How a ‘Game of Codes’ is leading IAG Group to a more secure coding future

Published Jan 01, 2021

IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.

ENTER: Game of Codes

The challenge

Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.

“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer

The implementation

Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:

“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said

Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.

The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.

The result

Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.

By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.

In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.

Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:

“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”

Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.

And the ultimate advice, from Bianca herself:

“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”

Key takeaways

  • Executives on board and seeing the benefits
  • Building a positive security culture and keeping it front-of-mind
  • Development team upskilled and engaged
  • Introduction of ambassador program
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester

FAST FACTS 

  • In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
  • They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.  
  • They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Download PDF
View Resource
Download PDF
View Resource

IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum.

Interested in more?

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Published Jan 01, 2021

Share on:

IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.

ENTER: Game of Codes

The challenge

Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.

“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer

The implementation

Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:

“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said

Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.

The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.

The result

Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.

By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.

In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.

Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:

“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”

Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.

And the ultimate advice, from Bianca herself:

“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”

Key takeaways

  • Executives on board and seeing the benefits
  • Building a positive security culture and keeping it front-of-mind
  • Development team upskilled and engaged
  • Introduction of ambassador program
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester

FAST FACTS 

  • In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
  • They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.  
  • They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Download PDF
View Resource
Download PDF
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.

ENTER: Game of Codes

The challenge

Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.

“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer

The implementation

Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:

“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said

Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.

The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.

The result

Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.

By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.

In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.

Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:

“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”

Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.

And the ultimate advice, from Bianca herself:

“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”

Key takeaways

  • Executives on board and seeing the benefits
  • Building a positive security culture and keeping it front-of-mind
  • Development team upskilled and engaged
  • Introduction of ambassador program
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester

FAST FACTS 

  • In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
  • They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.  
  • They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Access resource

Click on the link below and download the PDF of this resource.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Share on:
Interested in more?

Share on:
Author
Published Jan 01, 2021

Share on:

IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.

ENTER: Game of Codes

The challenge

Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.

“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer

The implementation

Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:

“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said

Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.

The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.

The result

Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.

By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.

In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.

Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:

“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”

Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.

And the ultimate advice, from Bianca herself:

“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”

Key takeaways

  • Executives on board and seeing the benefits
  • Building a positive security culture and keeping it front-of-mind
  • Development team upskilled and engaged
  • Introduction of ambassador program
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester

FAST FACTS 

  • In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
  • They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.  
  • They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.

Table of contents

Download PDF
View Resource
Interested in more?

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts