How a ‘Game of Codes’ is leading IAG Group to a more secure coding future
IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoIAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoIAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025
Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year.
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.