How to start a Security Champions Program?

  • 3 November 2022
  • 5 replies
  • 233 views

Badge

Hi folks! 

 

I hear the term security champions being thrown around quite often and how important it is for some to start building the program. I’ve seen different companies approach the topic very differently with some succeeding and some outright failures. Some have started with initiatives to train their entire development organization to understand security a little better before heading down this path. Some have asked for volunteers and incentivize them to help be part of the team and help build the process. Others may go ahead and just select individuals themselves and “volunteer” them to be the bridge for the teams.

 

My question for you all is, what has your experience been like? Is there a method that works better than others? What are some great ways to start this discussion with various teams and how do we get them more engaged? Where should a company start when thinking of building a Security Champions program? Are the any specifics that need to be considered before starting these conversations? 

 

Thanks!


5 replies

Userlevel 3
Badge

Hi kchau

based on the Security Champtions Programs I witnessed or heard testemonials about you should at the very least think about the following (by no means meant as a comprehensive guide):

1) you should have a SecChamp in every team

  • this might seem trivial or like stating the obvious, but it is harder to pull off in practice as it sounds. Especially in large organizations it can happen, that information - such as the requirement of having a Security Chamption in the team - does not reach every team. Usually there is no channel what you can adress directly and be 100% sure, that it reaches every dev team to begin with. Imagine an @AllDevs or simliar Team Channel or mailing list etc. These are usually incomprihensive as most organizations do not have a comprihensive “Developer definition”. Is a Developer Platform Engineering or Infrastructure team considered as a Dev Team? In most cases I came across no or at least the answer was not a clear “yes” :-) Therefore such teams are most likely not involved in an @AllDevs channel even is such a thing would exist, even though a (Developer) Platform or Infrastructure or similar team would definitely need to think about security. Most probably aligned with the developer teams efforts, so they would need to have a Security Champion imho. You can try to reach all developer teams through some other central functions like heads-of list or product owners, but you will always come across special cases: as at some places there is no clear Developer definition / list this might as easily be the case with POs also.  
  •  you also need to think about outsourced developments:
    • Are externals fully onboarded in your org (ie differ  only in the mode of employement from permanent staff)? If yes, you will probably have an easier time reaching them
  1. Ideally you have volunteers for the Security Champion role, but in worst case one could also appoint them. In my experience what in the end really makes a difference, whether you can build an inclusive community of Security Champions and show them the value of their contribution:
    • Usually organizing / offering special trainings around interesting security topics helps to bring them on board. Think something more in-depth like cloud security, container security---threat modelling training :-) Trainings are usually scarce and thus much appriciated, also if they have a hands-on part even the simplest of web security training leaves the participants with a sense of accomplishment (and maybe an appriciation of the added value of their new role). Trainings are also great for team building.
    • Something like a dedicated (or rather Security Champion exclusive) and regular Community of Practice can also help the participants engaged through case studies, insider infos, etc. … even the most high level pentest findings summary can be interesting you have not participated in the test yourselve. Such initiatives also help winning over appointed Champions, who might not be so devoted first to their new roles.
    • A CoP can also go a long way in fostering interaction and a general feeling of being included. Most importantly for you it could be the platform, where you get feedback on how your program is doing, what should be improved, maybe with concrete suggestions.  
  2. This might again be stating the obvious, but management buy-in helps a lot:
    • Security Champion Programs are usually not grass-roots initiatives so this should be a given, but all of the above points need at least a minimal budget  plus regular management attention - like demopnstrating real interest and commitment in one way or the other - can be very motivating for the participants. 

To sum it up, imho the most important element is, that you should aim to create a living, working and healthy community of engaged individuals rather just a role or task list. Nobody wants just another task list... 

I hope this helps somewhat. @Chris Romeo might have a good perspective also, the Cisco Security Advocate Program was great :-)

Userlevel 4
Badge

Great stuff about Security Champions on the thread! My experience is tied to taking the Cisco Security Advocate program from a rag-tag group of twenty security enthusiasts to a team of five hundred over a few short years.  There is a series of steps that works better than others, in my experience. I created and will soon publish the “Security Champion Framework” based on my Cisco experiences and consulting with a few other organizations. I did a talk at ISC2 Security Congress and LASCon on the topic, so you may get a sneak peek of the framework with either of those talks.

Userlevel 4
Badge

Lots and lots of great Security Champion program info here: https://securitychampionsuccessguide.org

Badge

Great question, @kchau

 

I recommend that you keep the following general considerations in mind, In addition to the above security champion specific answers that @fixbits, @Chris Romeo and @izar have provided:

  • A major goal of a manager / mentor is to guide mentees to eventually become mentors / teachers, spreading awareness and implementation of best practices throughout the organization. 
  • It may be useful to frequently check in with champions to provide feedback on the champions program, and get a sense of what they’d like to see / do as part of the program, moving forward. 
  • Embrace the security champions program as a vital part of continuous learning and improvement within your team / organization, overall. 

The above considerations could vary in meaning / implementation, depending on various factors regarding the type, size and culture of a team/organization. 

 

I hope this helps!

IMO, Security Champion Program is part of a company’s broad security culture program by focusing on engaging and developing security communities, and it is not an easy program.

Before you start this program, make sure you have your executives’ support and commitment. Without it, your program will wither away quickly. You will also need other security programs in place to be successful, such as Secure Development Lifecycle, Security Training (at least with the content available), this way you can focus on engaging and developing through information and best practice sharing. 

I like Izar’s (@izar“Force Multiplier” concept. Those “force multipliers”, if exist, can quickly help organizations develop/adopt best practices, but also identify potential security talents into the security champion program. 

The last point I would like to share is that your security champion program has to be aligned with your company’s culture. If your company is command-control as in regulated industries, you will engage management team more than developers. If your company is technology driven, you will need to do more selling to the developers. A company’s macro culture matters.

Reply


V2