I hear the term security champions being thrown around quite often and how important it is for some to start building the program. I’ve seen different companies approach the topic very differently, with some succeeding and some outright failures. Some have started with initiatives to train their entire development organization to understand security a little better before heading down this path. Some have asked for volunteers and incentivized them to be part of the team and help build the process. Others may go ahead and just select individuals themselves and “volunteer” them to be the bridge for the teams.
My question for you all is, what has your experience been like? Is there a method that works better than others? What are some great ways to start this discussion with various teams, and how do we get them more engaged? Where should a company start when thinking of building a Security Champions program? Are there any specifics that need to be considered before starting these conversations?
Based on the Security Champions Programs I witnessed or heard testimonials about, you should at the very least think about the following (by no means meant as a comprehensive guide):
1) you should have a SecChamp in every team
To sum it up, imho the most important element is that you should aim to create a living, working and healthy community of engaged individuals rather than just a role or task list. Nobody wants just another task list...
I hope this helps somewhat.
@Chris Romeo might have a good perspective also, the Cisco Security Advocate Program was great :-)
Great stuff about Security Champions on the thread! My experience is tied to taking the Cisco Security Advocate program from a rag-tag group of twenty security enthusiasts to a team of five hundred over a few short years. There is a series of steps that works better than others, in my experience. I created and will soon publish the “Security Champion Framework” based on my Cisco experiences and consulting with a few other organizations. I did a talk at ISC2 Security Congress and LASCon on the topic, so you may get a sneak peek of the framework with either of those talks.
Lots and lots of great Security Champion program info here: https://securitychampionsuccessguide.org
I recommend that you keep the following general considerations in mind, in addition to the above security champion specific answers that @fixbits, @Chris Romeo and @izar have provided:
The above considerations could vary in meaning / implementation, depending on various factors regarding the type, size and culture of a team/organization.
I hope this helps!
IMO, a Security Champion Program is part of a company’s broad security culture program, focusing on engaging and developing security communities, and it is not an easy program.
Before you start this program, make sure you have your executives’ support and commitment. Without it, your program will wither away quickly. You will also need other security programs in place to be successful, such as a Secure Development Lifecycle and Security Training (at least with the content available); this way you can focus on engaging and developing through information and best practice sharing.
I like Izar’s (@izar) “Force Multiplier” concept. Those “force multipliers”, if they exist, can quickly help organizations develop/adopt best practices, but also identify potential security talents for the security champion program.
The last point I would like to share is that your security champion program has to be aligned with your company’s culture. If your company is command-and-control, as in regulated industries, you will engage the management team more than developers. If your company is technology driven, you will need to do more selling to the developers. A company’s macro culture matters.