Start your Security Champions program (part 1)
In this series of blog posts I am aiming to share my view on how to start your own security champions program. This is by no means a step by step guide, but rather an attempt to share my own experiences and lessons with the world.
What is a Security Champions Program?
The security champions program is an attempt to scale security efforts by bridging the gap between the security team and the rest of the company, through improved communication, enhanced cooperation and coordination.
In simpler terms, the security champions program brings together security professionals and security enthusiasts with the aim of improving security overall and spreading knowledge.
Why do you need a Security Champions Program?
Let’s start off by saying that you do not necessarily need a security champions program. Company culture, the way you practice security day to day, and similar factors might make a security champions program unnecessary or even unsuitable for your organization. However, you might want to consider it if you wish to achieve better coordination in your security efforts and you can relate to the following challenges:
Constantly changing and diverse technology stack
The mixture of different technologies and methodologies makes it impossible for a small team of people to know it all. Cloud computing, programming methodologies and languages, on-premise infrastructure, networking, email and DNS, just to name a few, all bring their own security challenges. Not only do companies need a common set of principles to apply across all these technologies, they also need skilled people to apply those principles and to evaluate the current security status.
Multiple vectors of attack
Each technology is targeted by a number of attacks that can be very specific to that technology. As an example, vulnerabilities introduced through open source components are very specific to software development security. Combining knowledge of attacker methodologies against the company’s specific tech stack with an understanding of the company’s risk profile is indispensable.
Communication challenges
It gets really hard to keep a constant flow of information about security priorities, ongoing efforts and expectations between the security team and the rest of the company. The challenge grows with the size of the company and the variety of technologies in use.
Shortage of security experts
There are simply not enough security people in the world, let alone in a single company, to do all the security work. This is a hard truth to swallow, but at the same time a reality to befriend and make the most of. People outside the security team, ideally everyone, need to be involved in security work.
“The security champions program tries to provide an answer to the challenges above. Do not expect the program to solve all your security needs, but you should aspire for it to be a facilitator of constant security improvement.”
Who are the Security Champions?
Security champions are employees of the company who are genuinely interested in improving and maturing the security of the company. Anyone, regardless of role, can be a security champion. For example, developers can participate by sharing their experience in product development and security needs there. Platform engineers have valuable knowledge in improving cloud security.
But how about a project manager, or someone from HR? Absolutely yes! Who could be a better security advocate than those who decide how budget will be spent, or someone working with sensitive topics like employee terminations?
What to expect from champions?
You start your security champions program for one obvious reason: to improve security. To achieve this, the people involved with the program need a strong desire to work on improving security. So a genuine interest in the field, as well as a curious and positive mentality, is a must.
On top of that every champion brings in unique expertise within their field of work. As discussed above, developers and platform engineers bring unique and valuable perspectives that can help to start initiatives aiming to improve security through broader cooperation within the company.
It is recommended to officially define the “security champion” role by setting a few high level guidelines and expectations. An example might be the following:
Security champions are employees of the company who, regardless of their role, participate in the program in order to:
- Evangelise and improve security
- Take initiatives that contribute to better security
- Help others – Share Knowledge – Make it possible
What do champions get in return?
The question is how you approach the right people within the company who can help you achieve the goal of better security. Incentives and motivation are the right answer here. No one should be forced to be part of the program.
Personal development opportunities are a great example of how to get people interested in joining the program. This can be achieved by providing access to learning platforms that help champions improve their technical skills, or even by having champions lead organization-wide projects where they improve their project management skills. It is strongly recommended that participation in the program is tied to the individual’s development plan, so that people see a direct connection between personal development and being a security champion.
Additionally, security champions influence decision making, gain a better understanding of organizational security and therefore gain increased visibility within the organization.
By now you know you want to try out a security champions program, you have defined the security champion role and you know how to approach the right people.
So far, so good. But what is next? More in part 2 of the series on security champions.