Who Is a Security Champion?
As your organization seeks to protect itself against security threats, the importance of a strong security culture cannot be overstated. Included in your culture should be the notion of cross functional collaboration; however, this is easier said than done because, over time, silos emerge within organizations. And any silos between your security and development teams profoundly impact your ability to deliver secure products, as security-enabled developers are the best defense against application security breaches.
So how do you create security-enabled developers? A security champion is a person from a development background who is willing to champion the cause of security. The idea is to select developers who are willing to act as subject matter experts for your security needs, thereby helping drive a security culture. They act as a bridge between the security and development silo. Developing these security champions involves managing and structuring a program that consists of activities to enlist and help security-minded developers to act as the voice for their respective teams. A security champions program consists of key elements:
- Program management
- A community or network
- Knowledge and communication channels
This program encourages secure development practices among your developers, increases security awareness, builds knowledge, and helps scale security training initiatives throughout your organization.
Operationalizing a Security Champion Program
There are three steps you should take to create a security champion program.
- Achieve alignment
Align internally with security stakeholders on decisions of the program and how champion(s) will be selected, motivated and recognized for their efforts.
- Set clear objectives
Identify specific objectives of the program and how the success of the program will be measured.
- Enable your security champions
Decide which new responsibilities your security champions will assume, the teams they will serve, and the time and effort dedicated toward these responsibilities.
Recruit Your Security Champion(s)
The key factors to success are motivation and ability. Select champion(s) that have the following attributes:
- Self motivated
- Willing to help make decisions
- Passionate about security
- Quick learner
- Act as the voice of security for a certain product or team
- Assist in identifying areas for process improvement
- Influence others to embrace security
- Increasingly grow as the security subject matter expert
- Continually develop technical development experience
- Intentionally act as a bridge between development and security teams
When recruiting, you should identify and nominate your top prospects and host a mini interview session to ensure the candidate aligns with expectations and meets qualifications outlined. Be inclusive across departments and experience levels. Even though more senior professionals tend to be selected, encourage people in junior roles to also strive to be a champion.
Support Your Security Champion(s)
Now that you’ve identified your security champions, ensure they are set up for success. There are some concrete steps you can take in this regard.
Clearly map out their responsibilities such as:
- Identifying user stories
- Documenting threat models
- Conducting security code reviews
- Overseeing the vulnerability remediation processes
Your security champions will need a support structure among themselves to share their experiences and create a feedback loop for continual improvement. Here are some things you can do to build up this community of practice:
- Create a dedicated communication channel/forum, such as slack or email distribution list for your security champions
- Expose your champions to available training options and resources
- Assign an application security mentor to each security champion
You should also ensure that your security champions have the right tools to do their job. This may include:
- Access to the development team’s issue tracker (ex. JIRA) for raising awareness of potential security issues
- Threat modeling tools to aid architects in identifying potential security threats
Security is continually evolving. Your security champions should receive ongoing training. Here are some tips:
- Be clear in the security training they will need to complete
- Ensure your security champions are knowledgeable about more than just general or basic security. For example, they should also understand more advanced concepts like threat modeling, OWASP Top 10, and the ongoing evolution of development languages used internally.
Launch Your Security Champion Program
Launch your program by promoting the importance of security. Have your security champions assume some responsibility for evangelizing the need for security. Keep the following in mind as you launch your program:
- Have clear communications around specific goals and responsibilities that help enhance security initiatives.
- Announce your security champions to the rest of the organization. Explain how they are here to support, how they can be reached and what employees can expect.
- Have your security champions host informal learning sessions and provide regular access to tools and support to the remaining organization to foster a security culture.
Measure the Success of Your Program
To get the most from your security champion program, continue to evaluate and revisit how well your program is operating. Be willing to adapt as needed. Set up a pipeline to recruit new security champions at a specific cadence (for example, annually). Review progress made, what has been documented, what training has occurred, and whether more employees have been trained. Here are some program metrics to consider:
- Number of champions in the company per development team
- Trendline of issues or vulnerabilities found
- Potential risks which have been mitigated
Continue to share the success stories of the champions program with the full company to increase participation and excitement around the work your champions are doing. You can also consult with a Security Compass representative for more insights, and to help drive the program. We have helped many organizations start a sustainable Security Champions program. To dive deeper, explore the opposite side of a Security Champions program: Security Island.