Skip to content

Security Champions, Are We Doing It All Wrong? Part 1

SJ2023_Blog_SecurityChampion1

Published on

This is part 1 in a 3-part series about Security Champions by Michael Burch, host of The Security Champion Podcast.  

 

What Is a Security Champion? 

A Security Champion is a member of the development team that is a proponent of security-minded development practices. They are not part of the security team but receive a badge of honor for taking on additional responsibilities to support the security team.  

These individuals are often self-identified, thanks to an interest in security, or can be identified by the leadership team because they are star performers. Whatever the case, we hope to pick a few select individuals, provide them with training and resources, and then send them out to change the culture throughout the organization.  

This is not just specific to development teams. Security champions are being embedded across entire companies, in every department, in hopes these select individuals can pollinate the security mindset throughout the organization. 

The idea of training a handful of security gladiators to fight insecure code a line at a time makes a great story, but is it effective? Is culture changing, or have we just found another exciting topic to brief during our security standup? 

 

Force Multipliers For Your SDLC 

I love the concept behind a security champions program.  

Before I was in tech or security, I served as a Special Forces Medical Sergeant in the US Army, aka Green Beret. We would travel to hostile parts of the world and partner with the local police or military units to combat insurgencies and terrorism. One of the reasons Green Berets are so lethal is that they can travel to an austere location with minimal support and turn 12 highly trained operators into a fighting force that is hundreds to thousands of people strong. 

Special forces operators accomplish this because they are not only tactically proficient, but they are also incredible instructors. They use their soft skills to be force multipliers. 

So, I can't help but notice the parallels between green berets and security champion programs. 

Security champions are the special forces operators acting as a force multiplier by getting their peers to buy into a security-first development approach. They are the ones in the trenches working with the developers daily and effecting change in the security culture of our organizations.  

Where does that put the security team? How are they involved in the security champions program? 

 

Selecting The Right People 

Suppose the security champions are the green berets of security. Then the security team is the special forces selection and qualification course instructors.  

When the military selects soldiers to train to be Green Berets, they put them through Special Forces Assessment and Selection (SFAS) to decide who will become a green beret. The instructors at SFAS are all seasoned veterans that have spent a considerable amount of time on a team honing their skills. The military leverages the instructors' experience to ensure that only the best candidates advance in training. 

The security team is responsible for ensuring that the correct people are selected to serve as security champions. One of the most challenging problems is finding and choosing the right individuals. The military uses multiple approaches to find the best individuals for the job.  

First of all, special forces is an entirely voluntary unit. The military showcases the benefits of joining an elite team to incentivize people to try out.  

These benefits include:

  • Increased pay 
  • Extensive training 
  • Best equipment 
  • Increased autonomy 
  • Ability to work alongside some of the best in the world 

With those types of benefits, who wouldn't want to try out? 

Security champions should be recruited and incentivized in the same manner as Green Berets. It should be a group of volunteers that are rewarded appropriately for their expertise and additional responsibilities.  

An appropriate reward will vary from company to company. However, it should be substantial enough to draw in the top talent from the organization. A monetary bonus or increased opportunity for advancement are great ways to ensure you obtain and retain the best talent. One thing to note is that just because it's a volunteer position does not mean everyone gets to join.  

The security team's job is to ensure that the developers selected to be security champions have the right talent and motivation. There needs to be a formal evaluation process to ensure the company invests in the best people for the job. 

This individual should: 

  1. Express an interest in the program 
  2. Have a track record as a high performer 
  3. Conduct an interview with the security team 

Once an individual is selected, it's time to give them the training and tools to be effective in this role. We'll talk about that in part 2! 

 

Follow The Conversation 

Mike Burch is the creator and host of The Security Champions Podcast. If you are interested in learning more about security champion programs and other AppSec topics, please subscribe to "The Security Champions Podcast," brought to you by Security Journey.