This is part 3 in a 3-part series about Security Champions by Michael Burch, host of The Security Champion Podcast. You can read part 1 and part 2 on our website.
In the past two parts of this series, we covered what security champions are, how to choose your security champions, and training your security champion. In part 3, we'll discuss what security champions are responsible for within your organization.
We've spent the time and effort to select the perfect candidate. We compensate them fairly for the extra effort it took to reach this point. The individual is a security expert in their specialties and is ready to share their passion with the rest of the organization.
Now, what are they supposed to be doing?
Security Champions In Action
This may come as a surprise, but security champions do not work on security-specific tasks.
The idea of the security champion is to be a developer who is in sync with the security initiatives and who works as a liaison and representative for the security team. Many guides describe the responsibilities of a security champion as sharing knowledge, performing security-focused peer reviews, promoting security best practices, and supporting security-focused design and decisions. Unfortunately, few initiatives have defined what a day in the life of a security champion actually looks like.
On the security team, there should be an individual or group of individuals responsible for supporting the champions program. They should have a weekly standup with the security champions to ensure that the security champions are up to date with all the security initiatives in the company and have the resources to do their job.
This meeting is also an excellent time for the security team to get feedback from the security champions. This is because security champions are not just representatives of the security team - they also represent the developers when interacting with the security team.
Security champions should be effecting change through action as part of their role. At Security Journey, we call these actions Security Activities. For example, when you reach a Brown Belt (level 4) in our security belt program, you unlock the ability to submit security activities for credit to the next level.
Security activities are essential because the security champions must do something that furthers the company's security goals. Security Activities can be as simple as giving a class to teach the development team about a newly discovered vulnerability or as complex as providing a talk at a conference on a security topic. The idea is that the action should improve the security of the organization or community.
Resources For Your Security Champions
The final part of an effective security champion is ensuring they have access to the tools, resources, and continuous training they need to be effective.
I firmly believe that the entire organization should have access to security education that is engaging, fun, and effective. However, you cannot have a long-term and effective security champion program without access to education for these individuals.
In Special Forces, every team member must refresh their individual skills and the team's capabilities. As a medic, I had to return to the medic training facility every two years and take a two-week refresher course. I was also required to do a month-long medical rotation at a hospital every four years. Without continued education to refresh and update the skills I had learned, I would quickly have fallen behind on current best practices. As a result, I would not have been an effective medic.
Like the medical field, security is constantly changing. If security champions are not up to date, they will become ineffective.
Are Security Champions Enough?
Security champions are a good start, but not the whole story. We need to start doing something differently to change the security culture in our organizations. We need to make radical changes to have an actual effect.
When OWASP updated its top ten threats to web applications, it was mostly the same vulnerabilities with new names and in a different order. Nothing fell off the list as something we do not need to worry about anymore. If what we were doing now was effective, then our threat landscape should have changed more than it did from 2017 to 2021. But it didn't.
Despite all our fancy security tools and pen tests, we see the same security issues. It's not because we do not have the solutions to the problems. We do. People are either not educated on them or not implementing them. Security champions are a great way to start changing our culture to security-focused development, but they are just the start. If we want to tackle the security issues of 2023 in a way that has a meaningful impact, we need to take it a step further.
It is our responsibility as security practitioners to stop living on security islands. Instead, we must embrace developers, the largest part of the security team. They are the ones who can have the most effect on security for our organizations. We must train security champions to be force multipliers for us. Then we must train and treat every developer as part of the security team. As such, we must invest time and money to educate them to be security experts in their field. A once-a-month slide show on a security topic is not enough. The training needs to be specific to the needs of that individual.
You are behind the curve if you do not have a security champion program. Start small and give it the time and care it needs, and it will transform your organization.
Follow The Conversation
Mike Burch is the creator and host of The Security Champions Podcast. If you are interested in learning more about security champion programs and other hot security topics, please subscribe to my podcast, "The Security Champions Podcast," brought to you by Security Journey.