Have you ever noticed that when people find the perfect recipe for baking chocolate chip cookies, they tend to stick with it? The same goes for creating a security champion program for your organization. Although there are multiple ways to build such a program, we've discovered an excellent recipe that we're excited to share with you.
In this episode of The Security Champions Podcast, Mike talks to Tanya Janca, also known as SheHacksPurple, about her recipe for building and maintaining an effective security champions program.
The first ingredient in an effective security champions program is to recruit the right people. It's essential to attract individuals who are genuinely interested in the role, rather than those who were simply 'voluntold' to participate. Remember, an enthusiastic person is often a better fit than a more senior individual who was merely told to do it.
There are many ways to get the word out and recruit security champions:
Individuals with a development background make effective security champions because they have a deep understanding of the software development process and the security vulnerabilities that can arise in it. They also have the skills and knowledge to identify and fix these vulnerabilities and to communicate security risks to other developers and stakeholders.
But security champions don't have to be developers to be effective. Anyone passionate about security and willing to learn can be a valuable security champion. Champions in non-developer roles can bring a fresh perspective to the program and help build bridges across the organization.
After recruiting the right people to your security champions program, your next goal is to get them interested and excited. Engaged security champions who are enthusiastic about their program will spread the word throughout your organization and work more collaboratively with other teams.
Here are some ways you can engage your security champions regularly:
One of the best ways to engage your security champions is simple: talk to each champion regularly.
Consider asking these three key questions:
The next piece of the recipe is teaching your security champions. Before you start training them, you need to establish a list of program goals. These goals should be based on the specific threats to your business.
Tanya suggests, "Create a list of goals for your program and then tailor your champions' responsibilities to meet those goals." Once you have your program goals and champions' responsibilities, you can design effective training to help your champions succeed in their roles.
It's essential to make yourself available to your security champions and assist them with tasks like reviewing scan results. This helps share critical information and ensures that your champions grow to the point where they no longer need assistance.
To provide practical training, focus only on the information your champions need to know. By removing irrelevant content, you save your organization time and money while keeping your champions engaged with the material that actually serves their goals.
Some topics to teach your security champions can include:
The key to retaining your security champions and growing your program long-term is to have an effective system to recognize and reward the hard work of your champions.
Tanya talks about what you can do for your champions as it relates to the five love languages; while many of the love languages would be inappropriate in a work setting, there are two we can focus on:
Let’s dive into each of these:
Some ways you can show recognition for your champions can include:
Some gifts you can give your champions can include:
One of the best ways to reward your champion is by giving them your undivided attention. Remember to step away from your computer or phone, make eye contact, and make them feel valued. This may seem like a simple gesture, but it can have a significant impact.
To learn more about security champion programs and other AppSec topics, please subscribe to "The Security Champions Podcast" by Security Journey.