Published on
This is part 2 in a 3-part series about Security Champions by Michael Burch, host of The Security Champion Podcast. You can read part 1 on our website.
In Part 1 of this Security Champions series, I shared the parallels that I see between the Green Berets and Security Champions.
Now that we've covered what a security champion is and how to select the right people to be your security champions – let's talk about creating effective security champions.
Creating A Security Champion
After a soldier volunteers and is selected for special forces, then passes Special Forces Assessment and Selection (SFAS), they do not automatically become Green Berets. Instead, they must attend the Special Forces Qualification Course (SFQC), where they spend the next year or more training before being awarded the green beret.
During SFQC, the soldiers train on the specialty assigned (medic, engineering, weapons, or communications) to them in SFAS. Not only do they become experts in their given specialty, but they also learn military tactics and soft skills. Soft skills in communication and teaching are one of the most potent tools a Green Beret has at their disposal.
When we select Security champions, we don't just choose people to attend the security team standups and conduct a monthly lunch-and-learn. Those things can support a security champion, but they need much more. They need the tools and training to be effective.
One of the best ways to find and train security champions is through a security training program that is broken down into levels – foundational, intermediate, advanced, and champion.
Using Levels to Build Security Champions
At Security Journey, we use a five-level training program for all our employees; we call these levels 'Belts' and assign them colors: white, yellow, green, brown, and black. We chose this Belt theme to follow other belt systems – think Six Sigma.
White Belt: Everyone in the organization must complete the white belt on our AppSec Education Platform. This first level covers foundational security knowledge and introductory topics.
Yellow Belt: The training topics become more technical for the Green Belt. This content is for anyone involved in the software development process, including UX, Q/A, developers, the security team, and even product managers.
Green Belt: At the Yellow Belt level of our training program, individuals work on learning security practices for their specialty. Suppose you write software in a specific language or use a particular technology like AWS, Docker, or IaC. In that case, you must take training on that topic. Becoming a security expert in your language or field is the same approach as training a Green Beret in their assigned specialty.
Brown and Black Belts: At Brown and Black Belt levels, we start training that is focused on security champions. The individuals that spent the time to get to brown belt are perfect candidates for filling the security champions program. They have already become security experts in their field and are ready for advanced topics. The key to these top belt levels links back to soft skills and communication that we discussed earlier – because security champions are your link to share information with the rest of your organization.
This level system allows for progressive learning, allowing your security champion to build from what they've learned and develop their education throughout the levels.
Customizing Your Training Levels
While the Belt System worked for us at Security Journey, we have the capability on our platform to customize your levels. This is beneficial for organizations to stay on brand and engage learners.
We sourced some ideas from our Security Journey team on alternative-level themes:
- Scout Classes: Tenderfoot, 2nd Class, 1st Class, Star, and Eagle
- Star Wars Theme: Youngling, Padawan, Knight, and Master
- Adventure Theme: Tourer, Discoverer, Adventurer, Explorer, and Voyager
- Whitewater Rafting Classes: Class I, Class II, Class III, Class IV, and Class V
- Military Classes: Private, Specialist, Corporal, Sergeant, and Commander
The possibilities are endless. And your security champions have a clear guide to action from the beginning of their journey.
In part 3, we'll talk about your Security Champions in action.
Follow The Conversation
Mike Burch is the creator and host of The Security Champions Podcast. If you are interested in learning more about security champion programs and other hot security topics, please subscribe to my podcast, "The Security Champions Podcast," brought to you by Security Journey.
Read more from:
Security Culture