Have you ever noticed that when people find the perfect recipe for baking chocolate chip cookies, they tend to stick with it? The same goes for creating a security champion program for your organization. Although there are multiple ways to build such a program, we've discovered an excellent recipe that we're excited to share with you.
Ingredient #1: Recruiting Security Champions
The first ingredient in an effective security champions program is recruiting the right people. It's essential to attract individuals who are genuinely interested in the role, rather than people who were simply 'voluntold' to participate. Remember, an enthusiastic volunteer is often a better fit than a more senior individual who was told to do it.
There are many ways to get the word out and recruit security champions:
- Host a lunch and learn session
- Allow managers to suggest employees who would be a good fit
- Update your email signature to draw attention to your security champion program
Do Security Champions Need to be Developers?
Individuals with a development background make effective security champions: they have a deep understanding of the software development process and of the vulnerabilities that can arise in it, the skills to identify and fix those vulnerabilities, and the credibility to communicate security risks to other developers and stakeholders.
But security champions don't have to be developers to be effective. Anyone passionate about security and willing to learn can be a valuable security champion. Champions from non-developer roles bring a fresh perspective to the program and help build bridges across the organization.
Ingredient #2: Engage Your Security Champions
After recruiting the right people to your security champions program, your next goal is to get them interested and excited. Engaged security champions who are enthusiastic about the program will spread the word throughout your organization and work more collaboratively with other teams.
Here are some ways you can engage your security champions regularly:
- Have your security champions help you investigate security incidents
- Let your champions help you choose the tools you are considering for the organization
- Create a mailing list to share information regularly
One of the best ways to engage your security champions is also the simplest: talk to each champion regularly.
Consider asking these three key questions:
- What are you working on right now?
- What’s next?
- Where do you need help?
Ingredient #3: Teach Your Security Champions
The next piece of the recipe is teaching your security champions. Before you start training them, you need to establish a list of program goals. These goals should be based on the specific threats to your business.
Tanya suggests, "Create a list of goals for your program and then tailor your champions' responsibilities to meet those goals." Once you have your program goals and champions' responsibilities, you can design effective training to help your champions succeed in their roles.
It's essential to make yourself available to your security champions and assist them with tasks like reviewing scan results. This transfers critical knowledge and ensures that your champions grow to the point where they no longer need assistance.
To provide practical training, focus only on the information that your champions need to know. By removing irrelevant content, you save your organization time and money while keeping your champions engaged with the material that actually serves their goals.
Some topics to teach your security champions can include:
- Recurring vulnerabilities or threats in their applications
- Vulnerabilities that are in the news
- Training on your organization’s specific tech stack
Ingredient #4: Recognition and Rewards for Security Champions
The key to retaining your security champions and growing your program long-term is to have an effective system to recognize and reward the hard work of your champions.
Tanya frames what you can do for your champions in terms of the five love languages; while most of the love languages would be inappropriate in a work setting, there are two we can focus on:
- Words of Affirmation (Recognition)
- Gifts (Rewards)
Let’s dive into each of these:
Words of Affirmation (Recognition)
Some ways you can show recognition for your champions can include:
- Certificates for display
- Exclusive virtual background
- Slack badges
- Notes in performance reviews
Gifts (Rewards)
Some gifts you can give your champions can include:
- Baked goods, donuts
- Books, subscriptions
- Conference attendance
- External training sessions
One of the best ways to reward your champion is by giving them your undivided attention. Remember to step away from your computer or phone, make eye contact, and make them feel valued. This may seem like a simple gesture, but it can have a significant impact.
Building an Application Security Program that is Right for Your Team
To learn more about security champion programs and other AppSec topics, please subscribe to "The Security Champions Podcast" by Security Journey.