Using the Security Champions Framework to Optimize Your Security Program

Is 2023 the year of security champions?  

In this episode of The Security Champions Podcast, Mike talks to Chris Romeo about the growth of champions programs, the Security Champions Framework, and the mistake that organizations make with their programs. 

The Year of Security Champions 

2023 is certainly looking like the year of security champions. Across the board, we are seeing people release great information, documentation, and guidelines for the AppSec community. 

Recently released Security Champion resources: 

• OWASP Security Champions Manifesto 
• Security Champions Playbook 
• Security Champion Program Success Guide  

Most of these resources you see released are not theoretical. Instead, they are created by experts who have established successful security champion programs and are sharing what they know with the industry. 

The AppSec community is trying to accomplish the same goal: unify a community of collaboration among developers who rise to the occasion with coaching and mentoring to bring that passion back to the organization. 

Read More: How Security Champions Help Improve Application Security 

What Is The Security Champions Framework? 

The Security Champions Framework, created by Chris Romeo, is a program that helps organizations to improve their security posture by building a team of security champions. As a free download from GitHub, anyone can access the information to implement at their organization.  

Access: The Security Champions Framework (hosted on GitHub) 

The Security Champion framework exists as a measuring stick and a roadmap for organizations to follow in order to build and maintain a successful security champions program. 

• As a measuring stick, the framework allows leaders to measure how well their champions program performs.  
• As a roadmap, the leader can use the measurements as input and build a plan to improve their program by applying updates towards a higher framework level. 

The framework was created based on the OWASP Software Assurance Maturity Model (SAMM) to incorporate levels of maturity, which means that you are continuously measuring, assessing, and improving your program. Don't think of Security Champion Programs as binary; they should grow and mature. 

There are 5 main areas of focus: 

1. Planning - Planning includes the activities needed to scope and build a strategy 
2. People - People include recruiting, retaining, capturing commitment, and onboarding new champions 
3. Marketing - Marketing includes the branding of the program and communication plans. 
4. Execution - Execution includes the program pillars, coaching, education, and globalization efforts 
5. Measurement - Measurement includes metrics for demonstrating the value generated by the program

By implementing the Security Champions Framework, organizations can improve their security posture by fostering a culture of security, increasing the visibility of potential vulnerabilities in the code, and empowering developers to take ownership of security within their projects. 

Read More: Security Champions, Are We Doing It All Wrong? 

The Biggest Mistake Organizations Make with Security Champion Programs 

If you don't take care of a customer, they won't renew with your product. The same theory applies to your security champions – if you don't take care of your security champions, they won't stay within your program. 

That effort should be recognized when asking your employees to take on additional tasks. Whether that recognition comes in the form of acknowledgment, monetary, or a chance for promotion – you need to provide your security champions something. 

The biggest mistake organizations make with their security champions programs is making it all about the company.  

You shouldn't be asking what your security champion can do for you and your organization; instead, you should ask, 'how can this program enrich the lives of our developers'? When you put your developers first, you build a champions program that no one wants to leave.  

Some examples of security champion benefits: 

• Continued Education Opportunities 
• Certification Reimbursement 
• Career Paths 
• Bonuses 
• Vacation Time 
• Flexible Work Hours 
• Promotions 
  
  

Are Your Champions Following the Framework? 

There is no set way to establish and optimize a successful security champions program, but hopefully, these resources can help you stay on the right track. Access to comprehensive, secure coding training for your developers is a crucial key to any program. If you are missing that key, check out our AppSec Education Platform to see if it's a fit for you.  

If you are interested in learning more about security champion programs and other AppSec topics, please subscribe to "The Security Champions Podcast," brought to you by Security Journey.