How to Improve Your AppSec With Security Champions

By 
Nitin Raina
,
and
August 9, 2022

Fostering a culture of security is the key to a successful, company-wide implementation of AppSec. But this requires a lot of support and is one of the biggest challenges an organization faces. 

Instilling the idea of security, bringing in the necessary changes, and cementing them for the long-term requires you to take a multi-pronged approach towards communicating the importance of security to different teams. Some of them include: 

  • Impress upon everyone that security belongs to each one of them. From new talent to the CIO, everyone is a crucial piece in the security jigsaw puzzle.
  • Improve AppSec awareness with basic security lessons and equip people with the ability to distinguish the depth of threats. 
  • Ensure you have a secure development lifecycle (SDL). Having an SDL program gives you a strong foundation for a sustainable security culture.
  • Lastly, and perhaps the most importantly, you need security champions to help make things happen.

What is a security champion and what do they do?

OWASP defines security champions as people who “help to bridge the communication between the development teams and the security team. A security champion will know the pain points of their teammates' code bases, team culture, tooling limitations, they are then in a good position to present security in a way that directly connects with the team.”

Security champions are responsible for evangelizing, mentoring, and promoting the cause for security in the organization. They are the critical thinkers who break down the silos between security and delivery teams and help constantly improve and enforce a good security posture.

How do you do this efficiently? 

With a security champions program.

How do you build a security champions program?

“A good security champion program improves the integrity and reach of your security culture, and by localizing the security representation throughout the business, your reach into the organization will become that much deeper,” says Joanna Huisman, former research director at Gartner.

A security champions program is crucial to guiding developers at the right time, in the right way. It’s also a low cost method to increase awareness on security.

The best way to begin is to leverage security champions embedded within the development, IT, and delivery teams to quickly scale the impact. They can act as go-to experts who can provide guidance, training, and answer questions in conjunction with security professionals to align with business objectives and consistently improve the application security posture.

Having a security champion program has many other benefits: 

  • They can perform code reviews to detect bugs and threats early in the development cycle especially when the code is being developed
  • They can partner with a security expert to teach best practices, which will be more effective than quick fixes
  • They simplify and make security an accessible segment for development teams 
  • Security champions are crucial to get top management buy-in and to strengthen the relationships across teams

As the program gains more visibility, you will need to constantly review KPIs, track metrics, and create standards for user behavior. The key is to start small, work towards prioritized goals, identify and resolve the highest risk areas, and gradually build a solid foundation. To reach your eventual goal of a company-wide rollout, it will take time, need senior leadership sponsorship and effort from a good network of security champions. 

Security culture and security maturity are the cornerstones of robust AppSec and security champions are pivotal to magnifying the impact of AppSec in the organization.

Vice President - Cyber and Information Security Thoughtworks