Security Champions: Why Do We Need Them and What Role Do They Play?
It's no secret that poor security can have disastrous consequences. With the ever-increasing sophistication of cyberattacks, and the importance of data security, the need to protect companies and customers’ sensitive information has never been greater. This is where security champions come in.
Why do we need security champions?
As part of a comprehensive security program, enterprises are increasingly appointing security champions as valuable assets in promoting a culture of security within teams. These programs help to facilitate engagement between the teams to help align the operational needs of the business with the appropriate implementation of security policies.
Often misconstrued as cybersecurity engineers, their role is more of an ombudsman’s - to help everyone - from development to operations, sales to recruitment . These champions typically retain their daily responsibilities but do so with an information security perspective.
How to turn an employee into a security champion?
Before nominating a security champion within your team, it is important to have a clear understanding of their existing responsibilities. If the security champion goals are not aligned with their other performance metrics, the program will experience resistance within the business.
First, clearly define the amount of time that is expected to be allocated to the program every month or quarter. This is a commitment from the champion as well as the leadership team. Establish accountability through metrics and periodic “checkpoints” to confirm that the champion’s security related work is aligned and integrated into their other metrics.
Second, There are certain traits that you should look for when nominating someone as a security champion. Your nominations will directly impact the success of the program. Consider candidates with at least two of these traits::
- Employees with an undying passion for security and show tremendous dedication to championing security
- An individual with tenacity, curiosity and the ability to look at things by “what CAN it do” v/s “what does it do?”
- Organized, project oriented, able to multitask and prioritize workloads
- Technical experts/intermediates who understand basic coding concepts and are capable of effectively deconstructing complex security topics
- Good communicators are necessary to ensure they can build relationships and gain trust within their teams
- Able to enroll others into a vision. Someone that others want to emulate or follow
Role of a security champion: what is expected of them?
A security champion should educate and inform their business units about the risks of cyberspace and actively promote security best practices to help combat cyberthreats. Here are three common goals that every security champion is expected to accomplish:
- Key part of security procedures
From assisting in QA/testing to escalating issues for review, integrating scanning tools in the GitHub repository to cleaning out false positives to keeping a tab of the Jira dashboard, security champions stay in the loop for all things security-related and help streamline processes while saving costs. Working to integrate security gates and security best practices into the workflow while minimizing disruptions.
- Promoting cyber security awareness
A security champion can help educate their colleagues about potential security risks and remedial action in many ways, including:
- Creating and distributing security-related content (e.g. blog posts, infographics, etc.)
- Leading or participating in security awareness initiatives
- Acting as a point of contact for employees with questions or concerns about security
- Helping to translate and apply security best practices into normal operations using terminology and concepts familiar to the business
- Demonstrate real examples of how the security champion program has supported the business
- Being in the know
Security champions participate in training workshops related to new and emerging tools and technologies. This helps them stay updated about what’s happening in the security domain and share the knowledge with their colleagues.
Subscribe to industry specific “threat intelligence” podcasts, rss feeds, “ISAC’s” to stay current on novel threat vectors and methods.
How to manage an ongoing security champion program?
There is no one-size-fits-all answer to this question. However, there are a couple of basic best practices to follow to ensure your security program’s momentum never stops, regardless of how large the team may be.
At least two managers must come forward as a team and proceed with a “help your neighbor” attitude to keep the wheels running while managing bigger teams.
For every deliverable contributed by six employees, on average, it’s recommended to have at least one security champion, maintaining the posture in terms of code integration, vulnerable management, etc.
Much like having a workout partner, establishing accountability with routine and meaningful metrics will assure the sustainability of the program.
The program's ongoing success is directly tied to the value it provides to the team. If the program is not reducing defects, it will be difficult to maintain active participation.
How to foster a security champion culture?
A successful security champion culture bridges the gap between security, development, and operations to reduce friction and raise awareness. While creating such programs, ensure to recruit enthusiastic builders and support them with the right learning tools and collaboration channels.
Security champions normally go out of their way from their day jobs to recognize security threats and suggest remedial action. Thus, appreciating and recognizing their efforts via annual performance reviews, appraisals, awards, or bonuses is also pertinent.
Security is bigger than just the right tools. Often seen as the “front line” of defense against cyber threats, security champions help safeguard their organizations from the ever-growing threat of virtual security.
By fostering a culture of security champion programs, enterprises can dramatically improve their security posture and reduce the risk of falling prey to malicious cybercriminals