The first time I heard about security champions programs was from Tanya Janca and the idea stuck with me ever since. If you haven't come across this concept yet, here are a few good resources on it.
- Building Security Champions by Tanya Janca
- Security Champions (OWASP)
- Security champions series by Snyk
- The Security Champion Framework by Chris Romeo, Izar Tarandach and Brook Schoenfield
- The Security Champions Podcast: Tanya Janca - A Recipe for Security Champions
For the first time, I'm in a company that not only has established a security champions program, it's also the first time I became a champion myself! Therefore, the topic grew even more relevant for me in the past months.
Recently, I came across several rather negative, or let's say frustrated viewpoints on security champions programs. People I met said it just never worked for them. Some shared they were not having real organizational buy-in and the program was merely a point on a checklist to tick off for the company to look good. Chris Romeo shared lots of security champion antipatterns in his Reasonable AppSec newsletter that made me think. "Why Security Champions Are Not the Silver Bullet" by Matthias Rohr is another thought-provoking piece pointing out that other initiatives might work better in certain contexts. What I don't hear much about in my bubble, though, are success stories from security champions programs. I do remember one person at Booster Conf talking about their program that managed to raise awareness and spread knowledge. Yet that's... basically it.
It's my first experience with such a program and I only see its current state after having run for quite some time. Therefore, I can't really tell how effective our program is and if it improved the situation compared to the one beforehand. From what I've observed, it does indeed seem to work quite well so far. It did manage to bring people together and scale the efforts of our InfoSec folks through having invested volunteers as contact persons and security advocates in each product development team, hence building bridges. There's clear guidance for lots of security topics and good practices. In the teams we have on demand support and feedback from InfoSec at any point from idea to production. At least from my personal perspective, collaboration works really well. We have buy-in and time set aside for security topics and can actively help drive security efforts for our products and the company. Huge shout-out to our awesome InfoSec folks at this point!
That being said, we recently also talked about how our program can be evolved. The conversation was initiated by an InfoSec person sharing Snyk's Security Champion Playbook and asking people for improvement ideas we could try. I did share my personal point of view of what I'm missing or what would help me benefit from the program even more. We're all working remotely and as of now asynchronously as security champions. It's not a secret how much I am a fan of synchronous collaboration, so that's what I would wish for more. Be it in the sense of regular calls with champions and InfoSec, or frequent pairing and ensembling sessions to work hands-on together. This could be on specific learning topics, general fun challenges like Capture the Flag (CTFs) sessions, on our regular security related tasks, or on solving current challenges in the teams - together. Joining the regular InfoSec call where folks exchange current news would be a great addition as well.
We haven't decided yet what exactly to try out next. I'm curious what other ideas people have, what worked for them best so far and what not at all. More real experiences that we can all draw inspiration from. So, let me ask you: what makes security champions programs effective?
Thanks for the post. Running a security champions program is a bit tricky, I guess.
ReplyDeleteLooking back to my previous job, I was appointed a security champion exactly as a way to tick a checkbox and was thrown into this role with no relevant experience whatsoever (at the time I was perhaps 6 months out of the university and still learning the ropes of what it meant to do my "regular" work). What was missing for me were clear definitions of "this is what you should do", and some regular discussions on how things were going. I don't recall any training done, but in this point I might just have forgotten.
As one can imagine, I wasn't very effective as a security champion, but the title did two things: It got me a place around the table in the security related ceremonies (threat modeling, audits, PenTest reviews) and it made me listen each time "security" was mentioned. So, it took me three years, but eventually I could speak semi-intelligently in those ceremonies and I did learn a trick or two I could use.
I'm assuming there are better ways to conduct such programs, but for me, the minimal condition for such a program to work is that it can't be the only thing done. It is a great way to support other activities, but in order to have successful security champions, the teams they are in should face security issue every now and then - they should be asked to discuss security implication of feature design in the review, they should get results of the Pen-tests done to their product, and even have an annual internal security assessment of their product - the champions could latch on to this activities to grow their skills and demonstrate the value of their expertise to the team.
Thanks a bunch for sharing your thoughts and experiences! Much appreciated. Great advice on how not to do it, as well as what to consider! The point you bring up regarding getting a seat at the table really resonates with me. It makes me think of how frequent collaboration with our InfoSec team got me invited to my first security audit beginning of the year, even before officially becoming a security champion.
Delete