The Security Champion framework exists as a measuring stick and a roadmap. As a measuring stick, the framework allows leaders to measure how well their champions program performs. As a roadmap, the leader can use the measurements as input and build a plan to improve their program by applying updates towards a higher framework level.
A security champion is a security-passionate person engaged with your security team, interested in expanding their knowledge and experience with security.
The security community is a virtual team of engaged developers, architects, software managers, testers, and similar roles (product adjacent) that extends the experience and knowledge of a central security team deeply into product/development teams.
Various names apply to the people that make up a security champion program. For example, organizations use different naming schemes for Champions, Advocates, Guild Members, Ninjas, and Agents.
Names sometimes matter: people may define their roles by their terms. It is vital to choose a name that fits your organization's culture. Some names carry implications on the level of involvement and authority expected: liaisons, champions, advisors, consultants, etc. Choosing the perfect phrase or term to describe the people does not define the success of your program! But do give it a thought so that the label specifies the content and expectations correctly.
For purposes of the framework, the word champion is universal.
Security champions are necessary because most security teams must stretch their resources to meet security demands. The security department lacks the time, energy, and people to perform security for everyone. They have the knowledge and expertise but need scalability.
Each year, BSIMM asks their member companies how many developers and security team members they have. From BSIMM 12, the ratio was one security person to every one hundred and thirty-five developers. This ratio demonstrates the need for security champions. BSIMM members take security seriously enough to spend money on a consultant to analyze their maturity. Non-BSIMM companies are likely at an even higher ratio. The higher ratio is why Security Champions are needed -- there are not enough security team members to do all the work.
There are four facets to the successful champion experience.
First, consider foundational knowledge. Foundational knowledge is the knowledge about application security, from vocabulary to return on investment and the business case. Foundational knowledge answers the why of application security and covers the things everyone needs to understand.
Second, a spark of passion. A spark of security passion is vital. Rather than forcing a champion to volunteer, the best case is a champion that steps forward because they have some security interest. The champion program can fan that little interest into a security flame.
Third, understand/acknowledge attacks. Champions must realize the reach of modern attacks and recognize that what they build is under attack.
Fourth, utilize tools and processes. Champions must follow the defined procedures to enhance security, like Secure Development Lifecycle, and be the eyes and ears that execute and interpret the results of the tools. They must also participate in making the program better over time by giving feedback on tools and processes and how they fit in the organization.
Many security champion programs focus on the company's value instead of thinking about the champion. Flip the table and consider what's in it for your champions. Make it about them.
Here are some examples of items that can provide value for the champion:
- Advanced training + knowledge and degrees.
- Exclusive learning events.
- Management/Executive visibility and exposure to successful projects that improve security.
- Acknowledgement and recognition as someone who makes company products safer for Customers.
- Cross-organizational collaboration -- networking with other like-minded security people.
- Career advancement.
- Career pivot into security.
The company does receive many benefits from the program. Consider these ideas for the value provided to the organization.
- Specialized security resources without additional headcount investment.
- A population of employees satisfied by a program dedicated to their interests.
- Integrated security coaches within functional teams.
- Contributes to security ROI.
- Visibility as an organization that takes security seriously.
[The authors adapted this section from a comment by Brook Schoenfield, based on his brilliance in running multiple Champion programs in various organizations.]
There are three general Champion program forms: central team + security referees, central team + Champions, and fully empowered satellite security people. Each of these forms reaches "maturity" somewhat differently.
In the central team + security referees form, the central team is responsible for security, and the security referees across the organization spot each need and call in the central resources to perform the security work.
This form is easier to set up and often sits comfortably with security folk since they maintain most of the control. But this form struggles to keep up with demand and has far too much friction.
In the central team + Champions form, the champions handle basic security tasks, and the complex functions move to the central security team.
Complex and tricky work still stays in the hands of the central security team. On the other hand, this form requires less training, still requires central team investment, and is simple for nearly everyone to understand.
In the fully empowered satellite form, dedicated security resources exist across the business, paid for by their own management. Usually, with this, there still has to be a central program, but it may be minimal.
While the journey may be much longer, at some point, the security professionals make themselves redundant. As a result, security becomes "how we build software," and the security culture demonstrates an organization that takes security seriously and takes action to improve security.
Five high-level areas divide the framework, with one to four sub-areas within each area.
Area | Description |
---|---|
Planning | Planning includes the activities needed to scope and build a strategy. |
People | People include recruiting, retaining, capturing commitment, and onboarding new champions. |
Marketing | Marketing includes the branding of the program and communication plans. |
Execution | Execution includes the program pillars, coaching, education, and globalization efforts. |
Measurement | Measurement includes metrics for demonstrating the value generated by the program. |
- Security Champion Program Success Guide -- https://securitychampionsuccessguide.org/
- Security Champions Playbook -- https://github.com/c0rdis/security-champions-playbook
- Chris Romeo, Project Leader
- Izar Tarandach
- Brook Schoenfield
\pagebreak