How to start a Security Champions Program?

Originally posted by @kchau

Hi folks!

I hear the term security champions being thrown around quite often and how important it is for some to start building the program. I’ve seen different companies approach the topic very differently with some succeeding and some outright failures. Some have started with initiatives to train their entire development organization to understand security a little better before heading down this path. Some have asked for volunteers and incentivize them to help be part of the team and help build the process. Others may go ahead and just select individuals themselves and “volunteer” them to be the bridge for the teams.

My question for you all is, what has your experience been like? Is there a method that works better than others? What are some great ways to start this discussion with various teams, and how do we get them more engaged? Where should a company start when thinking of building a Security Champions program? Are there any specifics that need to be considered before starting these conversations?


At OWASP AppSec Lisbon there were three really great talks about this that I want to share:

Growing A Security Champion Program Into A Security Powerhouse - Bonnie Viteri (YouTube)

Security Champions And Experiments: Building Blocks For Cultural Change - Mads Andersen (YouTube)

Leveraging Psychological Needs For Building A Security Culture Amongst Developers - Juliane Reimann (YouTube)

My very high-level takeaways:

  • You will need buy-in from the organization's leadership.
  • You will need some kind of a budget (time + money).
  • Leverage the human desire to be part of a culture and be rewarded; this helps keep people happy while they sacrifice their time.
  • Celebrate success stories and wins all the way up to the executive team, but also all the way across the organization.
  • Don’t give champions the shit work the security team does not want.

Another good resource from OWASP which might be interesting to look at. They are soon going to publish some real-life artefacts from organisations who have done it on the ground.