Setting Up and Managing an Effective Security Champions Program

Raising Awareness Amongst the Unaware

Think of the first time you learned of a completely new and interesting subject or activity outside of that which was familiar. Perhaps a friend suggested watching anime, or your partner was adamant that you should try abseiling. At first, you may have resisted, comfortable in your bubble with no interest in seeking new experiences and, quite possibly, fearful of the unknown. However, your trust in the individual showing you a new potential path gave you the confidence to at the very least give it a go. And then you were hooked.

Security Champions

It’s easy to forget for any of us working and ensconced in our own sectors and interests that there are 8 billion people on the planet working in theirs too. And even when these overlap or are adjacent, as in software development, appreciation of what ‘the other team’ is focused on presents a continual challenge.

The fact that cyber security is such a pronounced cross-cutting agenda may well be clear to those of us working in the industry, but put yourself in the shoes of someone outside the industry - and even in the industry but not directly involved in security, like, for example, your developers - and what seems obvious, well, likely, is not. Thus, enter the Security Champion!

Secure Development: Enter the Security Champion!

In the application development and broader technology development fields, Security Champions (also known as Security Ambassadors) play a pivotal role in organizations: they not only possess advanced security knowledge but also promote a culture of security awareness among their peers. By embedding Security Champions within teams, organizations ensure that security best practices are incorporated into every project from the start. Security Champions become the bridge between the technical teams and the security teams, ensuring seamless communication and proactive defense against potential vulnerabilities.

In essence, Security Champions are the unsung heroes who fortify an organization’s digital walls by promoting the criticality of security as both perception and procedure via their capacity and passion for the topic.

Identify Your Security Champions from your Developer Teams

Using SecureFlag’s progress tracking, identify those developers who excel in the program. These high-performing individuals could be your organization’s future Security Champions and act as security advocates and advisors within their teams, serving as a vital link between the developers and the core security team. Embedding Security Champions within teams accelerates the identification and mitigation of security risks, reinforces adherence to security protocols, and significantly improves the security posture of the applications developed.

SecureFlag Security Champions Levels

Once Security Champions have been identified, here is how to ensure the initiative is a success:

1. Make it Exclusive

Establish a benchmark for selection, which could encompass rankings on SecureFlag (like points, badges, etc.), as well as contributions outside the platform, such as mentoring newer team members. A commonly suggested ratio is 1 security champion for every 10-20 developers. This ensures that the champion isn’t overwhelmed and can effectively assist their colleagues.

2. Set Expectations

Define the role and responsibilities of a Security Champion. This might include participating in security meetings, promoting security awareness within their team, assisting in threat modeling (and creating custom training labs using SecureFlag SDKs), or reviewing code for potential security issues.

3. Provide Advanced Training

Equip your Champions with the necessary knowledge and skills. SecureFlag offers advanced courses to further hone their skills and prepare them for the role of a Security Champion.

4. Support Your Champions

Recognize the extra work your Champions are doing and provide them with the support they need. This could be time allocated within their work week for security tasks or backing them up when they need to advocate for security in their teams.

5. Establish Communication Channels

Ensure that your Champions have a direct line of communication with the security team. This could be through regular meetings, an online chat group, or an email list.

6. Recognize and Reward Efforts

To keep your Champions motivated, acknowledge their efforts and accomplishments. This could be in the form of shout-outs in company Town Halls, time-off, awards, or even career progression opportunities.

Once a participant becomes a Security Champion, they can be also set as a Team Manager on the platform. Team Managers can actively manage teams, assign training modules, and review results. Their involvement serves as a link between the developers and the security team and aids Program Managers in reaching out to participants more effectively, ensuring the timely completion of activities.

Establishing a Security Champion Program with SecureFlag is not just an investment in training; it’s a strategic move to embed a culture of security within your organization, enabling a proactive, security-focused approach that will significantly benefit your organization in the long term.

With SecureFlag, your developers become more than just coders; they become guardians of the cyber realm, making the digital world safer for all users.