When talking about Security Champions, we are always careful to put our understanding related to AppSec. This care is grounded because we have some distinct understandings about the figure of the Security Champion, and this does not mean that we are right and others are wrong, just how we position this professional.
We want to put here some points that we understand to be very important when we talk about continuity of a Security Champions program, and that goes for you, who is with your operational program, or for you, who is designing your program.
Knowledge is fundamental
When seeking to create our Security Champions team, we try to create a team that already has some knowledge about secure development and the best development practices. This is important but not fundamental.
Therefore, what we initially look for in a professional who wants to act as a Security Champion is the willingness to learn and acquire more knowledge.
Providing these professionals with the means and resources to deliver knowledge is one of the main goals that a security and/or development manager should have.
Once you have your team created and organized, you need to provide them with the best possible resources. These can be related to training, tools, study groups and anything else that can help build robust knowledge.
Creating a culture of knowledge acquisition is a key factor in creating a Security Champions program, it will ensure that your team stays up to date and delivers to your developer teams the best opportunities to build a secure code.
Your team must have clear objectives
There is no point in setting up a group of professionals who will act as Security Champions if we do not clearly define their objectives.
The clear definition of objectives is what will provide the Security Champions team with the means to help achieve the goal. Without this definition, what we will see is a group of people without much synergy and alignment.
As in any process and structuring, the definition of the objectives is the basis on which the work will be developed.
Furthermore, it is based on the objectives that it will be possible to identify the best profile to be sought to act as a Security Champion, or even in which area this group will operate.
A good point to observe when we have the definition of objectives is that they must be measured and followed up.
So, whenever you create an objective, also create a set of metrics that will support your team to know that it is evolving and how you can adjust some point if something is not going in the desired direction.
Do your Security Champions know their functions?
Even if you have defined the team’s objectives, it is also necessary to define the limits of the Security Champion’s performance.
Defining these limits and how they can best develop their functions helps the Security Champions team to increase support for other development and security teams.
An example of roles that can be defined is who the Security Champion will be in charge of holding lectures and small workshops for non-technical teams.
This perception of roles is important so that you can search within the team the correct and ideal profile for the designed roles, since it is of no use to put a professional as the lecturer if he does not have the necessary skills for the task.
Taking advantage: this is when the gaps in knowledge and skills of the Security Champions team members will be identified.
With these gaps identified, it is possible to build a training program that can help reduce the lack of knowledge and skills.
Is your Secure Development Process Established?
This aspect can be the first one to be approached.
There is no point in having a Security Champions training and a performance program if we do not have a Secure Development Process in place.
The Secure Development Process will be the basis on which the Security Champions team will act, and without it, it is unlikely that your company will have a positive outcome when it comes to secure development.
About the Secure Development Process, many believe that this kind of solution is only possible when we have an agile development process.
It is possible that with a more traditional development model we have a security thinking being used and implemented.
A secure development process is strongly based on best practices and step by step automation processes, however, much stronger than these points is the cultural aspect of secure development.
The change in thinking of development teams is what gives meaning to the safe development process and the rest are supporting resources.
Therefore, it is important that the process is culturally accepted within the development teams and that this culture can be reinforced by the Security Champions teams.
Give your Security Champions time to work
One of the aspects we always find is the participation of members of a development team in the Security Champions teams.
This is positive and really very healthy, because it will always be easier for this professional to deal directly with the development teams because they speak the same “language”.
However, what we can see is that often this professional who performs a dual function ends up not scheduled a time to act as a Security Champion, because he always understands that his primary role is of a developer and that he can not compromise this time.
This is a problem, because the function of the Security Champion above all is the cultural and thought change of his fellow developers, but without this time dedicated to it, this goal is totally compromised.
“Participants in our Security Champions program dedicate about 25% of their time to the program, which is important for allowing them to fully learn and practice security techniques. Since this time is taken from their typical workload, it’s critical to have buy-in from a champion’s manager at the outset”. — Jim Hamilton, senior manager in the Information Security Program Office at LinkedIn
What Jim Hamilton puts is that :
“Participants in our Security Champions program devote about 25% of their time to the program, which is important to enable them to fully learn and practice security techniques. Since this time is taken from their typical workload, it’s essential to have a Security Champion manager’s commitment from the beginning”. — Jim Hamilton
It is important that managers understand that it is important that these professionals act in their Security Champions roles, and they should be encouraged to use their time to expose their knowledge or even participate in trainings that provide more knowledge to the team.
Finally, we must realize that if we want an active Security Champions team that really brings positive results to our secure development process, we need to structure this team and all the resources necessary for this to happen.
There are opportunities for everyone to gain from the process of introducing Security Champions into companies, and we need to understand that by making this kind of opportunity available to our employees, we are gaining more knowledge and more strength within the culture of secure development.