How to build a security champions program
Security champions are key to promoting and creating a security-first company. Learn how to build a security champions program using these four steps.
Application security is more important than ever, as apps remain one of the most common attack vectors for external breaches. Forrester's latest "State of Application Security" report stated organizations are starting to recognize the importance of application security, and many have started embedding security practices more tightly into their development stages -- a big step in the right direction.
It's important to understand, however, that building a world-class application security program can't happen overnight. A great deal of foundational work must be done before an organization can achieve results, including sharpening security processes around the software development lifecycle (SDLC) to identify, track and remediate vulnerabilities more efficiently. These efforts will eventually bring organizations to a high level of maturity.
Adoption of security in the SDLC is often lacking in many organizations. The answer to this problem lies within an organization's employee population. Companies should establish a security champions program, where certain employees are elected as security advocates and drivers of change.
To create a strong cybersecurity culture, security champions should be embedded throughout an entire organization. These individuals should have an above-average level of security interest or skill, with the goal of ultimately evangelizing and accelerating the adoption of a security-first culture -- not only through software and application development, but throughout the organization.
Developing a security champions program doesn't need to be complicated. This four-step process helps organizations establish their program with ease.
1. Empower managers to nominate champions
Let managers decide who would make the best security champions. These decisions can be based on interest level in security performance or even seniority.
2. Harness gamified training
People tend to learn better through hands-on practice. Trainings using gamification -- both online and in person -- are an effective way to accomplish educational goals, while creating fun and engaging environments for employees. Tracking individual performance through gamified training also enables organizations to identify employees with an above-average skill set in software security. These individuals are great candidates for the security champions team.
3. Implement recurring training and social events for champions
Organizations can bolster security culture by hosting events with external content and speakers. Many events feature external presenters and have hands-on sessions that help engineers create, deploy and operate better coding practices. Employees benefit from hearing outside perspectives, especially those related to fast-moving technology areas, and organizations benefit from putting their security credentials on display. Leadership must invite all employees to the events, as gatherings with small, select groups prevent the organization from creating a companywide cybersecurity culture.
Leadership must prioritize transparency when planning security training events. This includes sharing the organization's security history, even if it is full of blemishes. Transparency helps foster a strong and lasting change in behavior, as participants discover how they contribute to the problem. From there, employees better understand how the material is relevant to their work and how to apply what they've learned to their roles.
4. Enhance skill sets via threat modeling
Organizations can use threat modeling to advance their cybersecurity posture. This tool helps identify threat actors and enables organizations to implement appropriate security controls to prevent an attack. This standardized approach ensures the output is actionable and provides value to other parts of an organization's security strategy. The process also gives security champions a platform to communicate design-level flaws and empowers employees to proactively address security issues.
In today's security environment, new threats are always lurking. Organizations must develop a culture where all employees work to protect their company's network. Education is an important step in creating this culture. Security champions help spread awareness and stress the importance of strong cyber hygiene. This, in combination with companywide events and training programs, helps ensure sensitive data is protected against evolving threats and hacking techniques.
About the author
Nabil Hannan is managing director at NetSPI. He leads the company's consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Hannan has more than 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pen testing, secure code review and vulnerability remediation, among others.