For organizations that develop their own web applications, DevSecOps has become a core initiative. One way to make it a successful endeavor is through security champion programs.

What are security champions

Security champions can help organizations move beyond the conflict that often exists between security teams and developers.

This article explores how such programs work, and how to implement one. 

A post by Invicti Security’s Meaghan McBee notes that the term “security champion” has evolved in recent years to be more inclusive of employees who aren’t necessarily experts, expanding to those who have an interest in security.

“A security champion isn’t someone who wins hacking contests (though that’s certainly a plus) but one who champions the security message wherever they are in your organization,” McBee wrote, adding that a security champion:

  • Serves as both mentor and cheerleader, engaging with and encouraging all employees to learn, adopt, and remain committed to security protocols
  • May not have as deep an understanding of security as someone in infosec or IT, but they know enough to answer basic questions and serve as a bridge between the infosec gurus and the ordinary employees.
  • Are another line of defense between an organization’s sensitive data and criminal actors.
  • Are natural communicators that help amplify critical security messages throughout various teams. 

Profile of an effective security champion

Security champions need not be experts in DevSecOps but are expected to have a clear understanding of security needs. The makings of a successful champion may differ from one organization to the next due to specific company goals, scalability, and security posture. But there are some core competencies and traits that apply to all. McBee describes those as:

  • Clear communication skills that help break down silos and raise awareness around security issues, encouraging others to join the program. 
  • A desire to learn more about secure coding and web application security through continued education helps them stay updated on the latest trends and best practices. 
  • Serving as a resource for technical questions that might not have an obvious resolution ensures they connect the right teams to escalate security issues. 
  • Inspiring team members to take security seriously mitigates the risks presented by products and services in an effort to improve security company-wide.
  • Helping to review code for security issues relieves stress when time is short, deadlines are looming, and DevSecOps professionals are too busy to investigate. 

Creating an effective program

When launching a security champion program, McBee recommends organizations start by defining which issues champions must be responsible for, be it code review or sharing best practices. The organization must clearly outline those expectations in a shared document. Other steps to consider:

  • Use threat modeling to uncover vulnerabilities at the design level and implement better security controls. 
  • Invite volunteers and reach out to those who might be less outspoken to achieve a diverse skill set. 
  • Keep everyone involved and engaged by setting up sessions for games like Capture the Flag (CTF) or team outings to improve relationships.
  • Offer training and educational opportunities outside of work to keep employees engaged with security trends and enhance common best practices. 
  • Engage the Scrum team whenever possible to adopt their best practices and more effectively plug into existing processes and workflows.
  • Track success closely and establish relevant KPIs so one can demonstrate threat management wins to executives.

Depending on your organization’s security goals, success may be measured by:

  • How many vulnerabilities are uncovered, reported, and fixed as a team of champions and whether that number is improving over time.  
  • Stories or internal case studies of success from security champions who have been in the program for a while and have helped tackle difficult issues. 
  • Improvement in work/life balance when security professionals spend less personal time resolving issues. 
  • How engaged the members of your security champions program are, including any questions or ideas that arise around improving security posture.