In the last year, you may have heard the term “security champion” and wondered if this was a specific job or just another buzzword. In this article, we’ll talk about what a Security Champion is, what they do and how to become one.

What Is a Security Champion and What Do They Do?

The primary purpose of a Security Champion is to help incorporate good security practices and a strong security culture into all aspects of a company’s daily operations and development processes. A Security Champion is a member of a team who takes on the responsibility of being the team’s primary advocate for security and its first line of defense for security issues.

In day-to-day operations, the role of a team’s Security Champion is to be the individual on a team responsible for leading all security-related activities. This includes reacting to identified security incidents, performing proactive actions to help prevent future security incidents from occurring and spearheading efforts to improve the security posture of the team and the organization as a whole.

The Security Champion on a team is expected to lead efforts to identify and remediate bugs and vulnerabilities in the team’s product and development processes. This includes identifying, triaging and remediating security incidents. If the issue can be handled within the team, the Security Champion should design, implement and document the mitigation strategy. If escalation to the organizational Security Team is necessary, the Security Champion should make the initial contact and act as the primary point of communication between their team and the Security Team throughout the process.

Security Champions should also lead their team in preventing security incidents from occurring. This can include writing security-focused user stories for teams using agile development strategies (the abuse cases an attacker would attempt, not only the happy path) and developing unit and integration tests for their team’s code that exercise those abuse cases. A Security Champion should also support the implementation and management of a continuous integration and testing environment for their development team, so that developed code must pass unit, integration and security tests (for example, static analysis and dependency vulnerability scanning alongside the security-focused unit tests) before it is merged.
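As an added illustration of what such a security-focused user story and its tests look like in practice (this is example code written for this article, not code from the OWASP playbook or from any particular team), take the story “a user can download only files from their own upload directory”. The upload directory, the naive and hardened join helpers and the attack inputs below are all assumptions constructed for the example. The naive helper is the kind of code the story is written to catch; the hardened helper rejects traversal before touching the filesystem and re-checks after resolving the path, and the test cases encode the abuse cases so CI fails if anyone reintroduces the weakness.

```python
"""Security-focused test cases for a 'download only your own files' story.

Example code added to this article; the helpers and payloads are assumptions
constructed for illustration, not taken from any real project.
"""
import os
from pathlib import Path, PurePosixPath

# Constructed sample inputs: the directory the story restricts downloads to,
# the attack strings a Security Champion would list in the abuse case, and a
# few benign paths the feature must keep accepting.
UPLOAD_DIR = "/srv/uploads"
TRAVERSAL_PAYLOADS = [
    "../etc/passwd",             # classic dot-dot traversal
    "/etc/passwd",               # absolute path: os.path.join drops the base
    "reports/../../etc/passwd",  # traversal hidden behind a valid prefix
    "..",                        # bare parent reference
]
BENIGN_PATHS = ["report.pdf", "2024/q1/report.pdf"]


def naive_join(base_dir: str, user_path: str) -> str:
    """The 'before' version: trusts the user-supplied path as-is."""
    return os.path.join(base_dir, user_path)


def safe_join(base_dir: str, user_path: str) -> str:
    """Hardened version: resolve user_path inside base_dir or raise ValueError.

    First check is syntactic (absolute paths and any '..' component are
    refused); second check is on the resolved path so symlinks and other
    surprises still cannot land outside base_dir.
    """
    base = Path(base_dir).resolve()
    rel = PurePosixPath(user_path)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"path traversal rejected: {user_path!r}")
    target = (base / rel).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return str(target)


def escapes_base(base_dir: str, path: str) -> bool:
    """True if path, once normalized, lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def check_traversal(join_fn, base_dir=UPLOAD_DIR, payloads=TRAVERSAL_PAYLOADS) -> dict:
    """Run every payload through join_fn and classify the outcome.

    Returns {payload: "rejected" | "escaped" | "contained"}; "escaped" is the
    result the security test must never see.
    """
    results = {}
    for payload in payloads:
        try:
            out = join_fn(base_dir, payload)
        except ValueError:
            results[payload] = "rejected"
            continue
        results[payload] = "escaped" if escapes_base(base_dir, out) else "contained"
    return results


# The tests a Security Champion would add to the team's suite (pytest will
# collect these; they also run from __main__ below).
def test_safe_join_rejects_traversal():
    assert check_traversal(safe_join) == {p: "rejected" for p in TRAVERSAL_PAYLOADS}


def test_safe_join_keeps_benign_paths_working():
    assert all(v == "contained" for v in check_traversal(safe_join, payloads=BENIGN_PATHS).values())


def test_naive_join_is_vulnerable():
    # Documents why the hardened helper exists; remove once naive_join is gone.
    assert all(v == "escaped" for v in check_traversal(naive_join).values())


if __name__ == "__main__":
    for fn in (naive_join, safe_join):
        print(fn.__name__, check_traversal(fn))
    test_safe_join_rejects_traversal()
    test_safe_join_keeps_benign_paths_working()
    test_naive_join_is_vulnerable()
    print("all security checks passed")
```

The payload list is the part that carries the team’s threat model: each entry corresponds to one line of the abuse case in the user story, so when a new bypass is found (URL-encoded dots, platform-specific separators) the fix is to add the input to the list and make the test pass again, not to rewrite the test.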

Finally, it is the responsibility of a Security Champion to ensure that their team is ready to meet future security needs. This can include organizing security education and training, advocating for security-focused culture changes, and recruiting, mentoring, and training additional Security Champions. A Security Champion can also perform threat monitoring and intelligence gathering to keep their team up-to-date on the latest security trends and threats.

How to Become Your Own Security Champion

If your organization already has a Security Champion program, becoming one is fairly simple. A strong program will always be looking to recruit new members, so reaching out to a member and expressing interest is probably all you need to do to sign on. If your team already has a Security Champion, taking a role as a novice or alternate Security Champion gives you the opportunity to learn the role while enabling your team to expand and improve its focus on security.

If you are trying to start a new Security Champion program at your organization, management buy-in is critical. Acting as a Security Champion is a part-time job and attempting to perform these duties on top of a standard full-time role guarantees that security duties will be neglected due to lack of time. By putting together a good pitch based on the benefits of a Security Champion team for your organization and approaching management, you’ve taken the necessary first steps for becoming a Security Champion and establishing a team of Security Champions for your organization.

A good starting point for developing a pitch for an organizational Security Champion program is taking a good look at your team and identifying where security can be improved. By identifying weaknesses and tying them to potential financial, legal, regulatory or reputational risks to the organization, you can make a case that an improved security culture is necessary for your team and enterprise’s success. By identifying these issues and suggesting potential avenues for correcting them, you demonstrate your ability to perform the duties of a Security Champion. A clear demonstration of potential risks and ROI is a great way to get management buy-in for a Security Champions program.

Who Should Become a Security Champion?

The simple answer to this question is “anyone who wants to.” However, there are a few exceptions and some job roles that are better suited to the job than others.

Anyone who is already part of the security team, or whose existing role already fills their working hours, will probably not make a good Security Champion. Since the job of a Security Champion is to act as a point of contact between a team and the security team, it makes little sense for members of the security team to act as Security Champions. The role of a Security Champion also carries a regular time commitment (20% of working time is recommended as a good starting point). Job roles like lead or principal developer can often become a full-time responsibility and leave no space for additional tasks, meaning that the Security Champion role may fall by the wayside.

The job roles that are best suited to the role of Security Champion are those where an individual is closely integrated with the team and has a good understanding of the team’s goals and processes. Examples include developers, quality-assurance testers, architects, designers, DevOps and operations. The most important requirement, though, is an interest in security and willingness to learn and grow to meet the security needs of the team.

If you’re interested in becoming a Security Champion but none of these job descriptions fit your role, that doesn’t mean that you can’t become one. The most important requirement for a Security Champion is the willingness to help promote a culture of security within your team and organization. Even if you are not in a product development role, there are probably things that you can do to improve the security of your department and team. Identifying these areas for growth is an important first step in defining your own role as a Security Champion.

How Do I Build a Security Champion Team?

The Security Champions Playbook, maintained by OWASP, defines six main steps toward creating a team of Security Champions. Understanding each step in this process is important to becoming a Security Champion. These are identification of teams, defining the roles of Security Champions, nominating potential Champions, setting up communications channels for Champions, building a strong knowledge base and maintaining interest in the Security Champions program.

Identify Teams

The first stage in building a team of Security Champions is identifying the teams that need a Security Champion. Ideally, every development team in the enterprise will have their own Security Champion, but if necessary, a single Security Champion can support multiple teams.

In this phase of the process, it’s also useful to collect detailed information for each team to help define the role requirements for the Security Champion for each team. Useful information that can be gathered in this step includes:

  • Which team(s) are working on a given product
  • Team leads, product managers and other relevant personnel
  • The programming languages and frameworks used
  • How code and documentation is stored
  • Current security and testing practices
  • Most-common communications channels
  • Bug handling procedure

By collecting this information, it’s possible to define role requirements and determine which teams can share a Security Champion if necessary.

In order to become an effective Security Champion for your team, you need to understand the team’s needs and how it works. Collecting this information can help you identify what actions that you can take to maximize your impact on the team’s security posture.

Define the Roles

The role of Security Champion varies based upon the current maturity of security practices and culture within the team. If a team has a well-established security culture and testing practices, the role of the Security Champion may be limited to helping with development of security test cases, performing threat modeling and acting as a liaison with the security team. For a team with a less-mature security culture, a Security Champion may need to improve testing practices, organize security training, and research and implement policies and technologies to integrate security into the development methodologies.

Using the information from the previous phase, take a serious look at your team’s current security and development practices. Is your team mature in terms of security or do you have a ways to go? Identifying a set of three-month, six-month, one-year and five-year goals for your team’s security is a great way to start scoping your role as your team’s Security Champion.

Nominate Champions

The role of Security Champion shouldn’t be a team member’s only role on a team. A good Security Champion should be well-integrated with a team and have a strong understanding of the team’s goals and how the team operates. The best way of accomplishing this is by being an integral part of the team and having duties beyond that of Security Champion.

For this reason, the role of Security Champion should be a voluntary one, not an assigned one. If a team’s Champion is unwilling or considers their security duties to be of less importance than their “real job,” they won’t be effective. Team managers and members can nominate candidates for their team’s Security Champion, who can then be interviewed one-on-one for the role if interested. By having a clearly-defined role and outlining both the benefits of a Security Champion to the team and to the prospective Champion (professional growth, security conference attendance, ability to attend training for secure code development and so forth), the probability increases that each team will have a Champion who is well-suited to and passionate about their new role.

If you are working as a member of a small team, this phase may be less important to you, since you may already be ready and willing to take up the role of Security Champion. However, if you work as part of a large team or are closely linked to other teams, additional Security Champions may be necessary to make your Security Champion program a success. Identifying and approaching other potential Champions improves your probability of success by keeping your own role manageable and provides you with a support network of similarly security-focused team members.

Set Up Communication Channels

One of the primary duties of a Security Champion is to act as a security point of contact for their team. In order to be effective, Security Champions need to be able to quickly reach the security team and Security Champions on other teams. Communication channels should be established in advance and should be designed to require minimal training or overhead to use.

The benefits of establishing communications channels for Security Champions are twofold. The primary reason to establish communication channels is to ensure that security issues are escalated and resolved efficiently when necessary. Established channels have the additional benefit of creating a team spirit among the Security Champion team and allow members to exchange information and solicit advice without needing to escalate to the Security Team.

If you plan to act as the point of contact between your team and the Security Team, getting to know the Security Team is important. Make the effort to introduce yourself, explain what you are trying to do, and solicit feedback from the Security Team. Anything that you can do to build relationships now will pay off if you are dealing with an incident in the future.

Build a Solid Knowledge Base

Not every team will have a cybersecurity expert as a team member who is willing to sign on as a Security Champion and provide their expertise to the team. In many cases, a team’s Security Champion will be a team member who is interested in learning more about the security field and wants to help improve their team’s product.

To make Security Champions effective, it’s necessary to build up a collection of cybersecurity resources that Security Champions can use as a reference and as the basis for organizing any necessary security training for their team. A good starting place is the Open Web Application Security Project (OWASP), which provides top ten lists of vulnerabilities for web applications, mobile applications and the Internet of Things. Collecting security information in one location for Security Champions reduces the time lost when a security flaw does turn up in a team’s development process, because the Champion already knows where to look for the relevant guidance.

In order to be an effective Security Champion for your team, you need to understand current threats and best practices for dealing with them. Some of this can be accomplished by self-study, but in some cases, you will need to attend training or talk to experts. Building your network by reaching out to colleagues with similar job roles and attending training and conferences can help equip you with the tools you will need to do your job as a Security Champion.

Maintain Interest

The last step of creating a strong Security Champions program is ensuring that the program survives and grows after the initial wave of enthusiasm wears off. By building a team culture among Security Champions and providing Champions with the opportunity to learn and grow in their roles, through providing training, conference travel, security-focused company contests and so on, an organization can prevent burnout among their Security Champions and encourage new members to join the Security Champions team.

Conclusion

Be careful not to let yourself burn out in your role as a Security Champion. Try to make fun security-focused events part of your role like a monthly reading group or a weekly security “horror story” email. As a Security Champion, you have an important role, but that doesn’t mean that you can’t have fun doing it.


Sources

Security Champions Playbook, OWASP
OWASP Top 10 (2017), OWASP
OWASP Mobile Top 10 (2016), OWASP
OWASP Top IoT Vulnerabilities, OWASP