Improving security awareness with specialized programs is essential for small businesses and large corporations alike, but is it enough?
According to Joanna Huisman, research director at Gartner: “The problem is that these traditional security awareness approaches are not flexible enough to meet the cultural or local needs of diverse audiences, especially in global corporations.”
Gartner suggests a security champions program can help “accelerate your security message” at little or no cost to the company. Internal gurus with different skills can act as security mentors, researchers, moderators, negotiators, and trainers.
Enterprises may benefit from building such a network of security champions (NoSC) that will promote and improve the security behaviors of employees in the long term. It looks like a good time to jump on the bandwagon, before your competitors do. Gartner predicts: “By 2021, 35 percent of enterprises will implement a security champion program, up from less than 10 percent in 2017.”
What Is a Security Champion?
OWASP defines this role player as:
- An active member of a team whose brief it is to help decide if and when to engage the “real” security ninjas in the basement. Membership in this team does not exclude them from membership of other teams; in fact, their role as a champion usually requires this person to wear multiple hats
- A member of a product or other type of team that acts as the “voice” of security for it, e.g. the finance department might select Sue to act as their security liaison on issues relating to finance, and Joe might be the security voice for Human Resources
- The go-to person who assists in the triage of bugs and other security issues for their team
We will mention some alternative models for the champion role in the conclusion. First, let’s explore what a Network of Security Champions (NoSC) is and how to build one.
What Is a NoSC and Why Do You Need One?
A NoSC is an integrated team of employees who have committed to taking the time and making the effort to work with their colleagues to assist the official security team and improve an organization’s current and future security.
- A NoSC is made up of internal staff members who have specialized and diverse skills. These range from employees with security expertise to people with the other skills (and the time and patience) needed to implement the program, e.g. trainers, writers and researchers
- The goals behind a NoSC are to utilize existing skills in an organization, spread the training load, share learning and upskill employees with new knowledge
- A NoSC can contribute to positively changing the perception of security policies, create a feeling of camaraderie, build stronger relationships between teams, unite staff at different levels in a common goal and develop a knowledge-sharing, assistance culture
- The benefits include a reduction in the official security team’s workload, a faster and more effective feedback channel between the official security team and the rest of the company, the fostering of a culture of security, a reduction in security incidents and the identification of the factors (change resisters) holding security improvements back
- For champions, benefits may include access to the latest technologies, liaison with executives, paid certification training, sneak previews of R&D projects, and even a new career path
In this article, you will learn how to build a network of security champions in your organization, step-by-step:
- Documenting a plan of action (PoA)
- Gaining support
- Building the network
- Presenting the role
Documenting a Plan of Action (PoA)
If it is not written down, it stays only an idea.
Before you get everyone fired up, you need to document a PoA. The first step is creating a security playbook with emphasis on how employees will fit into the framework. You can do this using the Software Assurance Maturity Model (SAMM), from OpenSAMM. The framework also helps you to identify security risks and create benchmarks to measure the success of your program.
OWASP’s VirtualWare case study describes how the organization created a security roadmap using SAMM. Stages two and six in the diagram below are where the NoSC comes in: the creation of informal security response teams.
With your roadmap in place, it’s time to build support for the program by generating excitement. But first, present your PoA to management and business leaders.
In “The Impact of the 6 Principles of Influence on Cybersecurity” the author suggests: “Organizations can substantially improve how they address the human aspect of cybersecurity by utilizing the tactics of their cyber-antagonists to change behaviors and reduce risk.” One “weapon of influence” that can be utilized is the Authority Principle, which holds that people tend to follow those who appear confident that they know what they are doing. When creating a NoSC program, it is important that the company’s leadership explicitly lends its support to the project and leads by example.
Your first champion will be the person who has the skill and nous to come up with innovative ideas to kick-start the program and relay the NoSC message to employees. It could be as simple as having an informal team lunch (with free pizza) or a more formal department workshop (with free pizza).
Chris Parkerson from Adobe Security says a primary goal when Adobe engineering started developing a NoSC was to lower security overhead in the SDLC and change the perception of the official security team as one bent on making developers’ jobs more difficult. “In order to promote security knowledge throughout the large Digital Marketing engineering organization, I created a human ‘botnet’ of security champions,” he wrote. “These champions come from positions all over the organization and coordinate with our security team to facilitate ongoing management and enforcement of our SPLC process.”
Building the Network: Channeling Resources
The first thing you need to do is decide whether you are going to create a team-based program (choose a representative from each team in the company to be the team champion), a skill-based program (choose the best people for the job from the entire pool of company employees), or a combination of both. Which route you choose depends on your organization’s requirements and setup. A small business may not have clearly delineated teams, while a larger organization with multiple large teams may find a team-based model easier to manage.
There is a third option. LinkedIn’s engineering department made building a NoSC a relatively simple process that can be adapted to most companies’ needs. Where it differed from other programs was in its goal: to train engineers with no security experience up to a security certification.
- Call for nominations – In LinkedIn’s case, all engineers could nominate themselves or a colleague. Nominees had to explain why they were a good candidate for being a champion.
- Select participants – The security team then selected a pool of participants based on candidates’ skills and ensured there was balanced representation across teams.
- Create a buddy system – Each champion was paired with a “buddy” on the security team and assigned actionable milestones.
- Train the champions – At LinkedIn, each iteration of the program runs for six months. The first three months are dedicated to training. LinkedIn chose the Stanford Advanced Computer Security Certificate Program.
- Work on milestones – During the second three months of LinkedIn’s NoSC program, champions and their buddies worked on the security projects they were assigned.
Some insights from LinkedIn’s NoSC:
- The organization held a Capture the Flag (CTF) competition in which teams were tasked with solving challenges based on common security vulnerabilities. This gave the champions hands-on hacking experience and encouraged their interest in the underworld of real-world cybersecurity
- The buddy system works “because it is exclusive and personal, and both parties can learn from each other.”
- According to LinkedIn, “Through participation in the program, Champions can take advantage of a valuable career advancement opportunity by gaining new skills and becoming knowledgeable resources for their teams. Since its creation, the Security Champions Program has successfully graduated more than 50 Champions.” Organizations should ponder the potential long-term cost savings in creating champions internally rather than recruiting externally as the need arises, or after they have been breached.
Presenting the Role: Who, What, When, Where, How and Why
You may want to create two champion roles: department representatives and skills gurus. A department representative is the liaison between a group, department, or team and the official security team. A skills guru is a person who teaches, fosters, mentors or assists employees on security issues.
OpenSAMM will help you define champion tasks and responsibilities, but there are some practical steps to take that will ensure the program operates efficiently, has official status, and doesn’t become a “flash in the pan” idea. For instance, if the NoSC members don’t have a place where they can meet regularly, people will start rescheduling “until further notice”, a point in time that, frankly, usually never arrives.
TechBeacon provides a few tips to get started:
- Define the role descriptions – What are the champions’ roles and responsibilities? Some ideas: investigating security reports, liaising with official security, writing a checklist of best practices, participating in new development planning, collating user issues, investigating new security software applications and so forth
- Nominate champions – Who is going to investigate bug reports and present them to the official security team? Encourage volunteering; anyone can become involved, e.g. graphic designers can create NoSC posters to market the program internally and drum up interest
- Set up communication channels – When are champions going to meet up? Where are champions going to meet up? How are champions going to communicate? Schedule a regular time and place for champions to meet and standardize communication channels, using a messaging app like Slack for chatting or Jira to manage tasks. You will also need an administrator to monitor these channels so that people don’t abuse them with unrelated content
- Maintain interest – Training workshops, newsletters, regular intranet updates and a notice board next to the coffee machine will all help to remind people the NoSC is an important, ongoing project. You can also provide opportunities for employees to learn new skills or pay for them to get a security certification, and offer recognition and rewards for their input over and above the call of duty, like a meal voucher for two for an employee who presents a weekend security workshop
Implementation – A Measure of Success
The last step in your PoA is to measure the success of your program. You should have benchmarks in place that you created using SAMM. The framework includes:
- A module to measure projects against company compliance standards and security goals
- Use of scorecards to demonstrate improvements against initial benchmarks and capture performance scores at regular intervals
- Maturity-level analysis, e.g. example success metrics to test whether an organization is performing at the required level
In conclusion, let’s summarize the three NoSC models you could consider for your organization. The goals are the same: to harden security, take pressure off the official security team, provide opportunities for employees to learn new skills, create a security culture of awareness, and improve incident response. A NoSC is a cost-effective way to do this and if you do it right, its efficacy is measurable.
- Buddy model – Employees with no security experience team up with an employee from the official security team and are mentored to become security experts. In this model, the employee spends time studying towards security certification and simultaneously works hand-in-hand with the security employee to solve real-world security issues. The employee eventually graduates as a cyber security champion.
- Skills model – In smaller companies, anybody can become a champion; they all belong to the core champion team and perform different roles, based either on existing skills or on skills they commit to learning and passing on to their colleagues. The team would include members who are prepared to put in time assisting the security team on an ad-hoc basis
- Teams model – In larger organizations, teams appoint a champion to liaise with the security team. In this model, champions are security ambassadors for their teams. Their role is to be the go-to security person for a particular area or department
Where to Next?
- Learn more about designing a security champions program
- Watch a video on building a security champions program
- Learn how to nurture security champion developers in an AppSec team
Build a Network of Champions to Increase Security Awareness, Smarter With Gartner
Security Champions, OWASP
Software Assurance Maturity Model, OpenSAMM
The 6 Principles of Persuasion, Influence at Work
Building a Team of Digital Marketing Security Champions, Security @ Adobe
Scaling LinkedIn’s Security Champions Program, LinkedIn Engineering