Why You Need a Practical Security Champions Program

FactSet
Published Oct 11, 2023

A Security Champions Program is an effective way to scale and distribute security across development teams. By embedding dedicated Security Champions across development teams, we can improve security awareness and maturity across the organization.

A Security Champions program is made up of a collaboration between a security team, development teams, and an executive sponsor who supports and promotes the program. It also includes high-performing individuals within development teams who are nominated as Security Champions, undergoing additional security training to act as ambassadors for security.

FactSet launched its Security Champions Program in July 2022. Here are some of the benefits we’ve realized:

  1. Improved security awareness and adoption of secure coding practices throughout the software development process
  2. Enhanced collaboration and knowledge-sharing between the Security Champions and the Security Team, improving the effectiveness of security reviews and testing
  3. Fostered culture of continuous improvement, integrating security

Here is how to best utilize a Security Champions Program:

Doing your homework — Planning and Preparation

Planning and preparing well ahead of the program’s launch enables you to identify all potential challenges the program might encounter. Think organization culture and maturity, bandwidth constraints, training requirements, resource allocation, etc.

Start brainstorming well ahead of the program’s launch. Create an internal central portal to document the information related to the program. Some of the key sections of your central portal include:

  • Program overview
  • Roles and responsibilities
  • Program roadmap along with key milestone dates
  • List of Security Champions and Security Champion Leads
  • Success metrics and goal template
  • Details of planned training topics

Sponsorship from the top Leadership

For a wider reach, the emphasis on the importance of a Security Champions Program should take a top-down approach. Ensure your top leadership is fully aware of and supportive of the program. Ask leadership to discuss the program in their staff meetings, and encourage the respective departments and their leaders to participate in the program by identifying and nominating team members.

Bandwidth commitment

Create a one-year plan and list all the activities the Security Champions will contribute to in order to calculate the expected average number of hours per week per person. For example, require Security Champions to allocate 25% of their time, but be flexible with teams that can only allocate a minimum of 10%. Activities for the first year of the program include:

  • Training of Security Champions
  • Application inventory review and update
  • Collaboration on SAST (Static Application Security Testing) onboarding, triaging, and remediation
  • Reduction of security defect backlog

Second year and onward activities are also listed below:

  • Collaboration on SCA (Software Composition Analysis) onboarding, triaging, and remediation
  • Collaboration on DAST (Dynamic Application Security Testing) onboarding, triaging, and remediation
  • Threat Modeling
  • Dynamic Analysis
  • Penetration Testing

It is recommended to limit first-year responsibilities to set a solid foundation for the program and to ensure Security Champions have ample time to settle in and feel comfortable.

Promotion of the program

Once the program's definition of success is clearly understood, target teams must be made aware that the program exists and of the benefits they stand to gain from it. The approaches include:

  • Create and share posters organization-wide
  • Talk about the program with the engineering teams and encourage participation as part of ongoing security and architecture review meetings
  • Present the program overview as part of organization-wide townhalls hosted by our executive leadership team

Engagement

For the success of any Security Champions Program, keeping the group engaged and involved is the most critical aspect to achieving the program’s core objectives. Here are several avenues to keep the Security Champions engaged:

  • Conduct fun quizzes focused on Security and SDL (Secure Development Lifecycle) awareness
  • Conduct several knowledge sharing sessions on numerous SDL & security topics
  • Create a dedicated chat channel for Security Champions
  • Schedule monthly meetings to learn, discuss and collaborate
  • Produce self-help and guidelines pages addressing commonly asked questions
  • Encourage Security Champions to participate in security events such as hackathons

Training Topics and Content

Well before the launch, onboard Security Champions with these training topics.

  • Introduction to Security Champions Program
  • Review your organization’s Security Policy, Security Review Process & SDL activities
  • Application security & security tools
  • Illustrate security issues with real examples
  • SAST Tool Demo and Usage Guidelines
  • Express the importance of maintaining application Inventory
  • DAST Tool Demo and Usage Guidelines
  • SCA Tool Demo and Usage Guidelines

Rewards and Recognition

An opportunity to learn about security itself can be a great motivation for some, but that zeal might fade away after the initial few months. Recognizing the difference a highly motivated and energized group can make, here are several ways to reward and recognize the Security Champions:

  • Order customized swag for the Security Champions
  • Allocate budget for external security trainings for a certain percentage of top performing Security Champions
  • Publish monthly newsletters highlighting accomplishments of Security Champions
  • Publish company-wide content to appreciate their efforts
  • Leverage internal recognition tools to spread awareness of their impact

The lessons learned from our experience in implementing Security Champions Programs across multiple organizations provided us with valuable insights on what works and what does not. Throughout our journey, the OWASP Security Champions Project served as a guiding light, offering steady direction wherever needed. Remember, each organization's culture is unique, and you must tailor the program to its cultural needs and challenges. Furthermore, you should continuously evaluate the program through regular communication with the Security Champions, identifying and addressing any challenges. The Security Champions program is pivotal to the overall success of any security team.

Author: Sandeep Kumar Singh (Director, Cybersecurity) & Michael Xin (Director, Head of Product Security)

Editors: Gregory Levinsky (Marketing Content Specialist) & Josh Gaddy (VP, Director, Developer Advocacy)
