Yael Citro
Security champions are popping up everywhere.
Companies are finding it challenging to scale security teams, DevOps can’t be everywhere at once, and developers faced with the pressure to ship features may not always have security top of mind. Steps get missed, leading to vulnerable code making it to production, putting everyone at risk.
Companies are cultivating security champions on their development teams to combat these challenges, make application security part of the continuous integration and delivery (CI/CD) cycles, and scale security across the company.
But what is a security champion, and do you need to find room in the budget for a new role? Not necessarily. Champions are on your teams, already working for you. They are developers with a passion for security and ready to embrace the role of a security champion.
Here’s what you need to know about security champions, what they do, and how to identify them.
What is a security champion?
Security champions know your company’s software applications, development processes, team goals, and culture. They’re good at communication and act as bridge-builders between development and security teams, raising potential issues that may require security expertise.
They are often developers or software engineers already well-versed in day-to-day processes, goals, and culture. Still, security champions don’t always need to be developers. A security champion need not be a development lead or Scrum Master. Champions can include QA, architects, and product managers.
What does a security champion do?
Security champions act as an extension of the security team. They’re the single point of contact for a development team and help advance security culture, raise awareness, and bring security expertise to the entire software development lifecycle (SDLC).
As part of development teams, champions understand your release cycle, whether your SDLC is a waterfall, continuous integration and continuous deployment (CI/CD), or another method. They can connect the dots between security and engineering requirements and work towards solutions, reducing friction during code review. In the process, champions help improve security culture and make security part of the development cycle.
Their duties can include, but are not limited to:
- Educating the engineering team in secure development,
- Adding and improving security checks during the SDLC,
- Questioning where engineering team decisions aren’t including security,
- Providing the security team with visibility into the practices of development teams
- Answering security-related questions from the engineering team.
Note that this is not an extensive list, and duties may vary based on your business needs.
Why do development teams need security champions?
Developers are tasked with writing and pushing code for new features, updating existing features, running tests, and fixing bugs. Security can take a back seat in a rush to meet deadlines and push out features.
Since champions are often developers, they understand the development process and coding challenges and can act as the security conscious of the team. They can raise potential problems before the code reaches production to address issues sooner rather than later and bring stickier code security questions to the security team for guidance.
Having security champions on development teams helps keep application security in the minds of developers throughout the development process, leading to improved code, smoother reviews, and secure releases.
How to start a security champion program
The first thing you need to do to start a security champion program is to get management buy-in from the CEO and the development and security teams. Doing so empowers champions and signals to the rest of the team that it is an important role.
The second thing to do is start small with one or two projects to help champions understand the role and how it fits within the team and the company. Starting with one or two projects also helps the development team figure out how to balance workloads and learnings from the champion.
Throughout the one or two projects, collect information through regular meetings and written updates about issues like communication barriers and workflow bottlenecks and how or if they get resolved. Talk to team leads, developers, and anyone associated with the project about the experience of having a security champion on the team. Then, iterate on the feedback for the next one or two projects.
Starting small will help ensure the success of security champions and scale security practices throughout the company.
How to identify your security champions
The OWASP Security Champions Playbook has six points to follow when selecting security champions:
- Identify the right teams – Based on your company structure, does it make more sense to have one team for the entire organization or individual teams for each department?
- Define the role – To start, figure out where security challenges are most significant in your company and where security champions will be most, then define their duties.
- Nominate prospective champions – This is most likely a voluntary position, so you can ask for volunteers or team members to nominate their peers. Include technical and management representatives with an interest or competency in cybersecurity.
- Communication channels – In addition to regular meetings with each other and the security team, ensure security champions have open communication lines between each other and the security team. A dedicated Slack channel or Confluence page might be beneficial depending on company communication tools.
- Knowledge base – From meeting notes to retrospectives to best practices, keep track of information and build a library of internal security protocols that security champions, the security team, can reference, and the company.
- Maintain interest – Keep things interesting for security champions with regular training opportunities and information sharing. Cybersecurity changes, so keeping security champions abreast of new threats and techniques will help maintain their interest.
Your security champions -whether it’s one person representing the company or a team of people – should meet OWASP’s playbook recommendations.
One more essential ingredient: team player
Security champions don’t have to be members of the company’s leadership team but should demonstrate leadership skills since they are tasked with helping others follow security best practices.
When searching for security champions, look for someone with a proven interest in cybersecurity. They may have volunteered to assist with audits, regularly recognize and report potential attacks, or always participate in the company phishing competition. Potential security champions should also demonstrate good people and communication skills, as they will be mentoring other employees and leading security awareness training.
Benefits of formalizing a security champion program
A formalized security champions program bridges the gap between security and development teams. Remember that security is not a one-off thing but a continuous process. As such, a formal security champions program helps weave security practices into the fabric of software development and the company.=
While different teams will have different motivations and benefits they want from a security champions program, a common goal is to reduce issues and overall risk of the applications they’re building. Formalizing a program is one way to reach that goal since it creates a focal point for training and educating all developers, not just those on the trial projects.
Having developers teach developers is more successful than just yearly training from the security team. Why? Because developers teaching developers helps to integrate secure development techniques, making development teams more self-sufficient and security-minded during the SDLC.
A formal program also creates career growth opportunities, which helps retain employees. Developers acquire a vast amount of knowledge while working at your company, and when they leave for new opportunities, there can be gaps in that knowledge. A security champions program presents additional opportunities in-house for those that are passionate about security.
