Where do we want to end up? Step one of the Security Champion Program Success Guide helps focus our efforts on an ideal end-state. Start a document to capture your decisions as you work through the process.
Steering Team
You don’t have to go it alone! I recommend assembling a group of people to assist with defining your program. You should search for individuals who you feel can add value to your brainstorming sessions while also engaging in healthy debate, optimizing the creative process. I suggest picking 1-2 other people to start, but there may be opportunities to expand to other stakeholders, and even some of the Champions themselves, in the future.
Purpose
Start with why! Why are you building a Security Champion program? What are you trying to accomplish? This should be a simple, to the point, and easy to memorize statement. Avoid long confusing paragraphs here that include too much detail. Let this statement be a guiding star for the rest of your effort.
Example Purpose
To maximize our security maturity by scaling security awareness and best practices across the company.
Ideal Future State
Here’s where it gets exciting. Don your optimism hat and dream big. What does the future state of your company look like due to this program? You may want to capture what the security team would do in this utopia… do they still have a place? I believe so… check out the example below.
Example Ideal Future State
Every member of the organization has seamlessly integrated security best practices into their daily work and consistently thinks about security implications to prevent security risk.
- Non-security people perform security-related tasks:
  - Software engineers follow secure coding practices
  - Cloud engineers keep up with patching systems
  - Architects maintain and update their threat models
  - Everyone identifies and reports phishing attempts
- The security team is still necessary. Responsibilities:
  - Set strategic program direction and build executive support
  - Set standards, guidelines, and policies
  - Maintain security related tools and processes
  - Mentor, train, teach awareness of latest security trends
  - Coordinate and respond to security incidents
Mission
How do you want your Champion program to operate? This is the “what” and “how” day-to-day driving force of the program. This starts to get you into the details, but don’t worry about getting this perfect. You can refine it later as you continue to brainstorm.
Example Mission
Security Champions will be volunteers who act as embedded security representatives on their teams responsible for the following:
- Gaining security knowledge / skills and sharing with their team
- Ensuring security best practices are followed by observing, reporting, and remediating security concerns
- Building a strong relationship with the security team as the liaison between them and their team
Goals
Now that you have the theoretical ideas down, it’s time to dig into details. What specific business outcomes are you trying to accomplish? These are SMART goals (Specific, Measurable, Attainable, Relevant, Time-bound… more on SMART goals here) ordered by importance. You can start by brainstorming and then take the time to discuss the details and order them effectively. The order you place these goals will have a large influence on how you structure your program.
If possible, try to align your objectives and metrics with the strategic objectives of your security team or even your organization, such as a focus on software quality, or reducing production incidents, for instance. What specific metrics or KPIs are you trying to influence?
Remember, the Program Success Guide is iterative and you may not be able to reach all of these goals in the first phase.
The following example has the top objectives as the ultimate long-term goals, with the bottom objectives as prerequisites to the ones above them. You may wish to design your program to focus on these “dependency” objectives first and move toward the top ones as your program matures.
Example Goals
1. Increase the # of Security Habits Followed by the Teams (Prevent Security Issues)
   Security Champions drive adoption of security best practices into their teams’ daily work. In the realm of software, this means integrating security-focused habits as part of the Software Development Lifecycle (SDLC), such as Threat Modeling during the design phase of a project or sprint. For the org as a whole, this means focusing on small habits that have large impacts, such as good password habits and phishing email reporting.
2. Decrease Average # of Security Issues per Team (Remediate Security Issues)
   Security Champions encourage their teams to address known security issues discovered from a variety of sources, including tools such as SAST, SCA, DAST, security assessments, penetration tests, and incidents.
3. Increase % Security Assessment Coverage (Discover Security Issues)
   Security Champions encourage their teams to analyze their architecture, systems and processes through scan tools, security assessments, and pen-tests to find security issues.
   * Note: this one is necessary for 2 to have any meaning. You can’t “cheat” and tout a low # of security issues if you haven’t spent the time to try and find them.
4. Security Champion Knowledge and Skills (80% of Champions have taken non-required training)
   Provide value to the Security Champions by providing resources so they can grow their own knowledge by completing learning activities such as training to ultimately help their teams affect the metrics above.
5. Security Champion Program Participation (80% attendance in monthly meetings)
   Build trust with your Champions by offering a sincere partnership of mutual respect. Demonstrate your commitment to listening and helping them grow in cybersecurity. In return, Security Champions demonstrate commitment to advancing and contributing to the program through attendance in meetings, likes/comments on security posts in Slack, inviting others to join the program, and so on.
Goal Dependency Explained
Security Champions must participate in the program to gain knowledge and skills, which lets them better discover issues that they can then fix and ultimately learn to prevent!
Participation leads to knowledge, which leads to discovery, which leads to remediation, which leads to prevention.
5. Participation -> 4. Knowledge -> 3. Discovery -> 2. Remediation -> 1. Prevention
Leadership Buy-In
As your program Purpose, Ideal Future State, Mission, and Goals take shape, it’s important to start communicating them to senior leadership, on the security team and beyond. To the extent possible, include others by giving them regular updates to allow them to “weigh in” early, before you go too far down a path they cannot or will not support. This is also necessary to influence them to “buy in” to the program and actively support your effort once you roll it out. Weigh-in leads to buy-in.
Next Step: Participants ->