Where do we want to end up? Step one of the Security Champion Program Success Guide helps focus our efforts on an ideal end-state. Start a document to capture your decisions as you work through the process.

Steering Team

You don’t have to go it alone! I recommend assembling a group of people to assist with defining your program. You should search for individuals who you feel can add value to your brainstorming sessions while also engaging in healthy debate, optimizing the creative process. I suggest picking 1-2 other people to start, but there may be opportunities to expand to other stakeholders, and even some of the Champions themselves, in the future.

Purpose

Start with why! Why are you building a Security Champion program? What are you trying to accomplish? This should be a simple, to-the-point, easy-to-memorize statement. Avoid long, confusing paragraphs that include too much detail. Let this statement be a guiding star for the rest of your effort.

Example Purpose

Ideal Future State

Here’s where it gets exciting. Don your optimism hat and dream big. What does the future state of your company look like due to this program? You may want to capture what the security team would do in this utopia… do they still have a place? I believe so… check out the example below.

Example Ideal Future State

Mission

How do you want your Champion program to operate? This is the “what” and “how” day-to-day driving force of the program. This starts to get you into the details, but don’t worry about getting this perfect. You can refine it later as you continue to brainstorm.

Example Mission

Goals

Now that you have the theoretical ideas down, it’s time to dig into details. What specific business outcomes are you trying to accomplish? These are SMART goals (Specific, Measurable, Attainable, Relevant, Time-bound) ordered by importance. You can start by brainstorming and then take the time to discuss the details and order them effectively. The order in which you place these goals will have a large influence on how you structure your program.

If possible, try to align your objectives and metrics with the strategic objectives of your security team or even your organization, such as a focus on software quality or reducing production incidents. What specific metrics or KPIs are you trying to influence?

Remember, the Program Success Guide is iterative and you may not be able to reach all of these goals in the first phase.

The following example has the top objectives as the ultimate long-term goals, with the bottom objectives as prerequisites to the ones above them. You may wish to design your program to focus on these “dependency” objectives first and move toward the top ones as your program matures.

Example Goals

Leadership Buy-In

As your program Purpose, Ideal Future State, Mission, and Goals take shape, it’s important to start communicating them to senior leadership, on the security team and beyond. To the extent possible, include others by giving them regular updates to allow them to “weigh-in” early before you go too far down a path they cannot or will not support. This is also necessary to influence them to “buy-in” to the program and actively support your effort once you roll it out. Weigh-in leads to buy-in.
