Build Security Champions
Building upon an attendee’s comment, “Tools can help address short-term issues, but the problem is with educating users, customers, and staff on long-term business goals and objectives. Tools come and go, but the knowledge innovation for security & sustainability is what ultimately will make the difference.”
This is also a topic near and dear to Dustin, who has rolled out successful security champions programs. My team at Security Innovation worked with Dustin at Staples and Fivetran to craft and execute those programs. Though Gartner published this (2020) after the Staples program was in operation, what they recommend for building a good security champions program echoes what Dustin oversaw: training that uses a belt system (like martial arts) and mixes different blended-learning elements, e.g., online or instructor-led training coupled with practical, hands-on capture-the-flag exercises, all tied together with specific on-the-job tasks directly related to each person’s role.
Let’s also level-set on what a security champion program is. In my experience, it is recruiting volunteers across the organization to represent security as part of their job (importantly, in addition to their day job). Identifying these non-security people to represent security in their respective group(s) is an effective method for driving culture change. One of the reasons it’s so effective is that it’s different when somebody on the existing team starts talking about security: you’re driving change from within the teams as opposed to some external third party.
As both a software security training and assessment provider, this is a topic I’m passionate about. We see the mistakes software teams make in our security testing services and frequently find vulnerabilities that automated tools miss. I’m not anti-tool; we use them in our testing as well. However, tools are limited by the way they are programmed (most commonly pattern-matching). Knowledge is power, and power is confidence.
In terms of building and running a security champion program, it is about starting with those allies mentioned above. Be on the lookout for people who are already interested in security. One of the pitfalls is focusing only on content and not on motivation. Provide things like a belt program to recognize people’s efforts (maybe even engage HR to tie it to your professional development and job review process). The more effort they put in, the more they level up, gamification-style, which shows that they’re putting in the work and makes it easy to recognize people for their effort. In short: relevant content, structured to acknowledge progress, delivered from within each organization so that security becomes part of their daily thought process.
About Ed Adams, CEO
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He has served as a member of the Security Innovation Board of Directors since 2002 and as CEO since 2003. Ed has held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. Earlier in his career, he was also an engineer for the US Army and Foster-Miller.
Ed is a Ponemon Institute Research Fellow, a Privacy by Design Ambassador appointed by the Information & Privacy Commissioner of Canada, a Forbes Technology Council Member, and a recipient of multiple SC Magazine Reboot Leadership Awards. He sits on the board of Cyversity, a non-profit committed to advancing minorities in the field of cyber security, and is a BoSTEM Advisory Committee member.