As DevSecOps grows in popularity, we're seeing the rise of other trends aimed at bridging the gap between development, operations, and security teams. One popular concept now is the creation of a Security Champions program.
The program is designed to improve security within companies by awarding developers a "Security Champion" title. These individuals then act as a conduit between security and development teams to promote communication, knowledge sharing, and collaboration.
Together, they work with their respective teams to champion security concepts, celebrate successes, and promote security hygiene throughout the build process for developers.
However, implementing a program like this is not easy. It takes strategic planning and considerable thought in deciding who will take on the role of a champion, how to effectively roll it out, and how to measure success. Here are some tips.
Step 1: Create Buzz
Introducing this program shouldn't be about obligation or following in the footsteps of others. It's about finding a smart and creative way to identify and address security challenges in your organization.
Before you do anything, you must clearly define your goals. This could include designing and implementing new security processes, finding and fixing a higher volume of vulnerabilities, or simply making security top of mind for more people internally. Once these are set, it's time to introduce the program to your developer teams and get them on board.
Start by outlining the benefits the program could bring to their teams. Focus on how it will help eliminate pain points for developers.
For example, if a particular team is showing signs of stress due to increased obstacles, encourage them to volunteer to be part of the pilot program to see firsthand how it could benefit them. Think of previous projects that struggled with security challenges and explain how being part of a program like this could have avoided those hiccups.
Step 2: Identify Champions
Choosing who the champions will be is one of the most important parts of the process and sets the tone for how the program will play out. Get it right and you're off to a great start. Get it wrong and the program may fail before it's begun.
Remember, the first wave of champions will set the precedent for the program. The aim is for others to see them in action and want to take part later.
As a rule of thumb, programs should aim to have one security champion per engineering team. This level of visibility helps the entire security team have a good idea of where risk is manifesting. Make sure you roll it out slowly though, so there's time to iron out any kinks.
Ideally, the people you select should be both confident and passionate. These tend to be developers who have proven themselves through their development work and have shown they can resolve issues that arise across the engineering teams.
If there isn't anyone obvious who comes to mind, you may want to consider asking if any developers have a desire to change positions and work within the security team. Be clear on what the role will entail to avoid any confusion.
Remind everyone that there is no pressure for the security champion to be an expert, as their role is primarily to act as a connection point between developers and security teams. Granted, having an interest in security will be helpful, but they aren't expected to wave a magic wand and fix every security issue. Their job is to provide visibility, keep both sides focused on achieving security goals within a set time frame, and work out the steps needed to get there.
Try to involve anyone who volunteers. Their passion and curiosity will play a vital role in the program's success.
Step 3: Rolling Out the Program
Although the overall goal is companywide coverage, the rollout of a Security Champions program should start small.
Implement the program with just a few teams first. Start with teams working on higher-priority areas, teams exposed to the highest risk, and teams that are already mature in their security practices. This gives you a solid foundation to build from.
Make sure you're offering support to the champions. Set up regular meetings among the champions and with the security team so they can openly discuss issues and collaborate on solutions.
Likewise, encouragement can, and should, also be provided in the form of recognition and rewards, which will help drive further recruitment.
Step 4: Measurement and Expanding
Knowing when to expand the program to include more teams can be tricky. It comes down to two things. First, is the security team in a position to support more teams? Second, is the current program successful?
Measuring success is difficult, but it can be done if you look at both qualitative and quantitative data.
Devise a set of criteria to track: Is the program being adopted by engineering teams? Are the champions' recommendations being implemented? Are champions active, meeting their goals, and hitting the requirements you set out at the start of the program? These criteria should connect back to your original goals for the program.
The first couple of months are about trial and error. Talk to developer teams and see if they can give you examples of how they have started building security practices into their processes. For example, since a certain date, have they consistently done threat modelling, reduced their security backlog, or added automated testing of a particular feature throughout their pipeline?
A Security Champions program is a great way to enhance security maturity, reduce vulnerabilities, and make security top of mind throughout the business. But it's not something that can be achieved overnight. It requires patience and planning, and it must be rolled out slowly to maximize success.