Month: October 2021

In the previous article, ‘Recruiting Security Champions’, we covered several ways to find, attract and recruit people to your cause. In this article, we will talk about how to get them revved up about security once you have found them.

Engage:

To occupy, attract, involve – in security activities!!!!

To participate or become involved – with your champs!!!!

If we want IT professionals to join our security champions programs, we must make it interesting and appealing to participate. We want to motivate them; to do extra work on top of their regular job, to care about security, to learn a lot of new things, to work with us. It needs to be good.

Below are a few ideas of how you can make your champions feel engaged.

If possible, bring them on a security incident that has to do with software. Teach them what it’s like to respond, the consequences, and just how much damage insecure code can cause.

Share (appropriate) secrets with your champions. If you are going to share quite sensitive info, inform them of the concept of ‘need to know, then ‘Deputize’ them onto your team for that one meeting.  Being vulnerable and admitting mistakes is a great way to get buy-in, and interest.

Let your champions see everything first. New tools, documents, policies, changes, etc. And ask their opinions. First, because they will likely have great ideas, and second because it makes them feel like they matter.

Create a mailing list for your champions to tell them new security stuff. Send them links to podcasts, articles, events, or anything else that you think is relevant and they may find interesting.

Meet with them 1:1 once every month, and have a pre-set list of questions. Potential questions (thanks to my friend Ray at Hella Secure Blog): What are you working on? What are you going to be working on next? Do you need any help? These questions will spark conversation and led you down the right path. That said, when you ask questions like this brace yourself for potentially bad news so that you can play it cool if they reveal something that makes you cringe.

Hold team-building events, let them know each other. Having a friend on a team always makes it worth coming back.

Invite them to join security communities, such as OWASP or We Hack Purple Community (with of which are free to be part of!).

There are many, many ways you can make the champions feel engaged, and one of the best ones is to give them training, which is what we will talk about in the next article, ‘Teaching Security Champions’.

In the previous article, ‘Building Security Champions’, we covered what champions are, why you need them, and our plan to make an amazing program.

The #1 most important rule of recruiting security champions is that you must attract them. Do not “voluntell” someone to be a security champion. That person is not going to do their best for you, and they certainly won’t enjoy the experience. Attract the right people instead of forcing them.

How does one ‘attract’ champions?

Perform Outreach

• Use lunch and learns to teach about security
• Arrange security training
• Anyone who asks questions or attends all the events is a potential champion
• Use interesting titles for events if you can
• Add a note to your email signature, saying you are looking for champions
• Put a sign on the fridge in the kitchen
• Talk about it at the all-staff meeting
• Send an email to all of IT

 

Observe

Pay attention to who responds, attends events, asks questions, and who is ‘always there’. Those are the people you need.

 

Adjust Your Attitude

Change your team’s mantra to “I am here to serve you” and your team will attract even more candidates. Saying “you are my customers” to the rest of IT if you are a security professional, is basically the truth. Plus, you always get more bees with honey.

#2 most important rule of recruiting: ensure their manager is on board. You don’t want this person to have to fight to do work for you or feel conflicted. Ensuring their manager is comfortable.

In the next article, we will talk about how to engage your champions (which will result in you finding even more).

Most of us that work in cybersecurity are well aware that there are not enough people to fill all of the positions that we have opened. There is a severe shortage of trained and experienced people who are capable of securing the systems that we must protect. Application security engineers, DevSecOps professionals, security architects, you name it, there’s a shortage.

We will never have the staff, budget or time to do all the security work we want to do.

One of the ways that we can address this is by scaling our security teams and programs. When I say scaling, I don’t mean what you do to a fish after you catch it. I mean finding a way to do more, with less. This can involve automation, creating self-service systems, and many other potential solutions. In this series of blogs, we will discuss how you can solve this problem by building a security champions program for your organization.

What IS a security champion?

A Security Champion is a member of a team that takes on the responsibility of acting as the primary advocate for security within the team and acting as the first line of defense for security issues within the team.

Or more plainly:

The person who is most excited about security on a team. They want to read the book, fix the bug, or ask security questions. Every time.

 

Tell me more!

Security champions are your communicators. They deliver security messages to each dev team, teaching, sharing, and helping.

They are your point of contact, delivering messages to and from the security team, and keeping you up to date on what matters to your team.

They are your advocate. They perform security work, for their dev team, with your help.

They also advocate for security, asking questions in situations you would have been left out of. Raising concerns, you might have missed. They are a peer for everyone on their team and can influence in ways that you yourself cannot.

In the next few posts, we will cover how to build an amazing security champions program! We will follow this recipe:

• Recruit
• Engage
• Teach
• Recognize
• Reward
• (Over)Communication
• Metrics & Data
• Don’t Stop!
• Conclusion

In the next article, we will talk about how to find the right people to become security champions.

If you want to learn it all right now, I have a conference talk on this topic already, which covers much of what these posts will cover. Feel free to watch it. I gave it at B-Sides Vancouver, an AMAZING community-led conference, close to where I live.