Building a Network of Security Champions
Many security practitioners have traditionally struggled with how to get key stakeholders to take security seriously. In recent years, security discussions have come to the forefront and more likely than not, you may find yourself struggling to meet growing security demands with limited resources. That’s why it’s imperative for central security teams to look beyond their group and build a network of security champions to expand their reach into various parts of the organization. This will help create a constant, virtual representation of security throughout cross-functional teams.
A security champion program is essential to any thriving organization. While a central security team is typical in most companies, establishing security champions is more unique. Security champions are embedded within the various product engineering teams, and effectively form a channel of communication between the product teams and the central security team. Security champions are a great way to build strong relationships outside your central security team and a crucial step in maintaining a security-aware culture. Security champions can help demonstrate the value and benefits of security by working with cross-functional product engineering teams and their respective management to assign security priorities across key functions.
Security champions outside of the central security team should seek to build close relationships with the leadership across your organization. Take your peers to lunch. Join planning meetings in groups such as sales, PR, marketing and legal–claim a seat at the table. This will provide an avenue to evangelize and implement security best practices amongst respective teams. Make sure they understand that you are there to help, not make their lives difficult. Find ways to demonstrate that integrating security does not have to hinder the development process by exhibiting simple tasks to improve security. And, get to know your executive team better. Don’t wait for your organization’s leadership to get to know you when you find yourself in the unfortunate position of having to respond to a crisis. If you have those existing relationships and buy-in from the top, it will be much easier to get the rest of the organization on your side.
Security champions are a great way to build strong relationships outside your central security team and a crucial step in maintaining a security-aware culture
A good approach is for the central security team to align with its security champions across the organization. This helps open the lines of communication. For example, if the central security team is not brought into product development conversations early on, how can they weigh in on what improvements could be made to product revisions? It’s a lot easier to get buy-in if a security champion, embedded in the product engineering team, can help the central security team prioritize and establish open dialogue with key stakeholders.
Extending beyond the central security team’s typical comfort zone, security champions know their audience and speak the right language. The central security team may have a habit of coming to the table with a laundry list of things, in no particular order that that must be addressed. Rather than this approach, the central security team should work with the security champions to deliver collaborative, prioritized, data-driven arguments that outline what priorities should be addressed. Since the security champions sit on the product engineering teams—they know the products, and they also understand where security needs fit within product priorities. Security, reliability, performance and enhanced features are all ways to measure a product release’s success.
There are several inflection points that can motivate an organization to get behind the security battle-cry and put the need for a security champion program front and center. One example that presents an opportunity for security involvement early on, is when an organization is considering an acquisition. A proactive plan should be put in place so the newly acquired product portfolio can be quickly integrated into the software development lifecycle and make sure processes are quickly adopted to follow standards of the rest of the organization. Newly acquired products that are being folded into an existing portfolio need to be examined carefully and have security participation from the beginning.
The central security team in coordination with security champions will focus on identifying potential complications that the newly acquired assets may bring and can ease potential growing pains. It’s a good idea to identify security champions as early as possible to evaluate risks and make informed recommendations based on that assessment. Acquisition plans are typically put in place for HR and finance–the same needs to happen for security. You will also want to identify a specific security champion on the newly acquired team who can make suggestions, since they will have a heightened awareness from the perspective of the new investment.
If your organization does not have a security champion program in place, there is no better time than the present to get one organized. Once you have a program in place and execute well, your central security team will be viewed as an invaluable asset to the organization. Security champions are a critical part of maintaining a strong central security team. Your team will thrive with an open culture mindset and operate as an essential business partner across the organization – this ultimately benefits the entire business–a win-win for all parties involved.