Security Champions? Introduce them in your Organisation | Ives Laaf

Security

Introduce security champions in your organization to improve security, share knowledge, and reduce technical debt. Learn the roles, responsibilities, and benefits of security champions and how they can improve your organization's security posture.

Key takeaways
  • Security champions should be introduced in every organization to improve security.
  • Everyone in the organization is responsible for security, no matter their role.
  • Security champions should be given clear roles and procedures, and backed by the security team.
  • They should have some knowledge or affection for security, and be expected to be champions not leaders.
  • Security champions should provide guidance and knowledge sharing, and help reduce the technical debt in the organization.
  • They should have a mandate to secure the organization’s application, and be active in all aspects of the development process.
  • Security champions should have clear objectives, such as threat modeling, vulnerability management, and risk assessment.
  • Incident response and disaster recovery plans should be part of the security champion’s duties.
  • Security champions should have a clear understanding of the organization’s security policies and procedures.
  • They should be able to use available tools and frameworks, such as OpenSEM and Security Knowledge Framework.
  • The security champion’s role is not a new one, and it’s been around for years, e.g. in the Software Assurance Maturity Model.
  • OWASP (Open Web Application Security Project) has been around for many years and has many resources available.
  • Security champions should be motivated and enthusiastic, and have a desire to improve the organization’s security.
  • They should have a good understanding of the organization’s security posture and be able to prioritize efforts.
  • It’s important to communicate and collaborate with other teams, including developers, DevOps, and management.
  • There are many tools and resources available to support security champions, including training and certifications.
  • Everyone in the organization should be aware of the security champion’s role and what they do.
  • Managers and leaders should support the security champions and provide resources for them to do their job.
  • A security champion can help identify security issues and steer the development process in a more secure direction.
  • They can also help identify technical debt and guide the organization in reducing it.
  • Security champions should be able to measure and track the progress of the organization’s security efforts.

More talks

"Data Driven Investigation in Defense of Human Rights" by Christo Buschek (Strange Loop 2022)

Dr. Björn Bringmann | Race to AI – A Global Perspective | Rise of AI Conference 2022

Disaster Recovery & You: The Gift of Paranoia - Valerie Regas

AI Assisted Decision Making of Security Review Needs for New Features

🚀 Feature Branching Considered Evil (Thierry de Pauw )

Vue: Feature Updates - Evan You, Vue.js Live 2023

Five Common Signs of a Dysfunctional Leadership Team • George Burrows & Leandro Balan • YOW! 2019

Securing the Future: Balancing Cybersecurity and Innovation. Panel moderated by Elvīra Krēķe