Security Champions? Introduce them in your Organisation | Ives Laaf

Introduce security champions in your organization to improve security, share knowledge, and reduce technical debt. Learn the roles, responsibilities, and benefits of security champions and how they can improve your organization's security posture.

Key takeaways
  • Security champions should be introduced in every organization to improve security.
  • Everyone in the organization is responsible for security, no matter their role.
  • Security champions should be given clear roles and procedures, and backed by the security team.
  • They should have some knowledge of, or an affinity for, security, and be expected to act as champions, not as leaders.
  • Security champions should provide guidance and knowledge sharing, and help reduce the technical debt in the organization.
  • They should have a mandate to secure the organization’s applications, and be active in all aspects of the development process.
  • Security champions should have clear objectives, such as threat modeling, vulnerability management, and risk assessment.
  • Incident response and disaster recovery plans should be part of the security champion’s duties.
  • Security champions should have a clear understanding of the organization’s security policies and procedures.
  • They should be able to use available tools and frameworks, such as OpenSEM and Security Knowledge Framework.
  • The security champion’s role is not a new one, and it’s been around for years, e.g. in the Software Assurance Maturity Model.
  • OWASP (Open Web Application Security Project) has been around for many years and has many resources available.
  • Security champions should be motivated and enthusiastic, and have a desire to improve the organization’s security.
  • They should have a good understanding of the organization’s security posture and be able to prioritize efforts.
  • It’s important to communicate and collaborate with other teams, including developers, DevOps, and management.
  • There are many tools and resources available to support security champions, including training and certifications.
  • Everyone in the organization should be aware of the security champion’s role and what they do.
  • Managers and leaders should support the security champions and provide resources for them to do their job.
  • A security champion can help identify security issues and steer the development process in a more secure direction.
  • They can also help identify technical debt and guide the organization in reducing it.
  • Security champions should be able to measure and track the progress of the organization’s security efforts.