In a world where speed matters in IT development, and cyber breaches are an expected part of doing business, enterprises across all industries need to prepare now. Security champion programs can augment their security teams and help organizations cultivate a strong, security-focused culture to not only protect data and systems, but also speed up development. Enterprises with mature security cultures have started to engage security champions throughout their organization to foster greater security awareness and expertise at every level of the development process and beyond.
Yuval Malisov, a chief information security officer (CISO), says that security champions become the "eyes and ears" of CISOs. "They assist in identifying and escalating relevant issues, control gaps, or user pain points to the security team, while offering guidance to users on common security issues and processes to reduce the number of tickets the security team must address," he explains.
Security policies cover a broad swath of security matters from vulnerability management to penetration testing and security and privacy by design. According to Diane Norris, engineering automation architect at Broadcom and a security champion herself, "Security champions play a crucial role in facilitating both the timely and effective adoption and implementation of security policy."
"Sometimes," she explains, "the best security policies struggle during implementation without feasible and balanced adoption strategies or procedures to accompany them. These strategies help incorporate security priorities into existing team engineering practices as seamlessly as possible." For example, Norris says, "Champions, who are not always security experts, interpret and implement security policy into the software development life cycle, while surfacing policy and procedure feedback from the teams to continually improve and enhance security policy."
Traits of Successful Security Champions
Although it is not necessary to understand all of the technology, Malisov advises that enterprises select candidates who are process-oriented and have a good eye for detail. Security champions have the ability to understand common fraud scenarios or the red flags associated with suspicious activity, particularly the security risks facing their enterprise's line of business.
Meanwhile, Broadcom has a set of guiding principles that embed security into every stage of software development, and the corporate culture reflects an "everyone is responsible for security" mindset. Another essential skill in a security-focused environment is communication.
Essential Skills for Security Champions
- Detail-oriented
- Enthusiastic about security
- Able to balance security with business priorities
- Willing to share their security knowledge with others
- Able to communicate with every level of the team
- Engaged in continuous learning
For example, in Norris' role as security champion and automation solution architect, she must advocate for and facilitate the adoption of security principles by building a bridge between the teams creating Broadcom's security policies and the teams developing software solutions. "I’m responsible for establishing and maintaining two-way communication between the security and automation solution teams for security policy awareness and feedback, process implementation, and education," she says.
"As a security champion, on any given day, I may be communicating a new security policy to the teams, assisting the teams with evaluating a vulnerability, providing team policy and procedure feedback to the security teams, coordinating a vulnerability response, or participating in security education for myself or the teams," explains Norris. "While these daily activities may look quite different from my day-to-day architect responsibilities, such as designing microservices and choosing data stores, the role overlap turns out to be both complementary and advantageous."
According to Norris, her architect role provides her with an in-depth understanding of Broadcom's automation solution technology stack and how to best adapt security policies and procedures for maximum effectiveness within automation teams. As a security champion, she receives and shares security education with the teams to make sure security is not only at the forefront of her own duties, such as designing solution architectures, but also on the minds of her team members.
How to Structure Security Champion Training
To create an effective security champion training program, Malisov recommends that those programs target specific lines of business. "Developers should get trained on secure coding and the front office should be familiar with the common scams, social engineering, and phishing patterns, etc., while the help desk should be able to triage a basic host compromise, and all should know what issues need to be escalated to the security team," he explains. Malisov also says that security champions should remain in their line of business and report to their respective managers. "A formal reporting line to the security team would effectively make this a BISO [Business Information Security Officer] role," he adds.
Norris agrees that security champion training programs should define roles and responsibilities clearly, as well as provide trainees with a high-level understanding of company security policies and procedures. She adds that these programs also need their own roadmap with links to existing policies and procedures, communication channels, and other reference resources.
"It is imperative that basic training include vulnerability concepts and scoring (i.e., common vulnerabilities and exposures, the common vulnerability scoring system vectors, etc.)," Norris advises. "From there, ongoing education, training, and communication should include the use of security scanning and penetration testing tools, vulnerability types and assessment, security best practices, secure design reviews, threat modeling, and changes to security policies and procedures."
Another key element for a successful training program is flexibility. Resource information will be revised as critical vulnerabilities are uncovered, and it is important that security champions can adapt their own approaches based on new information, according to Norris. "The security landscape, both internally and externally, is always evolving," she says.
Security Champions Balance Business With Protection
According to Malisov, security champions can help an organization not only adopt a security-focused culture, but also breathe life into it. "They become the face of security," he says, "through open communications with peers about the importance of security policies and procedures, as well as ensuring those policies become living documents that change as the landscape evolves."
For instance, a champion can intervene when a user creatively attempts to bypass a block or find alternative solutions for a business pain point, a move that would likely introduce other security risks to the system or process. Through these front office interactions with customers, Malisov says, a security champion can steer users away from risky activities or escalate the problem to the security team for a proper resolution.
Further, Norris explains that champions not only have the ability to answer security questions, but also find answers for teams when they don't have the knowledge at hand. For example, champions can advocate on behalf of development teams for policy and procedure changes that make the most sense both in terms of security and business case. With consistent messaging both with security and individual teams, every member can take responsibility for integrating security throughout the software development process.
Within Broadcom, Norris says there is a hierarchical structure for the security champion program, which follows the mainframe software division, value stream, and solutions structure to ensure that the program is well organized and has nimble communication and execution paths. She points out, "The security champion program and structure was an important component in our mainframe division’s swift and efficient response to the log4j vulnerability." The company also has a Security Consortium that includes security champions for each division, IT department, the CISO, legal, and other corporate units that communicate and collaborate on corporate and product security to create a holistic approach to security across Broadcom.
"A security champion program is a strong indication of a mature organization," according to Malisov. To be successful, these programs not only need to have leadership buy-in, but also support from the security team and other team leaders throughout the organization. Within an organization, anyone could be a security champion so long as security is a priority for them and their teams, effectively ensuring the organization itself becomes its own security champion as it strives for more agile development processes.