Do You Have Security Champions in Your Company?

Security champions are employees who are not part of the central security team but belong to a development, testing, QA, operations, account or even marketing team, and who have been designated to drive security and play a vital role in the organization. They are versed in security assessment and are responsible for applying their security skills within their own domain to find security holes.

The development team develops applications and makes them reliable, whereas the testing team assures the application's performance and makes it bug-free. Every team plays a significant role in the growth of the company. The chief information security officer (CISO) team is responsible for finding holes or issues in applications from a security perspective; however, in today's digital world the CISO team alone is not enough to assess every application. They are under a lot of pressure because they are responsible for handling security attacks. That is why security champions are important.

Every team should have a security champion, and there is no limit to the number of security champions on a particular team. They also help other members to engage in establishing a security culture. Security champions act as a bridge between technology teams and in-house security teams, and perform many different tasks including internal audits, threat modeling, risk reporting, mentoring, security updates, security training, knowledge-sharing and spreading awareness among other team members.

Does Your Company Need Security Champions?

Anything can be compromised. You can't let even small vulnerabilities go. You also cannot protect your company today against tomorrow's threats with yesterday's security solutions. Security researchers should be a part of every team to devise new ideas every day. For example, we often see applications with no validation at the backend, which can lead to XSS (cross-site scripting) or command injection. A security champion on a development team would be aware of the consequences of those flaws and could guide the team in applying proper validation (or write the validation themselves).

Does Your Company Have Security Champions?

The following checklist helps you determine whether there are any security champions within your organization:

Does any member of a team get involved in regular security audits?

This is the most important question you need to ask yourself. If the answer is yes, then you are lucky enough to already have security champions in your company. Security audits include reviewing applications, interviewing staff and performing vulnerability scans and code reviews to ensure no flaws exist. Although this task is also done by the central security team, it is good practice to secure your application at each level. Anything missed by one team can be addressed by another team (with the help of the security champion). By doing this, you are making your application more secure at each and every level.

Are your company’s different teams ready to accept any security challenge?

Security champions differentiate themselves from others when it comes to accepting any security challenge. Security champions not only work for the organization's benefit, but they also engage others in the program. They are always ready to accept any challenge, but can ask the central security team for any needed assistance. Security champions don't take security risks lightly and are always open to sharing their opinions and suggestions with other team members.

Does any employee participate in proposals/improvements programs and help define meaningful policies?

Security champions always think about the betterment of their organization by providing relevant suggestions when policies are being redefined. Each policy should be specific and action-oriented. Security champions can help define (or redefine) policies including mobile device email policies, acceptable use policies, confidential data policies, password policies, wireless network and guest access policies and incident response policies. Security champions always contribute their security knowledge and skills for the betterment of the company and their peers.

Is any employee (not from the central security team) of your company proactive and a security enthusiast?

Security champions not only respond but also control situations and accept any problem as a new challenge. There is a need for security champions in every department within a company. Security champions always stay in direct contact with the CISO team and stay updated on the attacks—and ways to defend against them, including from the attacker’s perspective. Security champions have deep knowledge about information security and the latest cyberattacks, and are passionate to learn something new in the field of information security.

Does your talent acquisition team include security skills at the time of recruitment?

Human resources or the talent acquisition team should include some basic skills related to security in its requirements. If the HR team has a security champion, it definitely will include information security as a required skill. Recruitment is a crucial process for any organization because everyone in the market wants the best match. Candidates should be aware of OWASP and its projects, and also of CWE and CVE. Some basic security knowledge or skills can also make employees security champions once they enter the industry. The interviewer should also ask security-related questions to check the general awareness of those being interviewed.

Does your team have security mentors who also conduct mini meetings?

Mentors play a key role in any team. Security champions provide their guidance and vision to the whole team. Security champions often are experts in certain areas such as JavaScript, cryptography, access control or software development security, and regularly contribute their efforts to information security. Mini-meetings help other team members get involved and learn.

Does your team have a member who helps scale the central security team and writes security tests for identified risks?

The workload on the central security team is very heavy, so they can use support from other teams. Security champions can provide assistance and find issues. Security champions also write security tests for identified risks and report to the central security team. Anyone with those qualities can be a security champion.
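As an added illustration that is not part of the original article, the following Python sketch ties together two points made above: the missing backend validation that leads to XSS or command injection (from "Does Your Company Need Security Champions?") and the security tests a champion writes for an identified risk (this section). The weak "before" builders, the hardened "after" builders, the hostname allow-list regex and the payload strings are all constructed for this example and are not the article's or any project's code.

```python
import html
import re

# Constructed for this example: shell characters whose survival in a command
# string means user input could alter the command the shell runs.
SHELL_METACHARACTERS = set(";|&$`<>()\n")

# Allow-list for a single DNS hostname (constructed): labels of letters,
# digits and hyphens, joined by dots, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_unsafe(host: str) -> str:
    """'Before': the value is interpolated straight into a shell command line."""
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Backend validation: accept only strings shaped like a hostname."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def build_ping_command_safe(host: str) -> list[str]:
    """'After': validated input passed as an argv list, so no shell parses it."""
    return ["ping", "-c", "1", validate_hostname(host)]


def render_greeting_unsafe(name: str) -> str:
    """'Before': user-controlled text is placed into HTML unescaped."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """'After': HTML-escape the value so it can only render as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def run_security_tests() -> dict[str, bool]:
    """Security regression tests for the two identified risks.

    Each entry is True when the weak code reproduces the flaw and the
    hardened code behaves as required. Payloads are constructed samples.
    """
    cmd_payload = "example.com; id"
    xss_payload = "<script>alert(1)</script>"
    results: dict[str, bool] = {}

    # Command injection: the weak builder keeps the separator in the string.
    weak_cmd = build_ping_command_unsafe(cmd_payload)
    results["weak_cmd_keeps_metachar"] = any(c in SHELL_METACHARACTERS for c in weak_cmd)

    # The hardened builder must refuse the payload outright...
    try:
        build_ping_command_safe(cmd_payload)
        results["safe_cmd_rejects_payload"] = False
    except ValueError:
        results["safe_cmd_rejects_payload"] = True

    # ...while still accepting a legitimate hostname.
    results["safe_cmd_accepts_valid"] = (
        build_ping_command_safe("example.com") == ["ping", "-c", "1", "example.com"]
    )

    # XSS: the weak renderer emits the tag verbatim; the hardened one escapes it.
    results["weak_html_keeps_tag"] = "<script>" in render_greeting_unsafe(xss_payload)
    safe_html = render_greeting_safe(xss_payload)
    results["safe_html_escapes_tag"] = (
        "<script>" not in safe_html and "&lt;script&gt;" in safe_html
    )
    return results


if __name__ == "__main__":
    for check, ok in run_security_tests().items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```

The point of the test function is that it encodes the identified risk as something the build can fail on: once the hardened builder is in place, any future change that reintroduces string interpolation or drops the escaping turns a check red, which is exactly the kind of durable contribution a champion can make without the central team's involvement.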

Does any employee of your company communicate, provide feedback and maintain interest?

Good and healthy communication is a must for any organization. Security champions always spread information as well as take feedback from others, which is the most important quality of a security champion. Maintaining interest is also necessary. They also share recent AppSec news and articles to help others get involved and be ready for any security attack.

By answering the above questions, you will get an idea of who the security champions are in your company.

No Security Champions?

Employees have access to customer data or deal with customers, which creates cyber-risk. However, we can educate our employees about security solutions and how to handle customer data, and we have the capability to limit user access to our systems. Security champions are difficult to find, but it's not impossible. Companies can hire security professionals from a consulting firm who will work as part of the teams, responsible for assessing, guiding, engaging and sharing their skills and knowledge. The organization can then assign a person from each team to work closely with these security professionals and be trained to become a security champion. The goal is for companies to eventually have their own security champions on staff.

If utilizing consultants and training existing employees to become security champions is not possible due to budgets or lack of time, companies can simply hire security champions.

For even more information about security champions and how to create security champions within your company, you can read OWASP’s guidelines.

Shubham Vashist

Shubham Vashist, from India, is an enthusiastic Information Security Researcher & Web application Security Tester. Having earned a Computer Science and Engineering degree, he has gained experience by learning, practicing and reporting bugs to application vendors. His passion is to secure the applications from attackers and make them reliable.