Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them?
The answer to this is not simple and is realistically beyond the scope of one simple article written by a SOC analyst. I do, however, have a suggestion to help.
The Human Factor
Everyone at a company affects, for good or ill, the security of the company for which they work. Clicking on phishing emails. Posting a file to a public Dropbox so you can work from home. Coding in that backdoor to make debugging an application easier. Putting convenience above security. These are just a few examples of how anyone can adversely affect the overall security of a company.
The worst part is that, much of the time, the person is not trying to be malicious. Their intentions can be good, but their lack of focus can breed horrible consequences.
On Security Champions and Why We Need Them
What if, as the security team, you could have people throughout your organization that positively affect the overall security? We’ll call them security champions. (Full disclosure: I stole the security champions term from somewhere but do not remember where.)
Security champions (my definition) are non-security professionals who promote and practice good security. These people help others learn to identify phishing emails. They do not belittle others for asking what might be considered simple security questions. They bake security into their development process and try to get others to do so. They weigh security against convenience. All without the security team having to tell them to do so.
Think of the time this could save you,
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/featured/cultivate-security-champions-workplace/