Security Champions – DevSecOps Focused Kickoff, Mentoring and Upskilling
Our Security Champions program is a tailor-made package aimed at implementing Security Champions in your organization and creating a more security-oriented development process.
Your Security Champions will raise security awareness in the development department, address concerns during development and prevent vulnerabilities or security-related issues from reaching production.
After our kick-off, you can continue the program yourself or keep us in the loop as you see fit.
Benefits of Security Champions
- Build a culture where IT security is part of everyday life and the design process
- Save time and money by incorporating security continuously and avoid costly post-launch changes
- Strengthen your value proposition / marketing with secure software
- Get local security experts on every development team, who incorporate security habits into a busy workday
- Get your own army of Security Champions with general cybersecurity skills
- Become compliant with security frameworks such as #16 in CIS18.
Brief about Security Champions
We help you set up a Security Champion program in your organization. You select members from the development team to be the Security Champion for each team. We then conduct an assessment of the future Security Champions’ current level of cybersecurity and specific requirements, from which we knit together a program of mentoring and education through workshops and training sessions.
The goal is to educate team members so they can act as a “quality control” and help highlight and navigate around potentially unsafe design and development decisions.
These elements are available as one-off services or in a complete Security Champion program:
- Workshop/training – We design and deliver training/workshops on relevant technical topics. Preferably physical meetings, but remote is also possible.
- DevSecOps/design consulting – If you face a decision where you want an expert's perspective on implementing security smartly and at a reasonable cost, we can spend a day or more together.
- Needs and self-skills assessment – We have built a template and approach to uncover the needs of your future Security Champions. It can consist of quantitative answers only, or also include qualitative (open-ended) questions. We analyze the answers and summarize them in a report.
- Help designing the Security Champion program – If you don't already have a program, we can help you design it using best practices and our experience.
- Joint meeting facilitation – It's beneficial for your Security Champions to meet regularly and help each other out. We are there to facilitate the meeting and, if wanted, a brainstorm or light activity.
- Mentoring of Security Champions – In the form of regular (e.g. every 2 months) ~30 min online meetings where we can discuss issues they face in their team, their learning path to increase security skills, etc.
Workshops for Security Champions
To ensure that Security Champions feel they have the necessary knowledge, the service will include a series of workshops to upskill employees. These typically take the form of 1-day face-to-face workshops, which will include lectures, group discussions and practical exercises in an informal setting.
The first workshop will often be on the topic “How to become a Security Champion”. The goal is to ensure that future Security Champions have the necessary knowledge to feel comfortable with the role from day 1.
Additional workshops will be held based on the needs assessment to provide Security Champions with actionable insights tailored to your organizational context and needs/wants. This may include:
- How to detect security issues in source code (using automated tools and manually)
- Hands-on workshop that walks through how attackers exploit common vulnerabilities to provide insight into how they work and how to protect against them
- “Security by Design” workshop showing how to easily incorporate security standards like OWASP ASVS as part of the design process in a non-intrusive way
- How to perform Identity and Access Management (IAM) securely and common pitfalls
- Capture the Flag (CTF) competition to gain hacker insights and build team spirit among security champions
Mentor and support Security Champions
Often, the Security Champion will face their own unique challenges. Therefore, we want to give them the opportunity to ask questions that are specifically related to their situation. This will take the form of “1-on-1 mentoring”. On these days, Security Champions can book a meeting with one of our security experts to discuss their specific problem or question.
To create a team spirit among Security Champions, we can also act as an impartial facilitator of Security Champions group meetings or participate in scrum and development meetings. A space needs to be created where Security Champions can discuss issues with each other. We can arrange group activities like working on specific security challenges, deciding best practices for communication in the organization, updating each other on the latest news and research in IT security, etc. The goal is to ensure that meeting and communicating with other Security Champions in your organization becomes a common practice, which will hopefully ensure the longevity of the program.
Reporting
As the Security Champions program runs over a longer period of time, the material involved in the workshops will be reported on to give an overview of the knowledge needs identified during the needs assessment. In addition, the status of the Security Champions program will be reported through questionnaires. The outcome of the analysis will be shared with relevant stakeholders in your organization. For the qualitative questions, we would obtain an overview of the skill level of the various Security Champions, as in this example graph:

Security Champions and Secure Coding programs
Depending on your ambitions within security by design, the security champion program can be part of a larger program addressing secure coding across all developers or it can stand alone.
Either way, a Security Champions program is an effective way to kick-start secure coding capabilities and let them grow from this chosen group of security ambassadors out into your organization.
Here is an example of a Secure Coding program with an integrated Security Champions line: