Understanding the Role of Security Champions in Organizations


Security Champions play a vital role in decision-making concerning security engagement, acting as a core element in security assurance processes within a team. They foster a security culture, reduce dependency on the CISO, and promote responsible autonomy and continuous security education in the organization. The concept benefits both the organization and the champions themselves by scaling security, engaging non-security personnel, and enhancing skill sets through training and certifications.


Uploaded on Mar 28, 2024



Presentation Transcript


  1. https://owasp.org/www-project-security-champions-guidebook/ Licensed under CC BY-SA 4.0
  Security Champions
  Principle 3: Secure Management Support
  Artefact: Business case for Security Champions

  2. What do they do?
  Security Champions are active members of a team who help to make decisions about when to engage the Security Team. They act as a core element of the security assurance process within the product or service, and hold the role of Single Point of Contact (SPOC) within the team.
  o Security Champion vs. Security Spike
  o A training curriculum
  o A community of security-minded people

  3. Benefits to your organization
  o Scaling security
  o Engaging "non-security" people
  o Establishing a security culture
  o Less dependency on the CISO
  o From "I had no time for security" to "I feel responsible for security"
  The security champions concept should be regarded as part of an initiative to enable responsible autonomy and continuous security education within your organisation.

  4. Benefits to the champion
  o Recognized role = time to do this
  o Being part of a valued community within the organisation
  o Trainings and certifications on security topics
  o Increasing skill set (and thus market value)
  o Becoming an SME for the team/grid/topic
  o Responsible autonomy = security does not slow down the team

  5. The role of the CISO
  o Ensure management support for the concept of security champions (official status)
  o Facilitate the security champions program
  o Source of security knowledge for the community
  o Organising the (monthly) meetings together with the community
  o Contributing to and moderating the knowledge space

  6. Building a security champions community
  1. Identify teams
  2. Define the role
  3. Nominate Champions
  4. Set up communication channels
  5. Build solid knowledge base
  6. Maintain interest

  7. 1. Identify teams
  By roughly plotting teams we can identify interesting candidates for security champions (topic based). Not science, based on experience.
  [Chart: teams plotted on two axes, Criticality vs. Security Maturity]

  8. 2. Define the role
  o Natural interest in security
  o Can decide when to engage the CISO
  o Becomes a certified security professional

  Low-Moderate security impact:
  - Empowered/mandated to make decisions
  - Document decisions
  - Consults other security champions

  High-Critical security impact:
  - Work with the CISO on mitigation strategies or risk acceptance

  Responsibilities
  o Act as the "voice" of security for the given product or team
  o Assist in the triage of security bugs for their team or area
  o Actively participate in the security knowledge space
  o Collaborate with other security champions
  o Attend (monthly) meetings
  o Ensure that security is not a blocker
  o Help with QA and testing (e.g. security unit tests)

  9. 3. Nominate Champions
  Not appointing, but nominating
  o Most teams already have a member with an above-average interest in security
  o Nominate them via capability assessment
  o SMEs (e.g. AWS, Azure or GCP customer engagement) can identify topic experts
  A nominated security champion receives goodies to celebrate his/her new status in the organisation, e.g. an "I'm a security champion" sticker and mug.

  10. 4. Set up communication channels
  o Space for knowledge sharing (e.g. Confluence)
  o Teams channel where members can meet/communicate
  o Monthly meet-ups with interesting presentations
  o Encouraging security champions to tell their stories
  o Weekly mailing list with security news
  o Creating working groups to work on improvements

  11. 5. Build solid knowledge base
  o Dedicated security champions knowledge space on Confluence
  o Topic based: AWS, Azure, Mobile, Web, API, Containers, Serverless etc.
  o Generic, e.g. secure development best practices, descriptions of common risks & vulnerabilities, links to policies and standards
  o Creating checklists
  o Monthly meet-ups with interesting presentations (external speakers)
  o Competitions among security champions (gamification)
  Topic SMEs will be asked to provide support (e.g. AWS, Azure, API triangle).

  12. 6. Maintain interest
  o Provide continuous support
  o Provide new learning material
  o Re-evaluate efficiency quarterly (ask the champions about their experiences)
  o Activities!!!
    - Workshops & trainings
    - Pizza sessions
    - Hacking days
    - Bug bounties
    - Secure coding championships and awards
    - Organize meet-ups

  13. Getting started
  o Obtaining management support
  o Officially recognizing the role and mandate in the organisation
  o Start nominating security champions
  o Setting up the knowledge base and communication channels
  o Arrange swag/goodies
  o Plan kick-off meetings with champions
