Most of us that work in cybersecurity are well aware that there are not enough people to fill all of the positions that we have opened. There is a severe shortage of trained and experienced people who are capable of securing the systems that we must protect. Application security engineers, DevSecOps professionals, security architects, you name it, there's a shortage.
We will never have the staff, budget or time to do all the security work we want to do.
One of the ways that we can address this is by scaling our security teams and programs. When I say scaling, I don’t mean what you do to a fish after you catch it. I mean finding a way to do more, with less. This can involve automation, creating self-service systems, and many other potential solutions. In this series of blogs, we will discuss how you can solve this problem by building a security champions program for your organization.
What IS a security champion?
A Security Champion is a member of a team that takes on the responsibility of acting as the primary advocate for security within the team and acting as the first line of defense for security issues within the team.
Or more plainly:
The person who is most excited about security on a team. They want to read the book, fix the bug, or ask security questions. Every time.
Tell me more!
High Fives for Security Champions!
Security champions are your communicators. They deliver security messages to each dev team, teaching, sharing, and helping.
They are your point of contact, delivering messages to and from the security team, and keeping you up to date on what matters to your team.
They are your advocate. They perform security work, for their dev team, with your help.
They also advocate for security, asking questions in situations you would have been left out of. Raising concerns, you might have missed. They are a peer for everyone on their team and can influence in ways that you yourself cannot.
In the next few posts, we will cover how to build an amazing security champions program! We will follow this recipe:
Recruit
Engage
Teach
Recognize
Reward
(Over)Communication
Metrics & Data
Don't Stop!
Conclusion
In the next article, we will talk about how to find the right people to become security champions.
If you want to learn it all right now, I have a conference talk on this topic already, which covers much of what these posts will cover. Feel free to watch it. I gave it at B-Sides Vancouver, an AMAZING community-led conference, close to where I live.
About
Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.