Security Champion Brainstorm
Problem Statement
Among engineering teams, engagement with the Security team and the security quality of our applications both stand to improve through:
- Passion for security
- Foundational knowledge of security principles
- Knowledge of cybersecurity tools & processes
- Secure by design principles and execution
- Development of DevSecOps mindsets
- Knowledge of tech-domain specific security concerns
- Knowledge of product-domain specific security concerns
Strategy
Inculcate security culture in Technology engineering through the creation of a self-supporting community of security-passionate engineers within the domain/product teams.
Scope
- Tier 1:
  - software engineers
- Tier 2:
  - and SRE
- Tier 3:
  - and technical product managers
- The dream:
  - engineering managers and directors (the program would be adjusted for these stakeholders)
Program
Education
Tier 1:
- (ISC)2 Certified in Cybersecurity (free) - add to goals
  - Company pays for first year of (ISC)2 membership?
- Security Journey membership (https://www.securityjourney.com)
- Expectation of progress against the Security Journey learning paths - add to goals
- Technical/domain-specific HackEdu training sessions (the two platforms are merging later this year)
- 2-3 days a month to dig into an area of cybersecurity interest
- Add goals and report to engineering manager & Security Champions slack
Tier 2:
- Monthly meetings with speakers from within or outside the company (including Defenders Learning Journey topics?)
- Security Champions present topics at DPE/ST brown bags
Tier 3:
- Special sessions during tech weeks
- Sponsorship for conferences (Black Hat, DEF CON, etc)
- Paid certifications (CASE, CSSLP, GWEB, etc)
The dream:
- Sponsorship for an online Master's in Computer Science - Cybersecurity, and support for time away from day-to-day duties to make it happen
Community Building
Tier 1:
- Slack channel to facilitate discussion
Tier 2:
- Visible presence across Technology (see branding and communication)
- Quarterly off-sites
- Security Champion dedicated events (CTF, etc)
Tier 3:
- Security Champion hosted events (CTF, etc)
- Training/certification cohorts (CSSLP, etc)
The dream:
- Engagement or creation of industry-wide security practitioner groups
- Presenting at conferences
Coaching
Tier 1:
- Coaches from Security available in Slack to assist Champions' learning
- Champions available to peer engineers to either answer security-related questions directly or to bring them to the group and respond with its answers
Tier 2:
- Security Champions are coaching one another
The dream:
- Full-time coaches
Branding
Tier 1:
- A name: Security Ninjas (Is this cultural appropriation?)
- Stickers: Come up with a bunch of really creative fun logo stickers like GitHub (https://thegithubshop.com/products/octodex-sticker-packs)
Tier 2:
- A program website with information and success stories
- Ways to make champions digitally stand out
  - Customization for profile images? (Active Directory/Slack/GitHub, etc)
  - Colored circle around profile images?
  - Badge like LinkedIn "I'm Hiring" badges for profile images?
  - Create logo images (from the stickers?) and an app that could swap the person's face onto the character!
  - What else?
Tier 3:
- Ways to make champions physically stand out: t-shirts and other items
Communication
Tier 1:
- Slack channel with participation from Security (see Community Building and Coaching)
Tier 2:
- Monthly email reports to champions and their managers
- Inclusion in weekly Technology newsletter
Tier 3:
- Monthly program-specific emails to all Technology
Retention
- Set an expectation that involvement in the program takes commitment and allow for a no-shame way to opt out after a period of time
- Incentivize participation via swag, fun events out, etc...
- Digital and physical distinctiveness gives a sense of pride and belonging
- Reward the value-add via gift cards for champions who assist engineers before Security needs to be involved, who write articles, or who advance security culture in other ways.
- Make it highly visible and easy to achieve!
KPIs
- Total # of participants
- % of engineers participating
- % of teams with a participant
- Can we measure the number of defects or Security findings per team and demonstrate improvement?
Challenges
- Finding a team of volunteers to lead the program
- Manager buy-in to support the extra time commitment from Champions
- Coaching must be a safe space for Champions to learn from Security
- Finding a way to make it self-sustaining
- If it takes off, how do we hold back the masses? Do we?
- Could we get a near-100% participation? Would that be bad?
Recruitment
Phase 1:
- Volunteer/voluntold participant from each team under our director
- Bring in other like-minded directors?
Phase 2:
- Invitations to the remainder of VP org
Phase 3:
- Roll out to all Technology engineering
Source
Framework credit to Chris Romeo from Security Journey