Ah, Security Champions. They make everything better. When building a network of Security Champions, you want them to take advantage of and advocate the usage of the Secure Code Warrior® learning platform. These superstars are already among the ranks of development teams just waiting to be discovered.
Security Champions help promote the shift towards a positive security culture within development teams. Not every company chooses to use a champion program, but we’ve noticed much stronger results for those that do. Just saying.
What is a Security Champion?
It's important to start with a defined program that aligns with organizational goals but also clearly outlines expectations for future Warriors.
They’re people with a training-positive attitude who are passionate about upskilling themselves and others. They’re open to new ideas and learning opportunities, and they thrive on helping their fellow teammates.
Ideal security champions are:
- Positive and approachable with great communication skills
- Passionate about security
- Interested in building secure coding skills (their own and others')
How do they make a difference?
Because they’re working at the heart of development teams, they have a unique perspective and can play a valuable role in building engagement around training by:
- Helping identify vulnerabilities within their teams or applications
- Encouraging peers to participate in tournaments, training, and assessments
How to Support your Champions
Now that we’ve painted a little picture of what a Security Champion is, it’s important to think about how you’re going to support and encourage them.
That can be through things like:
- Monthly Champion Lunch & Learns
- Regular email or chat communications
- Security Champion Quarterly Business Reviews
Remember, since they’re developers, they’ll be incredibly busy, so think about ways to fit with their schedules.
Cool incentives also never hurt. You want teams to know who their go-to champion is, plus you also want to show your champs appreciation for all the hard work they do.
Here are a few ideas customers have used before:
- Custom apparel (t-shirt, hoodie, etc.)
- Event vouchers (movies, food, beverages, etc.)
- Champion themed accessories (mug, mouse pad, trophy, etc.)
- Highlight achievements in the company newsletter and/or on LinkedIn
- Recognize accomplishments during team/company meetings
How to find these awesome people
Once you’ve launched a new security training program, there are a number of ways to find Security Champions who can help make it really effective. You just have to be on the lookout.
A tournament is often the first opportunity you might get to find a champion, especially if one is part of your training program kick-off.
- Once a tournament has been announced, look for particularly excited or interested developers; ones that are asking questions and engaged in the idea of learning
- During tournaments, look for someone who’s encouraging those around them
- Watch the leaderboard! Though this isn’t the most important aspect of a Security Champion, those who are doing well have often sought out security training in the past, which means they have good awareness and may be interested in helping their peers
General Recruitment Opportunities
After a successful tournament, you’ll likely have a better idea of what to look for and even possibly some candidates in mind. Other things you can do to recruit a Security Champion are:
- Consider sending a survey to your development teams. This method lets interested parties nominate themselves for the position
- Nominate developers that are particularly active in the SCW platform. Approach them with the idea of becoming a Security Champion and see how they feel
Other Tips and Recommendations
Here are a few other little tips we’ve found helpful to consider for a Security Champion program.
- Have at least one champion per geographic region or programming language
- Go with a reasonable ratio of champions to developers (1 champion per 50 developers)
- Develop a ‘Security Champion’ persona so you have a good idea of how to find future or additional champions quickly
- Once a Champion is chosen, leadership should send an email to development teams to acknowledge the selection
- Invite Security Champions to a kick-off meeting to review organizational goals and how they can help or suggest ways to achieve them
With solid Security Champions in the mix, everyone can look forward to better engagement and overall security positivity at ground level where it matters most.