Building a Grassroots Security Champions Program

Chris Romeo, CEO and Co-founder of Kerr Ventures, and Dustin Lehr, Head of Platform Security at Fivetran, joined me for a live LinkedIn session. If you missed out, here’s the recording and my three key takeaways.

Key Takeaways

#1: A Passionate Security Champion Leader is Vital

A sustainable security champions program requires a skilled, motivated individual to act as the program’s backbone. This individual needs enough technical knowledge to maintain credibility with engineers while effectively navigating conversations with executives.

There are multiple ways to get started. Chris prefers generating momentum with a grassroots approach, while Dustin prefers to get executive support early.

Once you’ve established a program, keep the momentum going and create a succession plan for when the leader departs. The current leader should mentor the individual(s) likely to take over the reins. A steering committee is another effective way to keep backup leaders involved.

#2: Design your Security Champions Program for the Champions

Employees devote many hours – typically voluntarily – to security champions programs, so morale and participation are essential. To encourage participation and engagement, it’s crucial that the champions feel they are growing as professionals.

How you invest in your champions will vary by organization, but there are some best practices. Dustin suggests SAPS – Status, Access, Power, Stuff.

Demonstrating your investment in champions means offering rewards fitting into these categories. And while the program should positively impact the company in the long term, the shorter-term outcomes should improve your security champions’ lives. Continuous investment will keep program morale high.

#3: Security Champions are a Long-Term Investment

If you expect to overhaul your company’s security culture in a matter of weeks, then change your expectations.

Fostering a security-conscious culture takes time. Sell the vision to upper management, but ensure they understand it may take a full year to see a return on investment. This strategy will create a paradigm shift in the company’s ability to reduce risk and keep customer data safe. But it can’t happen overnight.

Continue Learning with Dustin & Chris

If you’d like more detailed advice on security champions programs, check out Chris’s Security Champion Framework to help create your maturity model and Dustin’s Security Champion Success Guide for a detailed walkthrough on building a security champions program.

You can keep up with Chris via The Application Security Podcast, Threat Modeling Podcast, and The Security Table Podcast.

You can keep up with Dustin via LinkedIn and his meetup group, Let’s Talk Software Security.
