Engage your champions

In this article, we discuss how to get security champions revved up about security once you have found them.

Tanya Janca
August 9th, 2024

In the previous article, ‘Recruiting Security Champions’, we covered several ways to find, attract and recruit people to your cause. In this article, we will talk about how to get them revved up about security once you have found them.

Engage:

To occupy, attract, involve – in security activities!!!!

To participate or become involved – with your champs!!!!

If we want IT professionals to join our security champions programs, we must make it interesting and appealing to participate. We want to motivate them to do extra work on top of their regular jobs, to care about security, to learn a lot of new things, and to work with us. It needs to be good.


Below are a few ideas for how you can make your champions feel engaged.

If possible, bring them along on a security incident that involves software. Teach them what it's like to respond, what the consequences are, and just how much damage insecure code can cause.

Share (appropriate) secrets with your champions. If you are going to share quite sensitive info, explain the concept of ‘need to know’, then ‘deputize’ them onto your team for that one meeting. Being vulnerable and admitting mistakes is a great way to get buy-in and interest.

Let your champions see everything first: new tools, documents, policies, changes, etc. And ask their opinions. First, because they will likely have great ideas, and second, because it makes them feel like they matter.

Create a mailing list for your champions to keep them up to date on new security stuff. Send them links to podcasts, articles, events, or anything else that you think is relevant and they may find interesting.

Meet with them 1:1 once every month, and have a pre-set list of questions. Potential questions (thanks to my friend Ray at Hella Secure Blog): What are you working on? What are you going to be working on next? Do you need any help? These questions will spark conversation and lead you down the right path. That said, when you ask questions like this, brace yourself for potentially bad news so that you can play it cool if they reveal something that makes you cringe.

Hold team-building events so they get to know each other. Having a friend on a team always makes it worth coming back.

Invite them to join security communities, such as OWASP or the We Hack Purple Community (both of which are free to join!).

There are many, many ways you can make the champions feel engaged, and one of the best ones is to give them training, which is what we will talk about in the next article, ‘Teaching Security Champions’.


About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.