As mentioned in the previous article (Recognizing & Rewarding Your Security Champions), the most common reason for failure of a security champions program is the security team losing steam, and/or the champions losing interest. In this article, we will discuss a few ways to avoid this. The best way? Communication.
To start off with, pace yourself. Often when I speak to security teams who have a failed program, they tell me how they started off very strong. “We gave them 2 different trainings, 2 workshops, and 3 lunch and learns, all in the first three months. Then we were exhausted. We haven't done anything with them in over a year.” This scenario is far too common.
To pace yourself, I suggest meeting with each champion once a month, for 30 minutes. Then hold one lunch & learn and send one email to the champions. This might not sound like much, but you must remember, they are already doing a full-time job for your organization.
In my 1:1 meetings I like to ask the following questions (adopted from Ray Leblanc's Security Champions article on Hella Secure blog):
What are you working on?
What are you going to work on next?
Do you need any help?
Each of these questions is open-ended, with the hope that it will prompt a meaningful conversation. I usually take notes during the meeting, and then send them after to both of us, with any action items for either of us highlighted in bold. (Note: I've used this technique to get many of my previous bosses to do things for me. Set a reminder for a week from then, and then reply-all to that email chain and ask: “Any updates on these action items?” It works like a charm!)
In your lunch and learn (which does not need to be at lunch time, or involve food), teach them something you want them to know. Do not teach them things they do not need to know, unless they asked for that topic specifically. During this session you or a teammate can teach, or you can show them a training video you like, or even a recording of a conference talk that really hit home for you. If you show them something pre-recorded, ensure you watched it first, you don't want to waste anyone's time with death-by-powerpoint. The more fun you can make these sessions, the better. If you're up for it, invite all of the developers and let everyone learn something new!
Photo by Greg Rosenke on Unsplash
Ideas for lunch and learn topics:
The specifics on how to apply policies, standards and guidelines. This could be a secure coding workshop, or a threat modelling session.
Talks about the top vulnerabilities that you are seeing in your own products, including the risks they pose to your specific business model.
Workshops on how to use the tools that your team wants them to be responsible for. Especially how to configure them, how to validate results, and where to find information on how to fix what they find.
If they are responsible for design or architecture, give them secure design training.
Tell them about a security incident your team had, and how it could have been prevented (assuming you are allowed to share this information).
Hold a consultation on the new policy, standard, or guideline your team is considering publishing. Ask for their feedback, then adjust your documents accordingly.
Remember to take attendance (for metrics) and take notes of any questions for you to follow up.
The monthly email:
Sometimes you just don't have time to do a lunch and learn event or hold 1:1s, but you still need to send a monthly email. The monthly email lets the security champions know what's going on, and that they still matter to you. The program is still running, because you sent an email. If you don't send this email, and you haven't touched base in any other way, this leaves a space where your program may start to disappear.
The monthly email does not need to be fancy and doesn't need to say a lot. Generally, the monthly email says:
What events are happening this month at your org (lunch and learn, all staff, any other meeting they should know about)
Any updates your team has (new policy, new tool, project updates, etc)
Anything interesting from the news that they may find valuable
Any local security events they may be interested in
Any podcasts, videos, blog posts or any other media that is relevant and you feel relates to them, about security (of course)
I live in Canada, and in Canada we are a country of immigrants. This means we have many, many different religions represented in most workplaces. In December, there's Hannukah, Ramadan, Christmas, and more, and often people take time off for these special holidays. This means having a large meeting in December is darn-near impossible. This is the type of situation where you just send the monthly email! It could say something like the following:
Hello Security Champions!
As it is December and many of you will be off celebrating various holidays, we are not going to have any events this month. We also want to wish you happy holidays, and we hope you enjoy all the snow we got this past weekend!
In January we are going to boot the Champions program back up with a lunch and learn on XSS. As some of you are aware, we've found it in about 1/3 of our custom apps, and we want to stomp it out in the new year (with your help of course!) An invitation will arrive later this week.
In the meantime, please check out this XSS Deep Dive by Tanya Janca. We're going to cover this topic a bit differently than she does, but it gives you a good idea of what we are up against.
Have a great December folks!
Sincerely,
The Security Team
My hope from this blog post is that you remember to continue to communicate with your champions. Don't let your program slip, it will disappear faster than you think. When in doubt, send them an email and check in. Up next, we will discuss Metrics.
