Teaching security champions

In the previous article, we talked about how to engage your champions. We want them interested, revved up and ready to go. You are in a room full of brand-new security champions and they are itching to learn all about ‘cyber', what do you do? What do you teach them? How do you impress them?

Tanya Janca
August 13th, 2024
Only teach them what they need to know. Nothing more.

As someone who creates security training professionally, I have to say, I've seen a LOT of filler. Extra content that just does not need to be there. Software developers do not need to know the history of Diffie-Hellman, or the difference between symmetric and asymmetric encryption, unless they are building encryption software. So don’t try to teach it to them unless they have a keen interest and have asked about it.

What they really DO need to know is:

What you need, expect and want from them, as champions.

You should define the goals of your program and share them with your champions. Share your plans for them, as much as you can. Give them timelines, training information or anything else you have. You need to make clear what you are expecting, or you may not get it.

Technical topics for teaching your security champions:

  • Formal training on secure coding, with labs!

  • Threat modelling

  • Secure architecture (whiteboarding)

  • Code Review

  • How to fix the bugs they find

  • Repeat yearly as a minimum

Topics specific to your organization:

  • Which policies, standards and guidelines apply to them

  • Help them create missing guidelines

  • Teach them how to be compliant, help them get there

  • Their role during an incident

  • Job shadowing

Hold consultations to let them provide input on the policies that will affect them. Trust me, their feedback will be priceless AND it will make them feel heard.

The last topic you need to ensure they learn is tooling. If you expect them to use a tool, you need to show them how to install and configure it, how to use it, what the output means and how to validate the results. It is also your job to either help them pick excellent tools or involve them when you are choosing tools for them.

In the next article we are going to discuss how to recognize your champions.
