Security champion initiatives: 3 reasons they go wrong
Poorly implemented security champion initiatives can do more harm than good, so here are some of the common pitfalls and how to avoid them.
Written by Keith Batterham
As discussed in a previous blog, security champion initiatives can be a great way to spread security awareness and promote best practices across an organisation. They empower non-security volunteers to act as liaisons between their teams and the security team.
A well-designed and executed security champion initiative can help reduce security risks, foster a security culture, and bridge the gap between security and development teams. Not all security champion initiatives are, however, created equal.
1. Not clearly defining goals
One of the first steps in creating a security champion initiative is to define the vision and the goals of the initiative. These should be aligned with the business objectives and the security strategy of the organisation. You need to address questions such as:
- What are the desired outcomes?
- How will the success be measured?
- Are the roles and responsibilities of the security champions clear?
Without answers to these questions, the initiative can become directionless, confusing, and ineffective. Most importantly, once clear goals have been established, you need to communicate them to all the stakeholders.
The roles and responsibilities of both security champions and the security team should also be clearly defined and documented. Expectations and incentives for the security champions should be transparent and fair.
Also, remember to track the progress of the programme and measure its success. Good starting metrics are the number of security risks identified, the number of security incidents reported, and the number of security controls implemented.
2. Leaving your champions in the dark
Security champions are not security experts, and they need to receive additional training and guidance to perform their role effectively. They also need to have access to the security team and the security tools and resources that they need to fulfil their tasks.
Failing to provide sufficient training and support for the security champions will leave them feeling overwhelmed and demotivated, which can result in low engagement.
To avoid this, you must invest in the training and development of the security champions, and provide them with ongoing support and feedback. The training should be tailored to the needs and skills of the security champions, and cover topics such as:
- Security fundamentals, security policies and standards
- Security tools and techniques
- Security best practices
Support can take various forms, such as mentoring and coaching, as well as recognition from the security team and leadership. If security champions feel they are not being supported, they may become discouraged and less effective.
Remember, if security champions are not properly trained or empowered to raise concerns, they may not be able to effectively identify and mitigate security risks. This can lead to an increased risk of security breaches.
3. Building walls rather than bridges
A security champion initiative, if done well, can enhance the integration and collaboration between security and other teams, and embed relevant security-aligned practices into their workflows.
A poorly integrated security champion initiative, on the other hand, can create silos and conflicts. This can disrupt the development process, causing bottlenecks, rework, and missed deadlines. It may even isolate the security champions from their teams, making them feel like outsiders or spies.
To avoid this situation, I recommend the following:
- Security champions should be embedded in their teams, and act as facilitators and advocates for security, not as enforcers or auditors.
- The security team should work closely with the security champions, and provide them with timely and constructive advice and assistance.
- The security champion initiative should align with existing processes, and leverage the existing tools and workflows to implement security activities and controls.
A security champion initiative can be a powerful way to improve the security posture and culture of an organisation, but only if it is done right. A poorly implemented security champion initiative can have detrimental effects for all teams.
Taken to the extreme, the organisation’s reputation for security can be damaged if the security champion initiative fails. This can make attracting and retaining customers and partners more difficult.
Here are some additional tips for a successful security champion initiative:
- Involve security champions in the planning and implementation process: This will help to ensure that the initiative is designed to meet the needs of the organisation and its employees.
- Provide security champions with ongoing support: This may include providing access to resources such as security training, tools, and expertise.
- Recognise and reward security champions: This will help to motivate security champions and encourage them to continue contributing to the initiative.