If you want to scale your software security program, you absolutely need to have security champions. Security champions are those folks spread throughout each of your teams – engineering, QA, devops, etc. – who are both regular team members and also the local representatives of the security team. They can bring additional security perspectives into the team's internal workflow, engage with the rest of the team about risk, act as the local point of contact for security issues, and escalate to the security team when needed. It is a great way to scale security efforts beyond your minimal resources and to integrate much better with the product teams. However, if you want your champions to succeed, and to continue to do so over time, you can't just throw a handful of cybers at them and expect them to know what to do. Unfortunately, many organizations have tried this path and failed. You need to thoughtfully build a Champions Programme that will encourage, support, and maintain your champions. You need to make clear what you expect from them, and ensure they have all the resources they need to meet those expectations, whether time, budget, or access. For that matter, you need to be able to recruit the right champions in the right place, and empower them to have the massive impact you know they can. This course will teach you how to customize a process for creating, initiating, and running an effective Champions Programme, and how to succeed in doing so.
The course will cover the following topics, combined with some hands-on worksheets. Students will apply the lessons to create a process outline they can apply at work, while building out the information they will need. We will have open dialogue to discuss practical issues and challenges students may face (or have already faced).

Day 1:

- Overview (1 hour) – The course will start with an introduction to security champions and their benefits, as well as what a Champions Programme can look like. We will discuss some challenges and lay out a high-level process. We will also discuss the OWASP Security Champions Playbook.
- Initiation (1.5 hours) – How to kickstart a programme from nothing, and what you need before getting started: a list of team requirements, a mapping of needs, executive buy-in, and of course budget and a scope proposal. Students will produce a programme plan.
- Role Definition (1.5 hours) – How to set up the actual roles and associate them with teams, their responsibilities, tasks, and time demands. These might be adaptable based on different contexts and requirements. Students will be able to list the attributes they require for the role (or roles).

Day 2:

- Selection and Recruitment (3/4 hour) – How to locate and recruit champions, including a nomination and selection process, as well as incentivization considerations. Students will outline a recruitment plan.
- Knowledge Management (1 hour) – What kind of training plan is needed and how to optimize it, both for onboarding new champions and for ongoing training. We will also discuss how to persist this information and "organizational memory". Students will specify a starter training plan that can be applied in their context.
- Communication Processes (1 hour) – Designing processes to maximize information sharing and escalation as needed. Students will have an initial process for escalation, and discuss peer-to-peer sharing of information.
- Programme Maintenance (1 hour) – Your security champions are effectively a meta-team, and like any team, you'll need to manage them carefully. We will discuss human interfaces, team management, how to keep up interest and motivation, and how to measure the programme's impact. Students will receive tips around team culture, and propose a process to iteratively improve the programme itself.
- Summary (15 minutes) – Wrap-up and questions.

Learning Objectives

Upon completion of this training, attendees will know:

1. How to define a Security Champions Programme.
2. How to negotiate for the resources to get it started.
3. How to keep the Programme running and continuously show its value.
Speakers
Toreon
Steven Wierckx is a software and security tester with 20 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing...
Tuesday July 20, 2021 12:00pm - Wednesday July 21, 2021 4:00pm EDT
Zoom