Eva Belyaeva, Security Vision
Who it is
Many processes, articles and corporate legends appeal to the notion of a Security Champion, sometimes claiming that a person in this role is capable of the impossible (as we noted in our article about the confrontation between development and security). But who actually stands behind this notion, what tasks does the role solve, and what is the overall point of its existence?
It varies from place to place, but if you look for a definition in international sources, you may be surprised to learn that Security Champion is the proud title of one or more people who carry the banner of information security within a company. Roughly speaking, it is an accessible and friendly entry point for every employee into security, its processes and its practices within the company; and the range of tasks of such specialists turns out to be very wide: from risks to compliance, from phishing emails to secure development.
And that's not the case with us?
A difference in approach
It is not like that with us. To put it briefly, in our reality one of the possible vectors of the Security Champion's role was taken and adapted, and then the role's place within the company, its goals and its objectives were reworked as well. Let's see what is similar and what is different.
Outside of our reality: a champion is either a security specialist or absolutely any specialist whose current position, combined with information security skills, can put them in several roles at once: a mentor, a leader, a kind of question-and-answer bureau; someone embedded among developers, trying on the role of a risk manager, spreading the postulates of compliance to the masses and, finally, shedding light on IS within the company, which was once called by the fashionable word 'awareness'.
What is surprising is that there are many companies where the champion is anyone but an employee with clearly defined responsibilities and a dedicated position. Such an employee turns out to be more like a Pokemon, playing every role in the company from mascot to spiritual mentor and staff psychologist in one person. The champion is the one whom everyone trusts and whom nobody hesitates to ask an IS question without fear of being ridiculed. Such a specialist should burn with enthusiasm for security and share their knowledge with others at the call of the heart.
In our country, to put it mildly, this is not accepted at all. In our reality the term Security Champion is firmly associated with development. If you ask companies who their champion is, you are more likely to hear about either an application security specialist who knows secure development or a very IS-savvy developer. The range of our champion's capabilities is also 'broad': from secure development to secure software development.
And who has it the way we do?
Interestingly, Adobe or ABBYY, for example, also have a champion embedded only in the development team and not present in other processes within the company. That's all for now.
So what do such people have to do officially?
Skills and tasks
Let's take a closer look at the skills briefly listed earlier. Most often, the range of a champion's official and unofficial (more on this later) tasks includes conducting training, teaching, answering questions and individual cyber exercises. This usually comes bundled with regular audits and training sessions on how employees should respond to phishing and malware. Development is mentioned less often, but it is also on the list. The conventional wisdom is that when an accountant or marketer has someone to consult, they are less likely to click on whatever catches their eye and more likely to ask information security questions in the context of their usual activities.
In the wild this is called an incident prevention mechanism, risk mitigation and other beautiful words.
The champion's skills should ensure that IS is integrated into all aspects of the company's processes and culture, preparing it for possible threats. Constant communication between the champion and employees builds trust, and discussing specific incidents and trends in IS raises the general level of awareness.
Questions of all kinds come to the champion in the course of their work: cyber hygiene, training, new technologies, the security of devices (both work and personal), and currently popular threats and vulnerabilities.
And importantly: employees can turn to exactly this person to report an incident, anonymously and promptly.
That is why champions are those who care about IS in general and are ready to show by their own example that following the rules is neither stupid nor scary. Over time, communication with the champion may become informal; some employees consult 'the person who knows about IS' outside of work too. In other words, it is the familiar 'you're a programmer, aren't you?' situation, only with 'you're a champion, aren't you?'.
Importantly, this person is involved in almost all processes within the company: no matter how you look at it, IS matters everywhere. Marketing, support, human resources, front and back office, infrastructure: all of them need a personal consultant who is ready to come to the rescue at any moment.
The champion is most often mentioned in risk management processes: with IS knowledge that only supplements their core function, such a person is able to assess risks competently not only from their own position but also to overlay them onto other practices. They can help prioritise risks and develop mitigation strategies, as well as embed IS practices into all the processes available to them.
That's the kind of person we have: Development
This sounds sadder than everything above, but it is not quite so unequivocally sad: if the role has evolved into what it is now, that is the business need. As for integrating the champion into the development process, opinions and goals converge in all realities, and that is what matters.
A champion in development is an ambassador of best practices and approaches among, surprisingly enough, developers. Such a person knows all or nearly all about the latest cyber threats in development, about secure development, about...
With methods and approaches in general it is more or less clear: the champion knows exactly how to do good and how not to do bad, how to apply secure development methods in practice and even how to test code; they know something about pentests, have mitigated risks at least once and have most likely taken part in a bug bounty programme.
Such knowledge would be useless if the champion knew it only in theory; the ability to use the tools of both a security engineer and a developer is a basic skill. Close familiarity with static and dynamic analysis (SAST and DAST), the ability to fuzz an application and annotate code, to describe bugs, hangs or even crashes correctly, to help reproduce and sometimes even fix critical software problems: these are the daily tasks of this position.
With such tasks, the only thing to do is to integrate into the product processes: conducting application testing, sometimes arranging a full-fledged code review and sometimes even teaching developers the principles of security in their area of expertise.
Less often, but it does happen, a champion may interact directly with the IS team to make sure that the additional risks associated with software releases are also considered. Most of their time may be spent on software certification and trusted development, since this area lies at the intersection of IS and IT.
Place in the company
Well, it is time to talk in detail about a slightly strange and surprising thing: who really is the 'jack of all trades' in foreign companies? The very handyman involved in the whole 'inner life' of the company, ready to be on call 24/7, and loaded on top of their regular duties completely... free... of charge. Perhaps it is some kind of conspiracy, but mentions of the Security Champion come with a clear indication that the position is more of a volunteer one.
Companies believe that a person is thus additionally motivated by a wider range of responsibilities and sphere of influence, and that all of this can be quietly done outside of working hours. Even more than that, one interesting study was mentioned which found that if a person combines their duties with those of a champion for more than five years, regular overtime becomes part of their personality: they can no longer imagine good and productive work without it, and it gives them the energy to fulfil their direct work duties.
Take note: if you want someone to work overtime for free, just add the duties of an IS counselling psychologist to their job for five years; the result is guaranteed.
In contrast to this, we have a different approach: a champion is a separate position, spelled out in the employment contract, with a narrow range of responsibilities clearly defined in the job description.
Where champions come from
And how do you get such a champion in your company? Actually, this was briefly mentioned before: everyone tries to grow a champion within their own company in one way or another. The difference is that abroad they take anyone at all and add security skills, whereas here there is some variability.
In our case, a developer or a security person is taken and the missing development or security skills are added. Voila: there is a person who exists between two worlds, 'a friend among strangers, a stranger among friends'.
Both here and there, becoming a champion requires a combination of certain skills and competences: the person should be technically skilled, a leader and (sometimes) a competent manager, and of course have 'fire in the eyes' and devotion to IS. Problem-solving skills and the ability to handle conflict and non-standard situations will not go amiss either.
Certificates will not go amiss for such a position either, although they are not obligatory. CISSP, for example, is mentioned quite often, but not in all materials.
What you cannot do without is the intention to stay abreast of trends, constantly update your knowledge, upgrade your skills and contribute to IS in general.
18.07.2024