Do security champions programs work?

Whether you have read about Spotify guilds, Adobe's karate style security champion belts or just played around with a program of your own, Security Champions programs have become a defacto part of application security.

But are they working?

In the unlikely event that you read that introduction with a blank look on your face, Security Champions programs are a common tool used by software (and security) teams worldwide to help engage non-security-specialists in application security activities and embed security skills and expertise within the development teams themselves.

They emerged about the same time as the often quoted “Spotify” video about how Spotify embraced a new form of development organisation based around squads and guilds. In this model, a guild was a group of people who had a shared interest in a topic (such as security) and met regularly to discuss it (and bring skills back to their teams. (Related: Everyone has always watched the first spotify video but did you know there was a second one that talks about the challenges they faced? 

As security was often a skill needed in teams but relatively specialist, it was a natural fit for a guild. This, with time and organization language choices became what we now know as a security champions program.

Formality of programs ranges from highly structured programs such as those within Adobe, Spotify, Netflix et all, through to more ad-hoc programs which either self-manage or have naturally emerged from an individual team or group.

This is such a ubiquitous practice that even searching for security champions programs will find you dozens of gated marketing links to playbooks, whitepapers and operating guides. We have definitely come a long way in seven years. Consultants will help you run them, podcasts will tell you how and conferences globally still try to spread the gospel of the security champions program.

While we spend a lot of time and webspace talking at a high level about security champions programs and how to run them, we spend very little time talking about the challenges organizations (and secure development leaders) face when putting them together.

It is fair to ask then… are they working?

I am a believer that nothing is perfect and that things get better and stronger when we talk about the challenges as well as the benefits. So what are the common challenges with security champions programs and what questions should we be asking about our programs (if we have one).

This is a huge topic and I will no doubt dig into some of these issues in much more detail in future newsletters, but for now, let’s take a look at the common questions secure development leaders ask. I have also included some self-reflection questions you could use to look at your own program.

Are the right people involved?

Spoilers, my next post will be entirely about the relationship between enthusiasm, time and energy vs experience and expertise but for now let’s keep it simple. Security champions programs can be opt-in (people choose to join them) or selective (you choose people to join). Either way there are challenges. Ensuring you have the right people, in the right teams with the right level of engagement is not a simple feat. What’s more, as an ongoing program, you need to ensure this balance is maintained as time passes and your teams move around.

Questions to ask:

1. Do I have representatives from all software teams?

2. What do I do if someone moves or leaves?

3. How to you bring new people in to your program?

4. How do you preserve your program knowledge if people leave?

Is my program action-focused or knowledge-focused?

Forgive me if I get philosophical here but even Aristotle draws a sharp division between knowledge that aims at action and knowledge that aims at contemplation. To put it simply, you have to be honest with your program, is it about sharing skills, connecting and talking or is it linked to taking action and creating application security outcomes across your teams.

There is nothing wrong with a program that is just a way to connect and communicate. Culture needs this to grow, but we must acknowledge that without action, we will not see that culture lead to change in behaviour, something that security champions programs aim to achieve.

Questions to ask:

1. How do I track what activities have occured as a result of my program?

2. How is activity tracking over time?

3. What is the balance between discussion and action?

4. Are all champions equally active or do certain champions take a more passive role?

Is my program sustainable?

As well as being a big focus from an environmental point of view, ensuring all aspects of your application security program are sustainable is essential. A sustainable program is one that can run for a long period of time without significant effort to maintain momentum. It should be free from key person risk (will it still run if you go on holiday) and not require significant time or money to run. Common challenges occur with security champions programs when large incentives need to be offered to get participation or if one person’s excitement and interest is main driving force. In either situation it is highly likely success will be short lived or quickly lost.

Questions to ask:

1. If the program leader was unavailable, would the program run?

2. Do we have budget and time to commit to this for more 12 months?

3. Do I need large incentives to get continued participation or will other forms of recognition work?

4. Is my program considered important and impactful?

Focusing on ongoing impact over initial implementation

Whatever stage your program is at (even if it’s just an idea or item on your backlog), the questions in this newsletter are an important tool for really challenging your program and ensuring its built to engage the right people to take meaningful action over a long period of time.

Afterall, our software takes a long time to build and will operate long after we have moved on, it makes sense that our security champions program needs to be built carefully and for the same sort of long term impact and longevity.

Until next week.

Laura

P.S You'll have to forgive me, dear readers for my 2 week gap. Last week I turned 40 and in gave myself a well deserved day off from all things security.

Missed the last Webinar?

In February 2024 we took a look at the cultural changes happening in software development teams and how they impact your application security program. Check it out and let me know what you think!