Discover hidden security talent: How to harness security champions

Want to scale your organization's security function by leveraging your existing talent? Here's how.

Amid sweeping layoffs in tech, how can you increase your organization’s focus on security without adding headcount? Implementing a Security Champions program can identify security talent and empower your existing workforce through security-focused cross-training to reduce risk.

When I joined Jotform as head of information security, I quickly discovered that my security team needed a presence on each product team. Our engineers are often the closest to any security issues that may arise.

Even with a strong group of security engineers, most companies can’t envision placing security-specific personnel on each product team.

What are security champions? Simply put, they are employees who work in non-security departments across an organization and play an overlapping role focused on security.

Once security champions are trained and energized, they can deliver value for the security team in several ways:

  • Ever-present security mindset on the engineering teams developing our key products
  • Point of contact for the security team at the working level
  • A resource who can share updated security messages and teach teammates new security techniques, elevating their own standing while benefiting the whole team

At Jotform, our program is paying dividends, but it didn’t happen overnight. First, I had to step outside my security background and convince the company, notably executives, that time spent by security champions was worthwhile. Only then could I start training my recruits on advanced security issues.

Those steps are necessary for any security champions program to be successful. Here’s how to accomplish those goals and make your own security champions program thrive, along with some additional helpful tips I learned.

Lay the groundwork for success

Most often, gaining executive buy-in comes down to assuring company leaders that the program will require a relatively small time commitment and explaining how the company will benefit. Additionally, for heads of product or engineering teams, there is the compelling benefit that their engineers will produce fewer defects after being trained as security champions.

After you get buy-in, invite your company’s engineers to an informal lunch-and-learn session. Teach them the basics about securing their code against a typical web-based attack such as cross-site scripting. The lunchtime setting will get your message across without being overbearing.

To close the session, end with an exclamation point: your best pitch. Focus on what the security champions program can do for them rather than what it will do for the company, as the latter aspect will be obvious. Overall, the message should be simple and powerful: Offer to provide basic, helpful knowledge to make them better engineers and help improve security.

A framework for training your champions

To empower your champions, you must upskill them while being mindful of their time. Spread training sessions out over six months or so. I found that a bi-weekly 90-minute Level One session focused on a particular topic, allowing additional time for discussion, is about the right amount.

You will likely lose some people, but once your first six-month program is completed, you can initiate your Level Two program spread over six months, putting what your champions have learned into action.

When your program starts and you hold your first session, begin with a brief roundtable discussion to ensure everyone is on the same page. Think of it as an intro to a college course and make it interactive. When I asked each volunteer about expectations for Level One, some said, “to sleep better at night.” Others said, “to raise awareness within my team.” Both are goals I share. Additionally, at least 20 reiterated that they wanted to learn and become better coders.

During Level One training, present one topic for each session, such as SQL Injection, and provide material showing the do’s and don’ts of that situation. The progress may seem slow, especially if you have pressing needs. But each session will bring you closer to having a team of security champions.

During the entirety of your program, and especially in its early stages, remember the spirit of your initial lunchtime session. Entertain questions and have lively discussions involving real examples. This is the essential part of your training, as everyone learns from each other in a collaborative environment.

At the end of your six-month Level One program, invite a portion of the group to continue to Level Two. Ask your champions to utilize their newfound skills and give something back to your security community by performing code reviews, identifying existing vulnerabilities, or contributing to security testing or coding standards.

As you build your security champions program, remember that you can have security champions in other departments, too. It may be as simple as finding finance people who can identify phishing emails or customer support people who independently read up on GDPR and ask questions about data privacy.

The bottom line

Security champions can improve security by sharing knowledge, empowering more employees, and creating a broader reach for intelligent security dialog. Altogether, your champions can have a tremendous positive impact by reducing overall security risk to the organization, which will help the entire company sleep better at night.

As Jotform's Head of Information Security, Johannes is responsible for the strategy and implementation of the information security program that safeguards the data entrusted to Jotform.