
The Four Tribes of Security Champions

BSidesSF 2025 · 29:37 · Published 2025-10
Category: Community
Style: Talk
About this talk
Marisa Fagan presents a framework for categorizing security champion programs into four tribes—Apprentices, Fan Club, Learners, and Sentinels—based on organizational culture and security focus. The talk explores how to align program design with corporate culture, from awareness-driven initiatives to hands-on security practice ownership, and introduces benchmarking tools to select the right approach for your organization.
Original YouTube description

The Four Tribes of Security Champions. Marisa Fagan. "The Four Tribes of Security Champions" is a framework to describe successful security champion programs. The tribes include: The Apprentices, The Fan Club, The Learners, and The Sentinels. We'll explore a benchmarking tool for each tribe to pick which approach is right for you! https://bsidessf2025.sched.com/event/779fef64647942d0aed1f8450a4d4381

Transcript [en]

So, hi everyone. Thank you so much for coming. Please give a round of applause for our first speaker today, Marisa Fagan, head of product at Katilyst. Just a small reminder before she starts: you see a QR code on the screen. If you have any questions, we'll take Q&A at the end of the session if there is any time left. So please scan the QR code and leave your questions in Slido.

All right. Hello, San Francisco. This is awesome. This conference is awesome. This is my hometown, so thank you all for flying out here so that I don't have to buy a burner phone to get on an airplane. Much more convenient for me. I appreciate all of you for being here. This talk today is something a little bit different from what we normally talk about.

First, let me introduce myself for anybody that is interested. Really this is just an excuse to have the biggest picture of me in history. This is insane. I have been, I like to say, building bridges, sometimes out of breadcrumbs, between engineering and security, trying to bring these two silos together for decades. Sometimes it works well and we really get these leaps forward, and this security champion program idea is catching on in that way. It's really exciting to be doing this right now, but I've been doing it for a long time. I managed the security champions program at Salesforce in 2015, at Synopsys in 2017, started at Atlassian in 2020 and then grew the program into a team. Now I am the head of product at Katilyst. So I've gone from a practitioner, joined the dark side, and now I'm a product manager. But it's all been a very exciting evolution of a way to iterate on this idea and really refine it as a craft. So I'm super excited to talk to you all about this.

A big shout-out to my friends at OWASP. I'm also a contributor to a project called the Security Champions Guide, and we're trying to create a kind of neutral best-practices statement that is crowdsourced by practitioners in the industry. So if you're here today because you are such a practitioner, please find the OWASP Security Champions Guide project and join us. It's a really fun group of folks. We all get to go to Barcelona in May to present our work at the AppSec EU conference. So I would really love for you all to join us in the OWASP project.

Okay. This talk will not cover what a security champions program is, but if you don't already know, I hope this talk will explain it by the end; after we're done you should have a pretty good feel for what is and is not a security champions program. We will not be covering best practices such as creating a vision and mission, delivering rewards and recognition, tracking behaviors in a system, gamification, or preparing champions for responsibilities. I know that's scary. Rolling out appsec practices is beyond the scope of this talk, and we won't talk about metrics. We will also not be talking about measuring the impact developers make on security goals: reducing the percentage of vulnerabilities in prod, growing thriving collaboration, that bridge I was talking about where security and engineering are finally working together. All of those concepts and more are covered in other talks this week. If you are interested in those, please check us out in the RSA talk, "Champions of Change: Successes and Setbacks of Cyber Ambassador Programs." We have Dr. Jessica Barker, we have the venerable Tanya Janca, we have Heather Reed and myself, all talking about our hard-won lessons learned about how to do security champions programs the most successful way.

But today I want to talk about research that has been done to bolster the concept that these are valuable programs. I would say essential programs that you cannot be without after your appsec program or your company reaches a certain size. You have outgrown doing this piecemeal and manually and individually, one by one, and having just good friendships and relationships. You have grown into needing a framework. You have grown into needing a structure, a reliable structure to track goals and progress for the relationship between developers and the rest of the... I'm sorry, between security and the rest of the company, between security and developers. You need structure.

However, we've come to the point where people have become familiar with the term "security champions." I took a very informal poll of three people earlier and we found that everyone has heard of the term security champions. Now what's happening is people are losing the thread that security champions is actually a lot of things; there's a matrix of things that can be security champions programs. And so today I have created a diagram out of this chaos. I was inspired by three things.

The first one is a paper put out in 2017 by Gary McGraw, Sammy Migues and some of the team at, I think, Cigital at the time, called "The Four CISO Tribes." They introduced the idea, at least to me, that CISOs are not a monolith: depending on whether they come from certain backgrounds or have inherited certain types of companies, there are four different approaches for security programs, and they called them security as an enabler, security as a technology solution, security as compliance, and security as a cost center. Through more elaborate, deliberate research than I have done, they found that the practices chosen by these chief security officers really skewed towards an approach. They took an approach that was very compliance focused and they did not see security as an enabler. These are styles that impact everything. So, a really interesting paper published in 2017. Give that a look.

Even before that, when I was a young, budding security practitioner, there was a book published in 2016 called People-Centric Security by Dr. Lance Hayden. In the security awareness and culture space, what Lance created really was definitive. He created a framework that put into words what we were all kind of feeling and assuming: that culture, security culture specifically, can be different in each company, but it comes from a structure, from the pieces that make it up, and that can be defined. He created this sort of matrix here. I will go through this a little more in detail in a second, but this was radical for the security culture space 10 years ago, because it gave companies that have compliance-driven cultures permission to do things that work for them. The best practices that work for an autonomy culture, which I call a cowboy culture, are not going to work for a compliance culture. And neither one is wrong. There are quadrants of best practices that suit each of these spaces.

So if you take one thing away today, what I hope you'll take away is that this is much more complicated than it seems. It requires a certain introspection. I'll talk a little bit about how to introspect and ask yourself the question: what is my security culture? Not what do I want it to be, or what do I wish it was, but what is it now? It exists now. Every company has a culture. It's comprised of the beliefs and the actions of the people, especially when they're not being forced to do something. What are they motivated and self-described to do? The culture exists. So take an honest look at what you have to work with.

The next thing: starting around the same time, in 2015, I started to do my own work and my own research here. So I have about 10 years of research and observations, and working with several companies, on what the quadrants of security champions are that can be mapped by pulling through the concepts of these two other bodies of work. So, are there types of CISOs that have landed at types of culture companies that need a certain type or approach for their security champions program? And if you get that recipe correct, guaranteed success. A lot of people are getting the recipe wrong and feeling like they're failing, and I'm here today to say let's try to tweak it first before you give up on the concept and say this is a prescribed failure.

Okay. So yeah, this looks about as janky as I thought it would. I took a photograph of a book. I don't have a scanner. Not that that would have been any better. You can see it's very clearly bent out of a book. I just wanted you all to know that I paid my $25 to Lance in order to publish this here today. And also, I've spoken to Lance about this and we have his blessing to take this work forward.

So, working from the top left, I just want to spend some time with this because it's just so good. Think about where you fit in this. You can see already that it has prescriptive suggestions for what you should take forward and what you should emphasize. So in a process culture you might work on defining your policies so that people have a guide they can reference. In a compliance culture those policies are not quite good enough; you need to be checking: are you enforcing those policies? You have an audit culture, and partnering with the audit team would be a fantastic way to capitalize on identifying which culture you have, so that you have found the sweet spot of how to find success. A trust culture, you can just kind of assume what this is like: do we trust each other? Do you empower people? Communication, participation, commitment, having people sign up, volunteer, join the mission, that sort of thing. I think the point here is that some places are like that and some places are not like that, and neither of them are wrong. And then you have the autonomy culture. This is the get-it-done culture. I think I also called it the cowboy culture. People are running in a direction, and the last thing security wants to be is the friction that slows that down. So how can you meet people where they are? How do you capture that excitement and then redirect it in the way that is helpful for security without putting in any roadblocks and friction, and security knows that we try not to have to do so. I'll leave it there. Check that out. But think about what already resonates in your mind. This is going to be the lens through which you pick all of the rest of your program decisions.

So this is the enormous diagram. You can see that, similarly to how Lance's competing cultures framework works, a single program will not have more than one area that it lands in. On the top we have Sentinels, and these are programs that emphasize security practices: doing the work, having responsibilities. Is it doing threat models, or is it mandatory certifications? These are things that are what consultants call security practices. Those are enabled for champions to do as well, not just the security team, so everyone has security responsibilities. And then left to right: is it corporate security? Another way to think about this is the security awareness side of things, commonly called security culture, but it's the whole company. I also wanted to call this side detection and response; that's a partner for this group. So corporate security, detection and response. I don't know exactly how your teams are all laid out, but you get the idea here.

So this is like company-wide awareness focus, but you can also have security practices that are rolled out at a company level. Like mandatory MFA, using a password manager, those things that require setup and doing, that's one example. But I also have up here Atlassian as an example, a program that I worked in a few years ago. A piece of that program that is really interesting to share is that they have a major incident response training. Incident response managers are a little community of maybe 30 people, and they have activities and they do this training, they get certified, and it's not just a once-and-done thing. They're now part of a Slack channel where they can get further validation from each other. The point is to keep them warm. You want incident managers to always be ready to do a tabletop, because the real thing... these are people that are not on the security team. They're in engineering. They're in infrastructure. So they might not have the daily affirmations that we all get that security is important. They might need some kind of structure to keep them warm on the topic. So incident manager training is the start; it's the opening of the door, but then they get added to a community, and we called them the security champions because they had taken an additional step to be more trained, more bought in, and ready to partner with the security team.

On the other side, where AWS is sitting today, this is where a lot of us are most familiar. The practices and appsec section is probably the most predominant thing that I talk about. It's the developers doing threat modeling, and this makes some people nervous. So this is the whole point of the talk: you don't have to have your developers own threat modeling to have a successful champions program. You could also go down and have developers engaged in a program where they're learning, they're doing brown bags, they're doing CTFs, they're participating in a community, they support each other, they're in a Slack channel, and they're a point of contact for the security team if needed, if something goes wrong. If they're working in a high-risk area, that can be an additional thing, but it doesn't have to be table stakes to be a security champion. You could have a learning focus or an awareness focus that's also a perfectly good program that can have longevity and really have some exciting impacts.

And then on this side we have the Fan Club. I hope by the end you'll have come to grips and forgiven me for all of these poorly named sections. The Fan Club is just... I don't mean it to be derogatory. I hope it doesn't come across that way, but what I really meant was the logistics of a fan club. You've got certain things that are explained. This is how you sign up for a membership. This is how you become a member. These are all of the benefits. They're really tangible and fun little things. You get a sticker pack. You know, if you join a celebrity's fan club, you have something in common with everyone else that's joined. You have a shared interest and it's just a fun thing that has this logistical structure that's really easy to set up, and you just copy and paste from every other fan club you've ever seen. It's a pretty good model. RX is a company that has posted about their program and posted about the kind of structure, if you wanted to look up the security awareness, and also awareness and learning, quadrant security champions program style.

At this point I would like to point out that there are not a lot of logos on this page. It was incredibly difficult to find companies that have posted publicly, either a blog post or a paper, about their program. So for all of you here that are like, "where's my logo? I have a really great program, it should be the most magic of the magic quadrants, up in the right corner up there": it's not here because your team hasn't published anything about it and I couldn't find it. So you didn't get to be in the very scientific diagram. Please publish more about your programs. There is a call for artifacts that the OWASP Security Champions Guide project is doing. We will host your documents if you don't want to publish them on your own blog page. You could also submit to OWASP anonymously. So if your PR team is what's stopping you from publishing, let's get this information out there, because now is the time. There are a lot of people coming to us asking how do we do this, and how do we do this for free? And that's where OWASP comes in, but we can't do it without your crowdsourcing support.

So, let's go through them all in a little more detail. The Apprentices, at the top right: the teams are expected to participate. So individuals might be volunteers, but the engineering managers have an expectation that they are going to nominate someone. This is where you get a heat map of sort of coverage across your organization: how many developers, how many teams support a champion. This is where you can get some sort of risk management data, if you have this requirement for teams to participate, and you can put in responsibilities if you have a trustworthy, reliable connection such as something that is written in a job description to participate. Like I said, threat modeling is usually found here in this style of program, a lot of shift-left activities, and the why for this style of program is that people are incentivized to do application security practices.

The Learners: these are still engineer and developer focused. It's the appsec side of the quadrant, but these are volunteers with minimal requirements. They are just in it for their own personal growth. There aren't a lot of team requirements laid on top of this. So: skills growth, learning, get a new certificate, practice a CTF with some fellow interested people. This is a lot more of a knowledge sharing community. And also, I'll say it a few more times in this talk, this is a great style for a champions program. Perfectly valid.

The Fan Club, as I was mentioning, is totally opt-in. These are people that are excited about the idea of it. They find you. They have signed up on your sign-up form and they want the fun stuff. You will find representation from all parts of the company, because the concept of security is interesting to a lot of people, especially these days: security and privacy, everything woven together. These are people that are going to find your guest speakers really interesting. Security Awareness Month is a great place to source folks for this type of program. Like I said, security awareness focus, if that's a differentiator that makes sense to you. And the why is you're promoting a shared sense of responsibility for security. In a very general way, security is everybody's responsibility. And I put brown bags as kind of where you see this.

The Sentinels: the doing-the-practices side of the awareness program. So you have Sentinels across the company that are willing to do more elaborate practices. If you wanted to beta test a rollout for a new zero trust solution, you would be able to lean on this group of folks; they're early adopters. They feel tech-savvy. They're in the know, but they're not necessarily developers. They could be anywhere across the company. Sentinels: all parts of the company. This is the see something, say something mentality. It requires a little bit of extra effort. It requires opening a ticket to report issues. So it's a little bit more high stakes than the Fan Club as far as what you get out of it. You should still look into rewards for reporting. I said we wouldn't talk about gamification today, but this is the sort of mentality: you're looking at Splunk, you're looking at your different endpoint detection systems, you're associating events to people. All of that can be rewarded. You don't have to just keep that information to yourself. Tell people, "I have been tracking what a good job you've been doing. Here's some sort of reward." Rewards are also outside of the scope of this talk, but there is an excellent resource called SAPS. SAPS: if you're thinking rewards have to just be t-shirts, have I got news for you. SAPS can be anything: access and responsibilities, power, that sort of thing. Those are rewards too. And it's really important to flesh those out and create a document where people can understand what's in it for them. A Confluence page, so it's all very clear. Oh, and then, as I mentioned, that was the incident response training at Atlassian; it's that kind of program, a Sentinels program.

Okay. So how do you find which tribe is your tribe, if you've already got something going and you want to just gut check that you're on the right track? The first step, and this is why I spent so much time with Lance Hayden's competing cultures framework, is that it's time to have an honest look and interview people and do a little road show and go around. Get out of your ivory tower and go talk to people and find out what kind of culture you actually live in. It's very important to align the culture with your program's goals. The next thing, I called it benchmarking, maybe just for the SEO value, but it's really just figuring out which are the actions and activities that align with which problems you really need to solve, and those are going to come from the overall security org program goals. What are the outstanding things that the security team is trying to solve? Those should be what you focus on. If training is not bubbling up to be a security org goal, I would just encourage you to ask what things are on the security org leaders' radar, and then take a base level measurement, and then see if you can improve those numbers, and then right-fit your metrics. In my travels I see a lot of people that are not quite picking the right metrics. That's a little outside of the scope for this talk as well, but just know that the more effort you put into the metrics, the more it will be worth it. Think about doing some research about other companies and what kind of metrics they're using for their security champions program.

In conclusion, the real framework is the friends you've made along the way. I also wanted to call this "the framework has been inside of you all along," but that also didn't seem right. I wanted to just say, I called this talk a framework talk because I thought it would convince you to come into the room, but you don't need a framework. You need an honest look at yourself. You need an honest look at the organization: asking hard questions and being prepared to get the answers from the people in your org, that maybe security doesn't have the best reputation right now and there are things you have to do in order to repair that connection and break through those silos. Much more important than dogmatically picking some framework that you saw at a conference is to just do the work and be with people and make friends.

The key takeaways: there is no one-size-fits-all approach. There are at least four approaches, potentially infinitely more. I would encourage you to match your culture to the security culture. Match it to your organizational culture. There are frameworks you can read to do that successfully. But be honest. It will be a difficult exercise that I don't think the security team has often had to do. But take a look in the mirror and ask what impact the security team has on your actual culture. Right? Metrics matter. Focus on work being done. Focus on impacts that are being made. If nobody knows that it happens, it's not an impact that you should be measuring. It works if you work it. There is no magical key to success and no perfect framework. Just keep working at this. Evolve over time. Start small. Keep chipping away at it. And join this community of people that are also chipping away at it, and let's knowledge share and do it together.

I would really appreciate it if you all put your questions in the Slido, regardless of the fact that I talked too long. I will go in the Slack channel and answer all of the questions. I will post a link on my LinkedIn. Please follow me on LinkedIn, and I'll answer all of the questions there, so you can find it at your leisure later in the week. If you would just grab the Slido link now, we'll catch up later on the questions.

Thank you so much, Marisa, for the presentation. Please give her a round of applause.