
Building an Effective Security Champions Program

BSides Vancouver Island · 2025 · 7:01 · Published 2025-04
Style: Talk
About this talk
🎯 Building an Effective Security Champions Program: Insights from Tanya Janca and Liam McGovern! Dive into the world of security culture in this engaging talk with Tanya Janca (@SheHacksPurple) as she interviews Liam McGovern, a Product Security Engineer at Cribl. 🌟 Together, they explore the secrets to creating a successful Security Champions Program that transforms security into a team effort. This conversation is packed with actionable insights to help your team embrace security in exciting and meaningful ways. Don't miss this opportunity to level up your approach to cybersecurity! Join us for BSides Vancouver Island 2025 on October 3, 2025. Visit bsidesvi.com for updates and details. See you there! #BSidesVI25 #CybersecurityJourney #BSidesVancouverIsland 🏝️ #CyberHeroes #SecurityChampions #SecurityCulture 🌐
Transcript [en]

Tanya: Hi, I'm Tanya Janca from Semgrep Community and I'm here at BSides Vancouver Island with my friend Liam McGovern. Can you introduce yourself a bit?

Liam: I absolutely can. My name is Liam McGovern and I work for a company called Cribl. I'm a product security engineer and I've been very lucky to know Tanya for quite some time now.

Tanya: Yes, we got to work together. I convinced him to move across the country to Vancouver Island, because Vancouver Island's amazing, isn't it?

Liam: I'm very lucky to live here. It's incredible.

Tanya: But the reason I wanted to interview him is because he also thinks security champions programs are awesome. Can you tell them what that even is? A security champions program.

Liam: Oh, yeah. So, it seems like security champions programs have a different definition depending on the organization that you work with. Where I'm working now, security champions is really just a group of folks who get together and we aim to discuss topics related to product security, application security, whatever you want to call it. At Cribl, when I first joined, they recognized that security was something that a lot of people were interested in, but they didn't really have a space to talk about it. So, it was pretty easy to convince leadership that we need to employ a security champions program. In the early days, it was really just a bunch of my friends kind of getting together. And I think that's how a lot of these programs start. And then over time it organically grew and we would cover a variety of different topics. In the early days I really wanted people to be engaged and interested in the security champions program. So I would find a vulnerability, hopefully in our product, that we had resolved and go into detail about how we identified it, how we remediated it, and how we're going to prevent it from happening in the future. And my intent there was so that we would have content that folks would be naturally pulled into and find interesting. But over time, I kind of sneakily manipulated them into learning about threat modeling and a variety of different topics that, if you don't know otherwise, seem a little bit boring. But yeah, are there specific areas of security champions that you want me to dive into a bit further?

Tanya: I want to talk about the benefits, because sometimes I'm trying to convince companies that you can do that and there are, in my opinion, many benefits. What are some of the ones that you think are important?

Liam: I could talk about metrics and maybe I will, but I think the most important thing would be that through this program, we've had the opportunity to make security cool. And that's kind of intangible and hard to measure. It's the moments I get from working with people who have been security champions, or who have met me otherwise, where they say stuff along the lines of, "I'm used to being told I can't do things, whereas you guys are patient and I kind of understand where you're coming from." And I feel like that's come from being in front of people and having these sessions where we're teaching them in a not super formal fashion, not in a fashion that's like "you need to do this," like here's the stick, so to speak. It's being able to develop an atmosphere where people feel as though security is not scary. It's an open discussion. You can come and chat with us about it. So I feel like that's the biggest benefit. Secondarily, we do try to make sure that if they identify a security issue, we've got metrics on that, so that we could say, "Okay, look, you know, now these people who weren't previously in the program, who had not found any vulnerabilities, have found vulnerabilities, and we can correlate that with their presence in the security champions program." I do feel like it's a bit challenging to identify metrics that are associated with security champions. We can say participation in events and try to say, "Okay, that's the hockey stick. You know, it's going up and to the right a little bit," but it can be difficult sometimes to communicate the value of it. But frankly, the most important thing is being able to work with people and see that they're more disarmed and open to discussing security things. They're interested. That's the most important thing when it's successful.

Tanya: It reduces friction, improves the security culture, and it builds trust.

Liam: Seems accurate.

Tanya: One of the things I've seen with security champions programs is it can reduce absenteeism and increase morale for the people that are security champions. Have you seen anything like that?

Liam: Honestly, I don't think I can speak to that. I don't know exactly when someone's out of office. Hopefully, it's improved morale. I can't say that when we started the program morale was horrible and that morale is amazing now. It's been pretty good consistently. So, I can't speak to that. I don't have evidence that it's gotten any worse. I'm sure that's the case. I think just being able to see people excited about security, and if that's not increasing morale then I don't know what is.

Tanya: Okay, that's awesome. So another thing: I see the value from an organizational perspective of having a security champions program, for you as a product security person. How does it affect your job to have champions that you can count on?

Liam: Like you said, champions you can count on: people that you can reach out to when you have a concern. Make sure that before you go and publish this ticket that may have some sort of ramifications, whether it's a P0, a blocker, it's going to mess with the build, it's going to mess with release day, there's someone that you can reach out to and confide in and say, "Okay, am I crazy? Do I actually understand the risk that's associated with this? Do you see this much risk?" And then by working with those people, you have some who will back you up and advocate on your behalf when you want to say, "Actually, this is a really big deal." And it's not that we're anticipating an adversarial experience. It's more so just that you have some people who deeply understand the product, who are the subject matter experts, and you can work with them to make sure you're communicating clearly, in a way that the audience is going to understand: here's the impact of this vulnerability, or whatever it happens to be that you want to move forward.

Tanya: Okay, so that's awesome. Imagine my audience is like, "This sounds great. I want to do a program. Where do I start?"

Liam: I think the right answer is to make sure you have your management buy-in. Whatever the leadership is in the company, the people who you're going to be asking for their employees' time or their time, make sure that they're on board. If they're not on board, you can end up with some tight situations. I think that's the first step: just sell them the idea. Hopefully through watching this and other sessions like this, you'll be bought into the idea. Hopefully, you get to the point where you're pretty motivated and excited about it. Share that with them. They're willing to understand how you're going to save them money, save them time, improve morale, reduce cost. So, it's really important that you get that leadership buy-in and then try to have a vision that you can sell people. You can approach them and say, "Hey, this is what it's going to look like. This is what I'll be asking for from the people who participate. This is what you should expect." Just follow the plan. I think you have a really good article about putting that plan into place. Go read the article. Go do that. Just making sure that you've convinced the right people. The next part will be coming up with the sessions. Making sure that you're continually engaging. Having a cadence that works for you and the organization, so that you're not going such a long distance in between sessions that they've forgotten about it, or said, "Oh, you know what? I don't care as much about this." Trying to time things so that it's not, at least for us, correlating with a release or some deadlines that a bunch of people have. Trying to make sure you can get as much attendance as possible. The follow-through execution is, as with anything, very important.

Tanya: Liam, you rock. Thank you so much.

Liam: Thank you for having me.