
The Security Godfather: Empowering Champions to Guard the Family

BSides Groningen · 2025 · 40:32 · 51 views · Published 2025-05
Style: Talk

About this talk
Full title: The Security Godfather: Empowering Champions to Guard the Family

Today marks the moment you stop seeing security as just a job and start seeing it as family business. A strong Security Champion Program isn’t just about protecting systems; it’s about building trust, loyalty, and leadership from within. Think of your champions as your capos, trusted allies who guard your territory and keep the family strong. Together, we’ll explore how to build an unstoppable network of insiders who turn your organization into a fortress.

By: Mike van der Bijl (LinkedIn: https://www.linkedin.com/in/mike-van-der-bijl/)
Event: BSides Groningen 2025 (official website: https://bsidesgrunn.org/, LinkedIn: https://www.linkedin.com/company/bsidesgrunn)
Transcript [en]

So, let's continue to the last talk of today. Mike, the stage is yours. Good luck. [Music]

Hello everyone. Thank you for joining me for this presentation about the security godfather: empowering the champions to guard the family. I hope that you are just as excited as I am about this topic, because today you will learn the family secret of how to create a security champion program and the best practices of it. And together we can rise as champions to guard the family and make sure it is as untouchable as the Corleone family.

Let me briefly introduce myself. My name is Mike van der Bijl and I will be your Don for today. I've come a long way in this family business. I started my career as a software engineer and performed that duty for seven years. After that I became a business analyst. From there I rose to the role of IT manager, and currently I have been exploring the field of cyber security for three years. So when it comes down to DevSecOps I should know what I'm talking about, because I've seen all perspectives. And when it comes down to my personal mission, it is about putting the people before technology, because most of the time we invent great tools to make our solutions better and safer. However, they don't always fit in the way of working of our colleagues, and that makes them less effective and less efficient. That is what inspired me to make this presentation: to focus on the people, then the processes, then the technology, because that will help in the end.

But enough about me; that is not what you came for. Let's start with the real topic. We live in a world where threats are lurking in the shadows, analyzing our behaviors and waiting for the right moment to attack us where we are most vulnerable. That's why we have to unite to safeguard our most precious assets: our solutions, our data, our people and our very own reputation. It is just like Don Vito Corleone taught us the importance of legacy, strength, family and loyalty. We must consider our legacy and the future that we are building together. Together we can build an empire that is strong and united.

In Italy we have a little saying that goes as follows: "The world is currently so tough and cruel that everyone needs a second father to look after them." And that's why they have the godfather, or better, in your organization, the person who is the driving force behind a security champion program. A bit later on I'll cover how you can create such a program. For now, let's take a moment to consider why such a program matters and what the benefits are.

In application security or DevSecOps there are a lot of activities that have to be followed to be in line with best practices but also to be compliant, and we cannot expect our teams to know all these activities and the guidance that is spread out. That's why we should give them clear directions on what kind of activities they should be doing, how to do those activities, and also when. And this is where security champion programs become essential. It is an effective way of empowering your teams and introducing those initiatives to them.

To make this a little bit more concrete: you might be familiar with SAMM, the Software Assurance Maturity Model. You see here an outline of it. SAMM is a powerful maturity model that outlines all the key activities that an organization should be doing to follow best practices and enhance their software security assurance. SAMM has categorized all those activities in five business functions. Every business function contains three best practices, every best practice is divided into two streams, and every stream has one activity that contains three objectives. And this can be quite overwhelming, especially when you realize this is just the starting point of your AppSec journey.

A lot of people always ask me: "Mike, where should I start?" I always say: start with the Organization and Culture activity in the Education and Guidance best practice of the Governance business function. Why would I say that? Let's take a closer look at this activity. Then we can see it is closely related to our software security champion program, and the first objective already sets it out: we should identify a security champion in every single team. Really great, right? Then the second objective is about formalizing this role in the organization: making sure there is specialized security training for developers, architects, product owners and everyone involved within software development life cycle management, and also creating a group of people who can help those champions out with questions but also validate the architectural choices that we are making. And the last objective is about creating a community, a space where people talk about security, help each other, support each other across teams and divisions, truly elevating the collective knowledge of the organization. Reaching this level puts you in the sweet spot of creating a successful, engaging security champion program.

So now, why is that? Why should you focus on this activity first? As I said, you're creating a community out of your security champions, and that will make sure your software security posture, your security posture in general, will mature way faster than ever. Why? That's actually because of the simple fact of having those security champions. To go a little bit more into detail here: a security champion is a trusted representative of their team. They can give you valuable insights about the actual way of working of those teams and how they want to work. So whenever you come up with a new initiative about an activity, tool or technique that you want to introduce, you can have discussions with all these security champions and get valuable insights about how to make it fit better in their way of working. And also, because you have these discussions, they will see the added value of those tools, because they are security-minded, and they can advocate to their teams that this is something we truly need. That saves you time, because they also speak the language of the developers better. Because they see the added value and it fits in their way of working, they are highly likely to actually use your initiatives and apply them within their way of working. And because they see it and want to use it, they're highly likely to contribute to it even more.

So now you have created something amazing. You don't push your security initiatives top down, but actually enable the change from within. And if you truly use their feedback and listen carefully to them, they will come up with new initiatives themselves. So you now have top down, enabled from within, and then a bottom-up approach. That's really great, because when we take a look back at all those activities you should be doing, they will mature way faster than ever, because they become more effective. Everyone is contributing to those activities, and your teams are reached way faster than ever. Really great.

So now that we understand a little bit about why it matters to have such a program and the benefits of it, let's see how we can create such a vibrant, engaging security champion program. Creating a security champion program isn't a task for a lone wolf. It is a task that demands the strength of a united family. You should surround yourself with close allies who believe in your cause. Best practice shows that there are around six to nine people, and they should all have different, unique expertise and preferably different backgrounds. So when a good champion comes, you have a broader knowledge bank in your family, but also a better reach in the organization, so you can implement it way faster, approach other teams much more easily and seek out help. Think about the people you bring together in your family: software architects, SREs, platform engineers, auditors, education and guidance; try to get the whole software development life cycle management in your family.

But remember: gathering a group together in a room doesn't forge a team. A man who doesn't spend time with his family can never be a real man. So invest in those relationships. Engage in team-building activities. Try to get to know each other, and not just in the realm of business but also on a personal level. Try to discover their hobbies, passions, interests, what their lives look like outside of work, because this will make sure that you understand each other deeply and how everyone will react in certain situations, so you know where it's coming from. You respect and accept each other, and it also strengthens the bond of trust. These two are very important in having a cohesive team. And trust is actually something funny. Most of the time we say, "here, you have my trust" or "I give you my trust". But actually trust isn't handed over. It has to be earned. It grows in an environment where everyone feels understood and valued.

In addition to those deep personal connections, we should also try to get to know what each other's strengths and weaknesses are, so we can use this knowledge to truly use each talent effectively. So everyone has the biggest amount of impact and added value that they can leverage. They will be more understood, and having added value feels better, which means more loyalty and more trust in the program, and that's really great.

Yet you must remember: you might have brought these people together with your initial idea about a security champion program, but true unity is forged from a common goal. No one will follow you when the vision only belongs to you. So we have to evolve our vision into a vision that belongs to everyone, a shared dream; call it the vision of the family. To craft a clear, compelling vision we should consider the following five components: imaginable, desirable, feasible, focused and communicable.

Starting with imaginable: we should convey a clear picture of the future state, what a security champion program will look like when it has been implemented. You could consider drawing a picture of a security operating model that showcases what the responsibilities and roles are like, such as software security architect, IT lead, product owners, how they will work together, and where the responsibility of each ends and starts. Also describe why having a security champion program is better than doing things the old way. Sometimes a new initiative isn't a step forward; sometimes it's a step backwards. So write down why it is important.

Then we can look at desirable: what makes our security champion program appealing to the long-term interests of those who have a stake in the organization? Think about senior management and C-level directors. We should describe clearly, on a business level, the advantage of having a security champion in the development teams, rather than just focusing on "shift left", or better said, expanding to the left, because when we shift left we forget about the later stages; when we expand to the left we do both the first and the later stages. But that's a discussion for another time. Make sure you really describe it well: what is the benefit of having it in a development team, not just the shift-left or expand-left situation?

Then feasible. We should describe realistic and attainable goals for our security champion program. What is it we want? How are we going to achieve those goals? And why do we want them? This can be things like: we want to spend a certain amount of time on security; we want to have a certain number of meetings with a security topic in our organization; we want to reach a certain level of knowledge in the organization; or we want to improve our CI/CD pipeline to a 2.5 out of 3 maturity. All really great goals. Look at what the goal is for you; you can have multiple ones. And it would be really beneficial for you if you can tie those goals to the overarching security goals, or the IT development goals, or even better the business goals. This will go a long way when you have to seek investors, but more about that in a little while.

Then we can look at focused. A vision should give you some guidance in decision making. So what are the boundaries of a security champion? What is the commitment towards the program by senior management? What can we expect from a security champion? What is their role? Is it their role to safeguard the entire organization or just a part of it, and which part is it then? What is their role within the development teams, and what is the comparison with security experts? Think about it and write them down, because this will help a long way in decisions.

And the final one is communicable. If a vision isn't communicable, it is just a fake image in your head. But that's actually not what I want to talk about here. You have to write down your vision at two levels: one very extensive and detailed, so you know exactly what, when, why and how your security program is going to be. But this one isn't really great to show to senior management or C-level directors, or just someone you met at the coffee corner whom you want to tell about the amazing thing you are working on. That's why you should try to create a picture that showcases how a security champion is enabling the IT goals, the security goals, or again, better, the business goals. This will go a long way within the organization. In the end it is this shared purpose, vision and the family bond that will make sure your security champion program becomes formidable, successful and one that stands the test of time.

So now that we understand how to create a vision and what components you should have in it, we can start with the next step, which is about gathering the time and resources we need to implement our security program. So we need to seek investors, a.k.a. our senior management. But before we approach them, we should try to learn about them. What are their preferences? What is their decision-making style? And we should seek a consigliere, a trusted advisor who can get us valuable information about senior management, who actually knows what kind of person it is, so he can tell us what type of language resonates and which to avoid, and how they actually run their business. These small details will make sure we can tailor our approach effectively, so we can make them an offer they can't refuse. And for those who are familiar with The Godfather, rest assured: I don't say we should threaten them with their lives or put an animal head in their bed. I'm just talking about a genuine offer that is so great that they can't say anything other than "yes, I want this; no, I need this". Great.

Currently we have a core family that is united with a strong bond, and we have our investors on board. Now we should think really strategically about our program. What kind of program do we want? What kind of program do we need? What kind of persons are we looking for in our security champion role, and what kind of mandate, knowledge and skills do they require? Where do they start, where do they stand, etc. It would be really great if we can create a targeted profile, a persona, of how the ideal security champion would look, because when we have this we can create those great champions. In your organization you probably don't have them right now, so you have to educate those great champions, and that's really great, because that means you can create road maps. We all know great people aren't born great; they grow great.

When building a security champion program, the hardest task, and maybe the most important one, is identifying the right person to fulfil the job duties of the security champion, because this role shouldn't be taken lightly. This isn't just any skilled developer. This is someone who is going to help you be in charge of creating a culture of software security posture enhancement within your organization. It is someone who needs to be inspiring, who can help others, and be a mentor. But how does this person look? What is the ideal security champion? Luckily for us, Don Vito Corleone gave us ten attributes. Every champion needs five core and five soft attributes, and let's focus on that part now.

Starting with the core attributes: curiosity and eagerness to learn. Security champions should be naturally curious and eager to learn and try to understand the complexity of security, and not just follow the best practices; they actually want to understand why this approach is better than others and in which situations it applies. They know that security and IT development are constantly changing fields, so a natural passion for learning new things is essential.

Then we have technical expertise in software development. A security champion is typically a software developer, but it doesn't have to be, and that's why they should have at least strong knowledge of general programming fundamentals, but also be familiar with the programming languages used within the organization, and they should have hands-on experience with software development itself. Additionally, they should be very well versed in the security aspects of the software development life cycle, all the way from the starting point when you are creating your epics, features and user stories, to secure code writing, code reviews, deployment, and even all the way up to the maintenance and operations part; that is important to know.

Then we have security awareness and knowledge. While security champions don't have to be full security experts, they should have at least strong knowledge of key security concepts like vulnerability management, threat modeling and secure coding practices, and they should be familiar with the OWASP Top 10 and common attacks like SQL injection, [inaudible], brute-force attacks and man-in-the-middle attacks.

Then the ability to spot and communicate risk. A security champion should be able to spot vulnerabilities in the codebase but also on a process level as early as possible and see the associated risk. And maybe more importantly, they should be able to communicate it to technical people but also to non-technical stakeholders, making sure security becomes relatable and understandable.

And the last one is about empathy. A security champion should have genuine empathy towards their development team, because they are under continuous tight pressure to deliver features with high quality and tight deadlines, and empathy will help them make sure they can introduce security measures without adding friction for the team, and make sure they see why it is beneficial for them in the long run. Those are the core attributes.

Now about the soft ones: strong communication and mentoring skills. A security champion should be able to communicate risk and security terms easily. In addition, they should be able to educate people about all those security controls, measures and best practices without making them feel overwhelmed and go on the defensive. They should lead by example, offer guidance and mentorship, and also be approachable.

Then we have collaboration and teamwork. A security champion is going to be a team player. They have to collaborate with a lot of people: think about architects, the development team, other development teams, product owners, security experts, IT leads. They should be a team player for that, but also because they are bridging the gap between development and security and trying to create a culture where security becomes everyone's responsibility.

Then we have a problem-solving mindset. A security champion should think critically and quickly come up with security solutions when an issue arises, and they should be able to handle situations where security might be in conflict with the IT goals and negotiate effective solutions, so all stakeholders are still happy and know where we are going, and there are no negatives.

Then a security champion has to be a leader and an advocate. They are the go-to person when it comes to security concerns within the project, so it is essential that they have the ability to inspire their teammates, in such a way that it doesn't come across as heavy or obstructive. They should lead by influence, inspiring their teams to take security seriously and showing them how the best practices can help them and add value to the solutions and the quality that we are building.

Then we have... I think I covered this one earlier. Sorry, I forgot one of the core attributes: hands-on experience with security tools. Additionally, a security champion should be familiar with security tooling like SCA, SAST, DAST, secret scanners, vulnerability management, etc., because this will give them a picture of how good their solutions are security-wise, and they can guide their team in fixing those vulnerabilities easily. Also, they should be able to automate these scans in CI/CD pipelines, so they have more time for the guidance and mentorship part.

Okay, let's continue to this slide; sorry for that one. In conclusion, a security champion, in addition to those development skills, is more than that. They are proactive, empathetic, inspiring, collaborative leaders who believe in the cause of security and the well-being of the enterprise, and nurturing these skills, abilities and knowledge makes sure that our security champion program creates a culture that empowers everyone, developers, architects, managers and beyond, to build safer and more resilient software.

Great. Now that we have created a profile of how our security champion would look, now it's time, my family, to seek out the security champions. Actually, we need to find our friends who are willing to help us and believe in our cause. And friendship is everything; friendship is more than talent, more than government, almost equal to family. That's why we should create a community out of it. To create a community, we should consider at least defining a purpose and goal, the scope of the community, that is aligned with the vision we created earlier on. We should assign dedicated family members who will interact with the community frequently, create measurable success criteria and monitor them continuously, so we can see if we are still on the right track. Then we should define how the community will align with the overarching security strategy and objectives, and we should have a family member attending the strategic update sessions. It will be even greater if you can find a security executive who will periodically provide updates in our community to showcase where we are going, what the strategy is, how the execution is going, how the champions can help them out and where they play a role in it.

Then establish regular communication channels and collaboration to make sure that security champions can interact with each other and also with the security team, the family. This can be done through online forums, chat groups, shared workspaces, social media accounts, mailing lists; it doesn't matter, as long as it is a platform that fulfils everyone's needs, like asking questions, having discussions, providing updates, and truly using this platform as an active knowledge bank for the organization.

Then organize periodic events and activities for security champions to interact with each other and learn from each other. This can be done through workshops, demos, presentations, panel discussions, group discussions, quizzes, games, etc. This is about showcasing a solution to a security issue, a challenge that might have arisen, a project that is going on. It would be really great if you can add an element of gamification to it, because this will motivate them even more and make sure they are more engaged. Think, for example, about a capture the flag; that is a really nice example of it, a really great way to showcase your skills and your knowledge, helping each other, learning from each other, and it also has a competitive edge, right? Who's the best? This also triggers the curiosity of the development teams, like: what is the added value of security for their solutions? Focusing on events and activities that are about gaining knowledge is really great, but we should also consider creating regular events about fun, getting to know each other, because we want the community. Community means loyalty, trust, and that means personal connections are also really important.

Then, as our security champions grow wise and mature in their role, we should acknowledge and reward them for the milestones they have achieved. And it isn't about the incentives that we are giving them. It is a powerful motivator and part of sustaining a strong, effective security champion program. Acknowledging and rewarding security champions plays a pivotal role in several ways. First and foremost, it fuels their enthusiasm and dedication towards the program. When they see it is appreciated, it will strengthen their sense of ownership. It will make sure that they take on even more initiative in deepening security within their development teams. This kind of recognition also helps them see that they have a positive impact on the organization.

Then, a rewarding program also cultivates a culture of continuous improvement. As a security champion evolves and matures in their role and broadens their knowledge, we should celebrate those milestones and reward them, for example by giving them public acknowledgement, badges, trophies, certifications, or maybe more tangible things like leading workshops, representing their company at external events or contributing to strategic discussions. This will go a long way, and this validation motivates them even more to keep pushing the boundaries of their skills and knowledge.

In addition, rewarding champions reinforces the collective success of the security champion program. It creates an atmosphere where security is not seen as an individual responsibility but as something to be proud of, something to be celebrated by the entire organization. It reinforces a community mindset and helps champions feel like they matter and are part of something bigger than just their own role. And finally, a rewarding system is an instrument in talent retention. When the organization demonstrates that it values their expertise and the contributions they make, it will encourage individuals to stay engaged with the program for a longer time, and this reduces turnover and motivates the champions who are invested in the ongoing success of the organization. In the end, rewards aren't just about the incentive or the celebration of achievements. They are about motivating and reinforcing gratitude for the effort that people put in to make security a core part of the organization's culture.

To build a successful security champion program it is essential to invest in the development and growth of our champions. The investment we make today isn't just about them growing into their role. It is about strengthening the security posture of the organization for the long run, and supporting their growth and development is an essential part of it. We should give them opportunities to learn and advance in their career. And, as I already said, security is a constantly evolving field, so they should always be up to date with the latest knowledge, trends, activities, tools and threats that can come after us. So we should give them regular training, access to certifications, and maybe let them attend security conferences like this one to stay up to date with the latest knowledge. Additionally, we should create personalized growth paths for those champions to show them what kind of skills they should be developing, what milestones they should aim for, and what kind of leadership roles they could grow into. That is really great, and it will show them that you are invested in their professional development and where they want to go, and they feel valued and supported.

So I will go a little bit faster through the slides, because I see I don't have too much time anymore. But ensure they feel valued. It isn't just about the rewards that we are giving them. It is also about making sure they feel valued on a personal level, that their contribution matters and that they matter as a person. So check in regularly with them: ask them how they are feeling today, whether they have everything they need to advance in their career, and those kinds of questions. This will show them that you really invest in their growth and that you really appreciate them, and also try to have leadership acknowledge that their contribution matters.

Then, while it is important to invest in our security champions, it is equally important to anticipate natural turnover or personnel changes, because everyone is on the move constantly. Organizations change, team dynamics evolve. So we should think of a way to anticipate it. You can think of creating a strategic plan for identifying new potential security champions all the time, to have a steady pipeline, so when someone leaves you can replace them easily with someone else. Moreover, make sure your security program is scalable: write down documentation, guidelines and training material so that every new champion can step in more easily, and make sure you have knowledge sharing within the organization, because when someone leaves the organization the knowledge stays within the community, so you can keep up the momentum of your program.

So in this cruel world where we are currently living, we can't afford to wait for trouble to come knocking on the door; we have to unite to safeguard our solutions, our family. Today you have learned valuable lessons about how to create a family, how to create a team, how to get the investors on board, how to create a profile of how a security champion should look, and you know how to invest in them, not just with tools, techniques and knowledge, but also with opportunities, motivation, guidance and mentorship. And maybe more importantly, you know how to keep the momentum of your security champion program alive, to make sure your legacy doesn't fade away but grows stronger with every generation, because the threat we see isn't the worst one; the worst one is actually the one that we ignore. And we don't just create a program; we make them an offer they can't refuse: to stand with us, to protect what matters, to become the guardians of the future. This is our security family. Thank you so much for having me here and for your attention. If you have any questions, I will be more than happy to answer them. Once again, thank you, and may your family be as untouchable as the Corleone family. Thank you.