2. Start with a clear vision for your program
What
A vision is defined as “the act or power of imagination.” When you apply vision to the future, you create a mental picture that can be used to direct your and your organization’s actions toward achieving security. A vision for a security champions program serves as a guide to achieving security in your organization and can provide a sense of purpose for the IT engineers doing security work.
Why
Having a vision is critical for your decision-making and the long-term success of your program. It gives your program purpose, and clearly articulates the ‘why’ and ‘what’ that you want to see happen and the change you want to achieve. Without a clear end goal or destination from the outset, it will be difficult to create meaningful goals and strategies and make effective decisions.
There are several angles for defining a vision for security champions. The most common angle is that of democratizing security knowledge in the development teams, removing dependencies on the central security team, and governing security in development teams.
How
A successful vision must be:
- Imaginable: Convey a clear picture of what the future will look like. Translating this to your security champions program, consider drawing a security operating model with the roles and responsibilities of the security champions, dev(ops) engineers, IT Leads, Product Owners, and the security organization.
- Desirable: Appeal to the long-term interest of those who have a stake in the enterprise. Translating this to your security champions program, consider describing the benefits of embedding security in the development team through a security champion who has the mandate, knowledge, and skills to do security.
- Feasible: Describe realistic and attainable goals. For your security champions program, include goals like “hours spent on security by the champion”, “training objectives of the champion”, “the number of security champion meet-ups”, “the decrease in security risk”, etc.
- Focused: The vision should be clear enough to provide guidance in decision-making. What are the boundaries of the security champion role, what commitments does senior management make towards the program, and what is expected of security champions? Is the scope of security champions to secure the entire enterprise? What is their role within the development team? What is their role compared to that of the security organization?
- Communicable: A vision is easy to communicate and can be explained quickly. Don’t write several pages of vision. A picture showing how security champions enable your goals in security and IT development will go a long way.
Please note that it is not advisable to create your vision in isolation. By involving as many key stakeholders as possible, you enable people to take greater ownership of the vision and increase their commitment. Think about including IT Leads, POs, senior developers, and security leaders in the vision creation process. Once the vision is a good draft, test it by explaining and selling it within your organization (senior management, the developer community, etc.).