3. Secure management support


What

Ensure your security champion program is recognized as a formal program with a set purpose within your organization. This is achieved when you secure management support for the program.

Why

A successful security champions program brings unmatched security benefits to the table. It scales your security mindset and your security organization into the IT department. Security champions means that IT engineers are championing security. Doing so requires the IT department and other relevant departments to spend time, effort, and budget to create, nurture, and enable the security champions, and this priority will conflict with other IT and business priorities. From experience, we know that when priorities conflict, formalized priorities win the battle. Even the most passionate security champion will struggle to prioritize security over their expected workload. This can lead to frustration among your security champions and will harm your security champions program.

That is WHY we strongly advise securing management support for your security champion program. This makes the program a formalized priority for the IT department and thus for the security champions. Security champions can then spend the time needed to improve security without the constant distraction of explaining to IT leads, product owners, and middle management why time is being spent on security activities.

How

Setting up a security champion program requires a thorough analysis of the stakeholders whose approval and support the program needs. The Head of IT, to whom the security champions report, is a key stakeholder. This can be the IT department doing application development, the IT department doing infrastructure development, or both. Besides the Head of IT, if there is a security or CISO department, management from that department is also a stakeholder, as they set the direction of security and of the security organization. There are views that security champions are an extension of that security organization; therefore, the manager of the security organization is a key stakeholder in securing management support for your security champions program. Another dimension to consider is whether your vision of the security champion program states that being a security champion should be included in the job description of IT engineers. If so, it is advised to identify HR as a stakeholder as well.

Once the right stakeholders are identified, it is advised to understand what is essential to each of them and to build your security champion program case around those interests. For the Head of IT, this will be in the direction of utilizing IT resources optimally and delivering IT fast with adequate security/risk levels. For the security organization (CISO), what matters is that security processes, expectations, and governance are embedded in the champions model, together with a clear articulation of the benefits of having such a security champions program on top of the existing organization. For each stakeholder, the benefits should be articulated, including how the program addresses the potential risks they see to their objectives.

Finally, the program proposal should be approved by each identified stakeholder, which makes the program a formal program.

Please see this artifact used by a financial company (bank) to build its case for formalizing the security champion program.

(P.S. The included artifacts contain clear disclaimers about the organization's context and why reconsideration is needed before copying the model into the reader's own organization.)