10. Anticipate personnel changes
What
The field of information security staffing has undergone significant changes over the last decade. The increased reliance on technology has made information security skills essential in many industries, leading to a high demand for information security talent and a large number of job opportunities. This high demand and abundance of opportunities has significantly increased the staff turnover rate, and companies find it harder to retain information security talent. Organizations therefore need to anticipate these personnel changes in their organization and in their security champions program, as they are unavoidable.
Why
Placing too high a demand on a limited number of individuals as Security Champions increases the risk of a Security Champions program failing when certain key individuals leave the organization or change role within it. Organizations need to acknowledge that people will leave, and ensure this does not endanger the continuity of their Security Champions program.
How
In order to ensure consistency and continuity in the Security Champions program, the following complementary recommendations can be made:
- Have a reasonable ratio of champions to developers (e.g. 1 champion per 25 developers for large organizations);
- Implement a T-shaped model for DevOps engineers; this means personnel possess a solid foundation in both development and operations, while also having the ability to contribute to other areas such as security (or automation, testing, etc.). Reward personnel financially for their “additional” skill. This is further highlighted in Principles 8 & 9;
- Ensure it is an officially recognized position in the organization and align with HR to adapt the recruitment & selection process towards hiring Security Champions;
- Run a continuous training and education program for security champions; this enables new joiners to grow into the role of Security Champion;
- Do not adopt the 1 Champion - 1 team model, but group champions based on specialism or type of technology, e.g. have a pool of security champions with expertise in container security or API security and use them as a liaison and knowledge base for their specific topic. Create collaborative working groups where knowledge is actively transferred. When one security champion then leaves the organization, the rest of the group is able to “absorb the blow” of that person leaving.