Welcome to this issue of the WeAreDevelopers Dev Talk Recap series. This article recaps an interesting talk by Tanya Janca who gave advice about how to find and teach the perfect persons to be your security champions.
What you will learn:
- How to attract the right people to your program
- How to engage them, and turn them into security advocates
About the speaker:
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
In this talk, Tanya tells us all about what security champions are and how to build them up. Or in other words, how do we find a “regular person” and teach them how to be a security champion.
So, what is the recipe we will follow? There are six steps to follow:
- Recruiting your champion
- Engage your champion
- Teach your champion
- Recognize your champion
- Reward your champion
- Don’t Stop!
But first, we start by talking about an industry-wide problem: there are not enough application security professionals or people that know how to secure software. And because of this shortage, we must scale.
So, what is a security champion?
The Wikipedia definition goes as follows:
A security Champion is a member of a team that takes on the responsibility of acting as the primary advocate for security within the team and acting as the first line of defence for security issues within the team.
The “Tanya-Definition” is a little different. First, they are your communicator. They deliver security messages to each dev team, teaching, sharing, and helping. Also, they are your point of contact. They deliver messages to the security team and keep you up to date on what matters to your team. Finally, according to Tanya, they are your advocate. They perform security work, for their dev team, with your help.
So, after defining what a security champion is let’s go on and start with Tanya’s recipe.
1. Recruiting your champion
First and foremost, the number one rule in recruiting: Do not “voluntell” someone to be a security champion. Tanya has often seen questionable recruiting methods (like “you were the last one to arrive at the meeting, so you are the new security person”). Unsurprisingly, these are the wrong ways to do it.
Attract the right people instead.
The second rule in recruiting is: Ensure managers are on board and will give the champs time to do this important work.
You don’t want them working against what their managers are telling them to do, because they are going to be conflicted. If the bosses are not in favor of spending work time on security work, you need to solve that problem first.
But how do you actually recruit? Tanya likes to start by simply sending an e-mail to people she thinks might be interested in the job. In this mail, you can write something like: “Hey, I started building up a security program, and since you are always asking these really interesting questions I wanted to ask if you are interested in being involved”. Also tell them why you thought of them in particular, what exactly the security program is, and how much of a time commitment you will need from them. It is also good to have a management agreement in place before you start asking people, so they know it is a company concern.
Trainings are also a good opportunity to give people the chance to reveal themselves. Tanya says that she is now good at giving talks, but she was awful when she started. The more she was on stage, the easier she found it, and now she loves presenting as well as teaching it to others and giving workshops. Most of the time she finds someone in the learning group who stands out. Those are the people who ask a lot of questions, make eye contact, or bring material they found themselves. Exactly these are the types you want to send an invite to. For more reach, add to your email signature that you are looking for security champions.
Another important factor in recruiting is to attract volunteers. You can use lunch or trainings to get to know potential candidates. Anyone who asks questions and/or attends all the events is a potential champion. Also, make sure to use an interesting title for those meetings as from Tanya’s experience the first impression is very important.
2. Engage your champion
What exactly does Tanya mean when she says “engage”? Occupy, attract, and involve developers in security activities. But that works both ways, so you also need to participate in what your champions are doing. This helps you find out what they are working on, whether they need help, and what you can do to make their job easier.
But how to engage them? First, bring them on an incident. Tanya herself got hooked on being a security champion by going on one incident.
Also share (appropriate) secrets with them. Giving insight into sensitive information helps to let them grow in their new responsibilities. Also let them see everything first like new tools, changes, information, and ask their opinion about it. To streamline this process, you should create a mailing list to pass on the new security stuff. Through this distribution method, you can also share other materials you found like articles, podcasts, videos, and so on.
To intensify the connection, set up a meeting at least once a month with a list of questions ready. Those could be: What are you working on? What are you going to be working on next? Do you need any help? These questions will spark conversation and lead you down the right path.
But also brace yourself for bad news, as when a champion starts to trust you, they will tell you things that might make you upset.
Also, show them contact points like security communities and conferences to further increase their skills and to make it easier for them to connect with fellow champions.
3. Teach your champion
A general rule is to teach your champions only what they need to know and nothing more. So, think for yourself about what you need, expect, and want from them; this streamlines your teaching, and the champions don’t feel like you are wasting their time with things you happen to find interesting but that are not necessary for them. Good topics for champions are secure coding and architecture, your policies, and your tooling.
4. Recognize your champion
Tanya points this out as a very important part of her recipe. By recognition, she doesn’t necessarily mean rewarding them monetarily, but rather letting their peers, their bosses, and most importantly themselves know that they are doing a great job and are an asset to the company. Don’t make them feel as if you take them for granted.
There are some tips from Tanya on how you could recognize your champions:
- Create a certificate to put on their wall
- Recognize them in front of their peers (special virtual background, put a star on their name in Slack, etc.)
- Important: put a note on their performance review about how much they helped you. The more detailed you get with it, the more appreciated they will feel.
- Tell their boss every time they do something that makes a big difference
- Send them an email when they did something big and let them know that you saw it
5. Reward your champion
Reinforce good behavior, instead of punishing bad! Keep in mind that people react differently to compliments. Some are very happy when you do it, but some others need to be rewarded in other ways to keep them happy and make them feel appreciated.
Reward good behavior with anything you (reasonably) can. That could be:
- Security-related gifts like books, videos, training, CTFs
- Giving them your time and attention as a reward
- Helping them with more than just security (like connecting them with other people)
- Letting them see new tools first
- Letting them help you make decisions
6. Don’t Stop!
This point is arguably the hardest one to achieve in Tanya’s recipe. But always remember: Consistency is key!
If your goal is to arrange monthly meetings, don’t do five in the first month and then run out of steam and stop. Do just one per month, but make that one really count and prepare for it properly. It’s not the end of the world if you accidentally drop your schedule, but try to pick it back up as soon as possible.
Also don’t forget that some champions will need more of your time than others, and some will perform better than others. Make the effort to get to know each and every one of them so that you can meet their individual needs.