A security champions program is critical to maintaining an organization’s security culture, but during the COVID-19 shutdown, teams could find themselves working with one hand tied virtually behind their backs. Telework arrangements, online meetings, collaboration software and extensive smartphone use can keep an organization running, but they can’t recreate the casual interactions that are an underrated element of getting work done — and an important part of how security champions carry their message.
“Security champion,” after all, isn’t necessarily a designated job title. They are often volunteers who help spread the word about an organization’s security message while staying alert to potential issues as they crop up. They don’t have to be security pros, either. In fact, the nature of their mission requires that they have other areas of expertise, but they have an interest in security and in ensuring that the organization’s software and applications provide the necessary controls and protections. In many organizations, a lot of their interactions are informal. These kinds of interactions give security champions the opportunity to bring up an issue, ask how something similar has been dealt with in the past or pass along ideas on what to do next.
When interactions are moved exclusively online, a lot of that can get lost. You don’t schedule a Zoom meeting or go on Slack to ask about weekend activities, how someone’s kids are doing or where to find a reliable plumber. But the casual camaraderie of such exchanges gives security champions the opportunity to raise a subject that colleagues might not be concerned with at the time. Those conversations help keep security concerns front and center in an organization.
Informal communication often lost by WFH
How has the pandemic changed these exchanges? It’s hard to measure the impact several months of shutdowns have had on the work security champions do. The progression of such programs isn’t linear, moving along some chartable line of success or failure rates, so it’s not something anyone has reliable data on, at least not yet. But the changes have had some obvious impacts. At Denim Group, for instance, we’ve noticed that the traditional communications channels have deepened — developers and security pros who were already using, say, Slack, have made greater use of those channels. But the informal channels of communication have, in some cases, been forgotten.
And that’s where security champions can step up their game with a focused effort to put collaboration tools to use. The pandemic shutdown led to employees communicating via Zoom, Slack or other tools that they were familiar with, but may not have actively used. Groups within an organization, such as the management team or developer team, are mining those channels within their own fields, but there’s an opportunity for security teams — and security champions — to use those channels as well. With regard to software, developers are the center of gravity, so security people should follow them to their meeting places. It’s a practice that has been recommended for as long as collaboration tools have existed. If you want to talk with developers, use the tools they’re using. The shutdown has opened the door to making more use of them.
Collaboration tools can also be employed to keep up the kinds of casual office interactions that have been missing, which can help when an issue arises. In the office, it’s fairly easy to approach someone you say hello to each day, even if you don’t typically discuss work matters. In a remote environment, however, you may not have encountered them at all for three months. Using communications tools to keep in contact with them fairly regularly could make raising a security topic easier.
Online impact of security champions
The goal of security champion programs has been to push security knowledge and awareness out to developers and others in an organization, and to make it local, with a comparatively informal approach — as opposed to inflexible, company-wide programs — that can match the cultural and practical needs of developer groups within an organization. That approach may be more important now than ever with people working remotely and limiting themselves to their own respective bubbles.
Traditional, formal approaches to security awareness can be somewhat stilted. They are even less effective in a world where workers are scattered and forced to rely on online tools. Making use of those tools to bring the security message to them in the online places where they congregate can have a great impact.
About the author
A globally recognized application security expert, Dan Cornell has over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. Cornell is an active member of the development community and a sought-after speaker on topics of web application security, speaking at international conferences including TEDx, RSA Security Conference, OWASP AppSec USA and EU, and Black Hat Arsenal.