Your company has decided to add security champions to improve its overall security posture, and you’ve chosen great candidates to take on this role. The next step is to define the responsibilities of your security champions so everyone is on the same page and the role produces positive results throughout the organization.
One of the most important duties of a security champion is to act as a liaison between the security team and other employees. It’s recommended that, whenever possible, each department have a security champion who has already proven to be a team player. Employees are more likely to listen to and work with someone they already know and who has a good understanding of their department’s environment.
In this role as liaison, the security champion provides a human touch to security. They should be able to take the technical language of the security team and relay the information to their co-workers. The security champion not only shares important security-related news but also answers questions, so they should be comfortable with regular interruptions. Because the security champion should be the single point of contact within a department, everyone knows who to turn to.
The security champion is also tasked with overall security awareness within the organization, whether that means secure coding standards for the software development team or security awareness for the finance team. Regular meetings with the other security champions (as often as weekly, but at least once a month) allow them to coordinate training efforts and to address security issues that come up.
Technical Know-How
Most security champions have some technical responsibilities as well. The original role of the security champion was to improve security in application development, and within many organizations, security champions continue to take on the role of providing application security. Application security champions should also know how to code and be prepared to recognize and mitigate bugs in the software. It is helpful if the security champion has white-hat hacking skills, which help with the triage of vulnerabilities as well as with the training aspect of the role.
Security champions aren’t just about ensuring internal security. They should be part of the software security process to ensure that customer-facing applications are released in a timely manner but with high levels of security assurance.
Security is the number one responsibility of a security champion, but security comes in many forms, from software development to employee education. The security champion’s most important responsibility is to be both passionate and knowledgeable about all facets of security within the organization and use that passion and knowledge to improve the organization’s security posture.