Building a Security Champion Program
Tanya Janca on why your organization needs security champions, and the recipe for making them.
What’s a security champion, you ask? Tanya Janca of We Hack Purple stopped by the Juniper booth at the RSA Conference 2022 to explain the who, what, and why of building a security champions program at your organization. Learn everything you need to know about security champions from her short presentation.
You’ll learn
Why it’s beneficial to have security champions in your organization
How Tanya builds security champions programs
How to encourage people to become security champions
Transcript
0:06 hi everyone thank you so much for coming
0:07 and thank you for having me because
0:09 there's so many things here i really
0:11 appreciate it so i wanted to talk to you
0:13 about security champions today so first
0:15 i'm going to tell you what security
0:16 champions are supposed to be and then
0:18 i'm going to talk about how i stumbled
0:20 into building a champions program and
0:23 then how i ended up just building tons
0:25 and tons of them for several companies
0:27 so
0:28 i was a dev for a really long time
0:31 and when i switched into security i had
0:33 no idea i was a security champion i was
0:35 really excited i was learning stuff on
0:37 my own i was reading blogs listening to
0:39 podcasts very excited and every time
0:41 there's a security bug i'm like i'll fix
0:43 it i got this i want to talk to the pen
0:44 tester i want to do this i want to do
0:46 that and i got really really excited
0:48 about security and eventually the
0:50 security team said well
0:52 we have an opening do you want to apply
0:54 and i was like
0:57 and surprise, i got it i was the only
0:59 applicant to be clear but
1:01 um so
1:03 a security champion is supposed to be
1:06 your
1:07 person on every single different team so
1:10 this could be someone on the marketing
1:12 team this could be someone on the sales
1:14 team
1:15 this could be someone on each different
1:17 software development team where you work
1:19 and if you work at juniper there are a
1:21 lot of software developers and network
1:23 engineers
1:25 this person that is on another team
1:28 is your champion and by that i mean they
1:30 sing the praises of security you tell
1:32 them about for instance marketing teams
1:35 you're like gdpr let's not violate that
1:37 every day and get sued it'll be great
1:40 and so you teach some of that and you
1:41 tell them about it and that person
1:43 that's the champion
1:45 does that work for you so
1:48 they communicate on your behalf
1:51 they tend to teach other people
1:53 on their team they're like hey you're
1:55 gonna do that and like put all that data
1:56 into facebook but we didn't ask
1:58 permission from our users to do that so
1:59 we're not allowed to do that so please
2:01 stop
2:03 and then
2:03 in vice versa you teach that person you
2:06 encourage that person you enable that
2:08 person to do their job securely
2:10 and help give them all the tools and
2:12 education they need to help their entire
2:14 team succeed
2:16 and so
2:17 i was a software developer and i
2:18 switched to security but at the same
2:20 company and so all the devs were my
2:23 friends that's who i had lunch with and
2:26 so then i started talking to them and i
2:28 said hey i want to scan your apps with
2:30 this little dynamic scanning tool
2:33 but i don't have time to do all 150
2:35 there's like two or three hundred of you
2:37 there's one of me
2:38 can i show you how and could you scan
2:41 those apps for me and then tell me if
2:43 you need help and i'll be there
2:45 and then before i know it i had one
2:46 person on every single team
2:48 that was my guy or my gal who would help
2:51 me and so then i would
2:53 start meeting with them at least once a
2:56 month if not more and i'd be like hey
2:57 stephane how's that secure coding
2:58 library going what's up man
3:01 and i ended up building these really
3:03 strong relationships with the devs which
3:05 was different because i was on the
3:07 security team and so then when stephane
3:09 who was my secure coding librarian which
3:12 is awesome
3:13 when he would say to his teammate like
3:16 hey
3:17 you didn't scan your app like you're
3:18 supposed to or hey
3:20 like remember she taught us not to do
3:21 that
3:22 that's their peer saying that to them
3:24 instead of the big bad security person
3:26 because when i went on to my next office
3:28 i as the security person the devs didn't
3:30 know me and previously they had been in
3:33 my opinion abused by the previous appsec
3:36 person that yelled no a lot apparently
3:39 and so i had to rebuild trust and again
3:42 reach out to each team find that person
3:44 who wanted to work with me
3:47 and one day i met this guy named ray and
3:49 he has this blog come on in come on in
3:51 there's a seat right there and it has
3:52 your name on it
3:54 but basically my friend ray he writes
3:56 this blog called hellasecure.com
3:59 and he's like oh yeah what you do that's
4:00 called security champions that's what
4:02 you've been doing for years there's a
4:04 name for it
4:06 i was like i thought that was just
4:08 my friend on that dev team and my friend
4:10 from marketing and my friend from sales
4:13 that makes sure that really bad stuff
4:15 doesn't happen to our company
4:17 and so
4:18 eventually like by reading his blog
4:21 reading tons of blogs realizing that
4:22 there was a name for this i started
4:24 helping more and more companies do this
4:26 and i came up with a recipe
4:28 that i'm going to basically
4:30 because we don't have an hour
4:32 and so i want to be respectful of your
4:33 time i'm just going to explain the
4:35 recipe so the first thing i do is i
4:36 invite a whole bunch of people to be
4:38 champions i tell literally anyone that
4:40 will sit still and listen to me if
4:42 there's a
4:43 all staff i'm like hi i have two minutes
4:45 with you and i want to tell you about
4:46 this and i need your help and if you're
4:48 interested email me and so i just tell
4:50 everyone who will listen
4:52 and anyone who's interested in security
4:54 i'm forming this champions team and i
4:56 just need two hours a month from you
4:58 and two hours is like not that scary and
5:01 one of the hours is sort of optional
5:03 basically it's like i want to talk to
5:05 you once a month
5:06 i want to ask how is it going i want to
5:09 ask what you're working on and if you
5:10 need help and i'm going to help you with
5:11 security stuff and then the other hour is
5:14 i'm going to hold some sort of learning
5:16 thing
5:16 and if you could show up that would be
5:18 grand but if you miss a few i will live
5:21 and so then you have a few people so
5:24 let's say you have like four people but
5:26 you want 20 people
5:27 so continue so step two so first one
5:30 invite people so it's called recruiting
5:33 so whatever you want to call it just
5:34 invite them
5:35 don't force them against their will we
5:37 are adults no one likes that no one
5:39 wants to be voluntold
5:41 so then the second thing you do is you
5:42 engage them so you start learning about
5:45 them asking them about what they're
5:46 working on asking them what's coming
5:48 next what they need help with and
5:49 helping them you start teaching them
5:51 stuff holding lunch and learns or
5:54 presentations or whatever you want to
5:56 call it
5:57 and then more people will come and
5:58 people start talking and they're like
6:00 i'm a security champion and it didn't
6:02 even hurt
6:05 this security person has not yelled at
6:06 me one time
6:08 and that's pretty good right
6:10 and so as you engage them
6:12 and you teach them more
6:14 and you pay attention to them and give
6:16 them your time and attention
6:18 more of them will start to reveal
6:20 themselves and then invite them and so
6:22 at this point hopefully you have a bunch
6:24 of champions but maybe not as many as
6:26 you want you don't have one from every
6:27 team but you have quite a few
6:29 so then the next thing i start doing is
6:31 i start officially teaching them so it's
6:33 like let's say you're in marketing and i
6:35 want you to know these three things i'm
6:37 going to teach you how to do your job
6:39 securely and in hopes that you teach the
6:41 rest of the team
6:42 some things apply to everyone so like
6:44 let's say you have a password manager
6:48 and you want everyone to turn on
6:49 multi-factor authentication that's two
6:51 thumbs up that's even better but you
6:53 would teach everyone that but sometimes
6:55 you just want to talk to software
6:56 developers or network engineers or
6:58 operations folks
7:00 and so you'll have things that are just
7:01 for them
7:02 but as you start teaching them more
7:04 people are going to talk more people are
7:06 going to show up
7:07 and you're going to have that person
7:09 that asks a question every single time
7:12 or that person that emails you or that
7:14 person that shows up all the time you
7:16 should reach out and invite that person
7:18 to be a champion
7:19 sometimes people need a direct
7:21 invitation and this might sound really
7:23 stupid but there's a lot of people
7:25 that have imposter syndrome but who are
7:27 completely amazing and they have not
7:30 received the memo that they are
7:32 completely amazing and sometimes you
7:33 have to deliver that memo to them
7:36 and be like hey so i saw you at all the
7:38 lunch and learns and you ask really
7:39 great questions and you're like always
7:41 on top of all of the security bugs or
7:43 things that are important to you like
7:44 would you like to be a champion
7:46 and some of them will be like oh i don't
7:48 know enough i'm like that's cool
7:49 because i'm going to teach you i'm going
7:50 to show you how
7:52 and then
7:53 you might have to massage some of it be
7:54 like it's okay don't worry we can do
7:56 this trust me you're good enough but
7:58 then once you have enough champions and
8:01 you're teaching them regularly all the
8:03 things you need them to know and you're
8:04 talking to them at least once a month to
8:07 see
8:08 so i asked three questions what are you
8:10 working on
8:11 what are you working on next
8:13 and then do you need any help with like
8:15 literally anything i am your buddy and i
8:17 want to help you you're helping me how
8:18 can i help you
8:20 if you can just touch base with each one
8:22 of them once a month and keep doing that
8:25 and then have some sort of learning
8:27 session once a month
8:28 you can have a really good program but
8:30 if you want to have a fantastic program
8:32 so this is the end of the recipe so
8:34 there's three more things
8:36 so i have a question for all of you
8:37 first
8:39 who here has read either an article or
8:42 the book or a blog post or something
8:44 about the five love languages
8:47 okay awesome there was like no one in my
8:48 talk when i did this on monday
8:51 so the five love languages
8:53 are basically how people
8:55 feel that they're loved
8:57 and some of them are wicked
8:59 inappropriate to do at work like
9:01 touching don't do that
9:03 but you can recognize and reward people
9:06 so recognition would be words of
9:07 affirmation
9:08 so for instance you know how you told me
9:10 that your team was doing this thing and
9:12 you were worried about it i came in i
9:14 talked to them we improved it and now
9:16 they're all
9:17 have mfa, are doing the thing that i
9:19 really needed them to do without you
9:21 that couldn't have happened so thank you
9:23 putting a note in their performance
9:25 review to thank them for going above and
9:27 beyond and being a champion for you
9:30 it might sound really silly but making
9:32 like a little certificate that goes on
9:34 the wall in their cubicle or like a
9:36 virtual background in zoom or slack or
9:38 whatever the thing is that you use to do
9:39 your meetings
9:40 but to say like this person goes above
9:42 and beyond for the security team and we
9:44 value them and that is recognizing your
9:46 champions and a lot of people
9:49 feel loved when you recognize them i'm
9:52 one of those if my boss is like you did
9:53 a good job i'm like
9:56 and i would like that more than like a
9:58 free dinner or something like that
10:00 that's how i am but the other half of
10:01 people tend to be gift driven
10:04 and so i feel like we can give gifts
10:07 that reinforce the thing we want so for
10:09 instance
10:10 i wrote a book and i happen to think
10:12 it's great and if you come back to the
10:13 juniper
10:16 booth tomorrow and you will get a copy
10:18 of my book i believe
10:19 yeah so they're going to have 50 copies
10:21 i think to give away throughout the day
10:23 so come and say i saw this yesterday
10:25 well hi
10:26 come and say i saw this yesterday and
10:27 that you want a book i'm going to sign
10:29 them all today i mean i'm gonna
10:31 come in tomorrow morning and sign them
10:32 but i can't actually be here all day
10:35 um but the point is like if you can
10:37 give them let's say a yubikey or
10:39 give them a book about security that
10:41 relates to their job or let's say
10:43 they're doing marketing and you give
10:44 them a marketing privacy book or let's
10:46 say you buy them a ticket to rsa there's
10:49 so many things that you can do that is a
10:51 gift but that reinforces your awesome
10:53 message of like i
10:55 i really want you to keep doing cool
10:57 security stuff
10:58 i usually pair privacy with security you
11:00 don't have to do that
11:02 but i find it's pretty nifty to make
11:04 sure that they're obeying privacy rules
11:06 like gdpr
11:08 yeah
11:09 i've been i've been almost bitten a
11:10 bunch of times so i'm like pretty
11:12 nervous about that okay so now we have
11:14 done five of the six things so we have
11:17 recruited people we have engaged them we
11:20 have taught them we have recognized and
11:22 rewarded them
11:23 the last part of the recipe is the
11:24 really hard part
11:26 and that's that you shouldn't stop
11:28 you have to keep
11:30 going you are investing you know who
11:33 here has read the wealthy barber so
11:35 when i was younger like if you invest
11:37 money now you'll be rich later i'm like
11:38 but i'll be poor now and that sucks
11:41 right
11:42 but if you are investing in these other
11:44 employees
11:46 you're investing in their education
11:47 you're investing in their knowledge
11:48 about security you're investing in these
11:50 processes that help them be better
11:52 champions for you
11:54 don't stop this is the biggest problem
11:56 that happens with security champions
11:58 programs people start they do like 20
12:01 things the first month they do 10 things
12:03 the next month and the third month
12:04 they're exhausted and they don't do
12:06 anything for a year and then i usually
12:08 get some pretty cool consulting hours
12:10 out of it but that's not what i want
12:12 i want all of you to have successful
12:14 programs so if you can
12:16 pace yourself don't do five things the
12:18 first month do one thing for five months
12:21 and then you just did five awesome
12:23 months
12:24 if you can
12:25 share it with another employee so for
12:28 instance
12:29 i like to partner with awesome privacy
12:31 folks i know security is different than
12:33 privacy but i respect what they do and
12:35 so if i'm like you know what my june's
12:37 really crazy because there's rsa i'm
12:39 gonna be busy i'll ask the privacy folks
12:42 can you do a presentation for all the
12:43 security champions
12:46 and then you didn't stop and you didn't
12:47 miss a month if you have to miss a month
12:50 for some reason send them an email and
12:52 this might sound really cheesy but send
12:54 them an email and say hi everyone i hope
12:56 you're having a great summer vacation
12:57 well whatever we're not going to have a
12:59 presentation this month but
13:01 here's a podcast that i thought would
13:02 help you here's a video from rsa of this
13:06 talk that i thought really applied to
13:07 this thing we do at work or here's
13:09 whatever it is and then next month we're
13:12 going to do that i'm going to see you
13:13 all then i'm still here if you need me
13:15 send me a message
13:17 but this is what i have for you for now
13:19 thank you for being a champion i
13:20 appreciate you and then it sounds really
13:22 silly but i like to put a really silly
13:24 meme at the bottom to make sure that
13:26 they read to the end if you've ever seen
13:28 my newsletter if you haven't seen the
13:29 meme that means i know you didn't read
13:31 it
13:32 it works
13:33 and so with that
13:35 i want to thank all of you for coming to
13:37 this i want to thank you for coming to
13:39 see me and i want to ask who has
13:40 questions because i was really fast and
13:42 i bet there's a bunch
13:44 does anyone have any questions well
13:46 thank you how about this thank you
13:48 thank you
13:54 does anyone have questions you can ask
13:56 there and then i'll repeat it here and
13:57 you don't have to speak into a mic if
13:59 that's scary
14:04 yes so the recipe that i use is recruit
14:08 and so basically it means a lot of
14:09 invitations engage so become interested
14:12 in them become interested in what they
14:14 do pay attention ask them lots of
14:16 questions
14:17 two teach them teach them every single
14:20 thing that you need them to know to do
14:22 their job as securely as you wish they
14:24 would then recognize and reward i put
14:26 them as two separate ones it's important
14:29 you do both because some people it
14:31 doesn't matter how many nice words you
14:33 say if you don't give them a gift they
14:34 don't feel valued and the opposite is
14:37 true i don't want a $200 bonus i get paid
14:40 very well $200 is nothing i want to hear
14:42 my boss say you rock
14:44 and so do both to make sure you hit
14:47 everyone's kind of like feel
14:50 do not do uh the other love languages
14:52 because you might get in trouble
14:54 oh and then the last one is don't stop
14:58 thank you are there any other questions
15:01 does anyone have a program
15:04 at work do they have a security
15:05 champions program yeah
15:07 is anyone thinking of starting one
15:11 i have a blog series of 10 blogs in a
15:14 row where i drag this out with way more
15:16 details and metrics and how to measure
15:18 your program etc
15:20 if you go to wehackpurple.com
15:23 and it's free
15:24 we hack purple just has free stuff now we
15:27 got acquired
15:28 that means we don't have to we don't
15:30 have to like make money it's awesome
15:33 thank you everyone so much for coming
15:35 and i think that the juniper people
15:37 probably want to talk to you so thank
15:40 you very very much i really appreciate
15:42 it