Tuesday, January 12, 2016

Do you have Security Champions in your company?

Happy New Year 2016! I am continuing my series of posts on security topics of primary interest to businesses, as I mentioned in my first post on this blog. In this post, I focus on making sure you have some security-minded people on your team(s).

Starting the New Year Right

If you are like me, when the new year rolls around, you reflect on the past year and determine what worked and what didn't. You also make goals and plans for the coming year.

Because I focus on security, application security in particular, I usually think about the application security needs of my business and those of my clients. None of us wants to be in the headlines for a security breach. We know security is still important in 2016, but how do you make sure it happens? How do you make sure security is a priority in your products and services?

Early in 2015, there was a role mentioned in a few places around the internet that every software development team in a company should consider having: A Security Champion.

What is a Security Champion?

I first heard this term early in 2015 from Dinis Cruz in his blog post Does your team has a Security Champion? If not, get this Mug and Library and later What are Security Champions and what do they do?. There were a few others who talked about the role in 2015, including Gunnar Peterson in his blog post Security Champions Guide to Web Application Security.

Essentially, a Security Champion is someone on your software development team who takes on the responsibility of coordinating and tracking security issues and efforts. They are not responsible for implementing all security features in your products or services, but instead they help lead the efforts. They report status on security issues to the team leads. They also make recommendations and/or help make security decisions that impact your products and services.

Why do I need one?

You need a Security Champion on your team because security does not happen by accident. Also, while everyone should be thinking more about security in their everyday lives (i.e. don't blindly open that email attachment even if it seems like it came from someone you know, etc.), everyone can't focus on it exclusively. It helps to have someone or several people in your company who are more aware of security issues and who are willing to lead others in best practices.

My goals for 2016 and a challenge for you

This past year, and for several years, I have served as a Security Champion for my clients on several development teams and for several projects. I look forward to continuing to do so. In this past year, I also had opportunity to speak to more software developers in user groups and conferences about the Threat Modeling process and as I did I also tried to encourage a few to consider becoming Security Champions on their own teams.  I plan to keep speaking on these topics. In addition, I will also provide training for those who are also interested in being effective Security Champions.

My challenge to you: If you don't already have Security Champion(s) on your team(s), think about hiring one or determining who may take on that role. If you already have Security Champions, then by all means encourage them and help them be as effective as possible.

If you have any questions or comments, please leave them below or get in touch through my contacts below.

About Robert Hurlbut

Robert Hurlbut, owner of Robert Hurlbut Consulting Services, based in Enfield, CT, provides software security consulting, architecture, and training. This includes software development, threat modeling, secure code reviews, and other kinds of security audits for your company. If Robert can be of assistance to your company, please get in touch through the below contacts.

Web: https://roberthurlbut.com
LinkedIn: https://www.linkedin.com/in/roberthurlbut
Twitter: @RobertHurlbut

Upcoming security talk: Robert is speaking on February 9, 2016 on "Threat Modeling" at the OWASP Hartford Chapter meeting in Hartford, CT.


  1. Necessary information, that we don't always think about ahead of time...