Did your Security Champions program fail, or did your org do something silly and ill-advised and stick a "Security Champions Program" label on it? Way too many orgs try to "Shit Left", dumping security accountability on team members, declaring them "Champions", and providing them wildly insufficient support.

And then leaders are confused that this fails, and ultimately decide that champions programs don't work.

Champions aren't "bonus staff" for the security team. They're trusted partners in building a security culture.

A Security Champions Program should work more like a Safety Warden program. The goal is to create a network of people who act as liaisons between their teams and the professional security teams. As a bonus, you get a network of trained rapid-responders when there's a high-priority issue.

Champions are empowered to make routine security decisions, educated to help their teams follow the security policies and programs that apply to them, and relied upon to provide valuable feedback to the security teams about places where the program can be less disruptive or otherwise improved.