Okay, so the roles are defined, now it's time to nominate the Champions! To pass this step smoothly, you should first get approval from management on all levels - from top management to product owners down to direct team managers. Even though this is a classic "top-down approach", it is an extremely important part, as it removes the worst argument you can hear: "I had no time for security". Prepare a presentation of the defined roles, the benefits for the team, and the approximate time a Champion would spend on security tasks - 20% should be enough for the beginning.
Once the approvals are obtained, the next step is to identify potential Champions. Sit down together with the team manager, select the candidates and conduct mini-interviews with each of them. Remember - it's not appointing but nominating! Describe the role, expectations and strategy, and show them the personal benefits of becoming a Champion:
- self-development and ability to look at things differently
- increasing their value on the job market
- improving quality of the product
- attending security conferences
- becoming an important part of the security meta-team
- having fun :)
In the worst-case scenario, ask the team manager for help finding one - although hopefully you'll get the Champion right after the first presentation.
The final step here is the official nomination - add them to the meta security team page, replacing the interim "security contact" with "Security Champion" (see Phase 1), think of some sort of "insignia" like mugs, and introduce the newcomer to the others.
Great job nominating your Champions! As the program evolves and Champions come and go, it is important to establish an onboarding routine. Common steps are:
- Introduce newbies to the other champions
- Announce new joiners company-wide
- Add them to all communication channels
- Introduce the knowledge base and include them in the training cycles
- Assign the first task
- Have periodic 1:1s