[00:00:00] Camille Morhardt: Hi, and welcome to this episode of What That Means. Today, we’re going to talk about security champion and we have with us Roman Zhukov, who is a security champion himself at Intel in the Software and Advanced Technologies Group. Welcome to the show Roman.
[00:00:17] Roman Zhukov: Hello dear listeners. Hi Camille, thanks for having me.
[00:00:20] Camille Morhardt: It’s really great to have you here. I want to ask you, true to form, in the first couple of minutes: could you just informally define what a “security champion” is?
[00:00:30] Roman Zhukov: Yeah, sure. Often the case is that the term security champion is perceived as a specific job, or just even yet another buzzword; but there is not actually one specific definition, it evolves over time. But I would like to clarify that it is more of a role, not a position. The primary purpose of a security champion is to help incorporate good security practices and to spread a security-first mindset and culture in all aspects of company daily operations. This is a person, a site team or a business group that advocates and, most importantly, adopts corporate security policy, taking into account the other side’s business reasons and established processes in this particular business group.
The goal of a security champion is to be an enabler, not a blocker. I can compare a security champion with some kind of a business partner with whom the other employees feel comfortable talking without worrying that they are bothering someone who may have more important concerns and so on.
[00:01:41] Camille Morhardt: So is it generally like a security champion is assigned within a product division and then they’re kind of the liaison with the security group, who is creating and maybe more in depth on the policies and processes and different methodologies for security that’s kind of at a corporate level?
[00:02:02] Roman Zhukov: Yes. I think there are several models. How can security champions be a science actually? So sometimes they can share work in time, have different roles. For example, not full-time security champions, the responsibility of a security champion is to ensure that their team is ready to meet security needs.
So a security champion can also perform the hard security stuff like threat monitoring or threat modeling and intelligence gathering to keep their team up-to-date on the latest security trends, threats, antics, and so on. Does it mean the centralized corporate security team model is dead? No, because the core expertise and governance remain in their hands. Originally the term security champions came from software development.
However, I observe more and more in my practice that firms in different industries, not only in tech, apply this approach. Accounts in manufacturing or IT, of course, they should follow corporate security policy. Right? And influencers from these divisions who have to really understand that security is not a feature, but a part of daily life.
[00:03:24] Camille Morhardt: Okay. That makes sense. And there are some external trainings available that people could take to give them certificate or status that would allow them to take on that role, even if it wasn’t a formal role.
[00:03:38] Roman Zhukov: Sure, sure. External trainings are available because firstly you should be trained as a security champion, even though you have some background in security, and of course you should always be up-to-date. And then the purpose is to spread this given knowledge to all the teammates.
[00:04:01] Camille Morhardt: So I want to get right into the hard questions. If you’re a security champion and you’re familiar with the policies and requirements and best practices that maybe a central security group is developing on behalf of the company.
But you’re sitting in a product division, which is a common layout, like you say, not always a common layout, then you’re also dealing with a lot of the pressures of schedule, shipping a product on time, making sure you’re optimizing the product for whatever features you’ve decided are going to help sell the product which may or may not include some of those security best practices.
I would imagine that often security champions might feel a lot of pressure from the product-side of the house and a lot of pressure from the security-side of the house. How do they deal with that? How do they kind of reconcile those two?
[00:04:55] Roman Zhukov: I think this is the era when the security-first mindset starts to play. So imagine that nowadays consumers or even corporate customers are relying on technologies or on products or services provided by big companies, and they are supposed to trust enough and usually do nothing in securing them by themselves.
That’s why we really need the people inside a business group who can explain that security really matters. They’re talking about hard decisions. Often during my professional career, I hear this perception of what should be first, security first or business first? The thing is, security is no longer a product feature or company’s feature; it’s part of the normal functionality of our organization.
That’s why as a security champion, you really need to empower it. So spread that knowledge to make sure that we’re all good from a security perspective. Also, mature companies are even setting specific KPIs for security champions, with both targets, so business parts and security parts. I think that helps to address all these concerns about producing on time and so it’s secure.
[00:06:34] Camille Morhardt: Yeah. And I know that the integration of product development life cycles and security development life cycles has been a trend, right? So I think things like that probably help. We kind of back it up so that you’re not doing a security review at the very end pre-ship and discovering a whole bunch of problems that you have to go address; you’re finding them along the way. I’m wondering if you can talk about how the role of security champion has evolved over the last few years.
[00:07:05] Roman Zhukov: I believe when the term first appeared about seven or eight years ago, security champions were part of a special application security or development team, and their job was to learn or understand security basics and possible issues.
The champion would then help bridge the gap between development and security or IT and security. So two departments often battle with one another and it’s still true for some teams, of course, for now. However, the concepts of security champions and overall idea has emerged a little bit.
From my perspective, security champion now has less of a technical role and more and more of a spiritual one. In this version, a security champion is someone who serves both as mentor and cheerleader engaging with and encouraging all employees to learn, adapt, and remain committed to security policy or product.
These champions may not have as deep an understanding of security as someone in InfoSec, for example, or IT or centralized security team, but they know enough to answer at least basic questions and serve as a bridge between InfoSec gross, really secure to experts in your organization and their ordinary employees.
What trends I have been observing over the past two or three years is the real domains of nominating security champions inside non-technical departments. Another interesting point is that formerly, a security champion was a voluntary, unpaid role, and they did that just for fun or for some other personal reason.
[00:09:00] With the increasing importance, incentives grow as well to involve the best influencers to participate in this role. Those that are interested in security matters or are perhaps considering a career shift into information security may see this as a good way to get acquainted with policies and really to connect with other professionals.
[00:09:26] Camille Morhardt: I want to talk about the old argument of carrot versus stick, because whenever you’re dealing with something like security, you’ve got both sides of that coin, you’ve got compliance and then you also have, I think, it’s emerging or becoming more built in, the idea that actually recognizing people might be more effective or maybe a first layer before you hit compliance. So can you talk about that change if you’re seeing it? And of course, if it intersects with the security champion role, how that works.
[00:10:04] Roman Zhukov: Historically security has always been perceived as a stick actually as something established by the management, but by the security authority sense should be followed just because you must. Of course, centralized policies should be included and some sorts of control, like metrics does make sense, but that’s not enough in today’s world.
When we tried to implement security spirits into the product development, for example, security is often perceived as something unclear and only in the light of, “Okay, we don’t like that stuff, but we have to do it. We got a lot of tasks, they are boring, but we really have to complete them all.” As a result, teams often end up with only minimal compliance, which is far away from the nature of today’s cybersecurity.
So, I see the focus shifting from just following their compliance, to acting like a last fortress. To effectively struggle with modern adversaries, just to realign policy and establish requirements or running your scanning tool is not enough. Why? Because implementing alone they cannot help to grow security mindsets and to make these cultural shifts.
So, excuse the champions of your business units or of your group should vote for running security improvement programs and should represent you as a team in front of other security central organization. That’s include security community building, for example, and not boring training approach.
[00:11:51] Camille Morhardt: Did you just say not boring training approach? Fun things like capture the flag or belts, belts, security belts, or various things that people can have fun with, and kind of show off that they’ve achieved certain levels, as opposed to just a mandatory training I have to click through with kind of no fun and no outward benefit to me.
[00:12:14] Roman Zhukov: That’s true. So like a belt program, like a rewarding program. It does make sense, especially for technical guys who always want to do something unusual, something special to achieve or solve some tasks. Not just click some buttons, as you mentioned; they really want to win the battle. That’s why things like CTF, I mean, the competition between teams to break something, et cetera, is a good approach to train your personnel in security.
[00:12:50] Camille Morhardt: So my last question is going to be the ever present question in any company which is, I would love to have a security champion in every product group within every division, but I probably don’t have the resources to do that. So how do you leverage security champions, or how do you deal with the fact you’re not going to have enough resources and can security champions kind of help you bridge any gaps?
[00:13:16] Roman Zhukov: Great question. I would start with cybersecurity is widely unfair, right? A hacker needs to succeed only once to get what they want; while a business needs to succeed every day to prevent that from happening. Right? That’s why they’re all security champions. So crucial when we are talking about limited resources, I always ask for what. Probably if we just justify the reason we could find these resources.
So the solution is, for example, automate everything. And, because automation makes security easier and reduces the burden on understaffed and under-resourced security teams. When considering automation strategies, security must be adapted to the business processes and not expect business units to adapt to security.
That’s the key points. So security champions play a crucial role because they guide product team. What security practices, trends, or tools, contemporary, and how to implement them consistently in each product division. There are several tasks; we really need strong security architects or major security experts no doubt, like a planning product concept or threat modeling or et cetera.
We should ultimately start to think like a hacker, trying to break the products. From my perspective, it’s a bit simpler to train technologists, specific domain experts, for example a cloud professional or network guru or operating system or IT infrastructure professional, in security than the other way around.
According to my practice up to 90% of daily security tasks can and should be completed natively by teammates, by workers with a help from security champion without central security team engagement. So that’s why it’s important.
[00:15:39] Camille Morhardt: So it’s relatively scalable or they can help scale. Okay. Very interesting.
Roman, where are you from originally?
Roman Zhukov: I am from Russia.
Camille Morhardt: And you used to work at a company in Russia, is that right? What were you doing there? What was the company?
[00:15:52] Roman Zhukov: So I worked for different companies; for a system integrator. I was gaining experience as an engineer and then a security architect for different infrastructure.
So then I joined the biggest telco operator here in Russia, like AT&T or Deutsche Telekom, Rostelecom, and helped to build the cyber security business. So actually we made the first Russian-made MSSP, managed cybersecurity service provider, in the Russian market. Finally, after that I joined a cyber security vendor, like a McAfee, where I was responsible for both business development and our own security, like building SDL, security development lifecycle, DevSecOps practices, et cetera. So as a result, this variety of roles and experience right now helps me think in different senses and allows me to look from different angles when I face advocating security to business, for example, or advocating business to security.
[00:17:10] Camille Morhardt: Well, it’s been really interesting talking with you and I appreciate your giving us the time. Hey, I appreciate it. And, we’re both now part of Intel security center of excellence. So it’s been really good to talk with you. Thanks a lot.
[00:17:36] Roman Zhukov: Thank you very much for having me today.