Skip to content
InTechnology Podcast

#73 – What That Means with Camille: Security Champion

In this episode of Cyber Security Inside What That Means, Camille talks with Roman Zhukov, Product Security Manager at Intel about Security Champions and their roles in product development. The conversation covers:

  • What a Security Champion is, and what they do in a product team.
  • How the role of a Security Champion has changed over time with new security needs.
  • How to encourage Security Champion and cybersecurity training effectively by using the carrot over the stick.
  • Who is responsible for what parts of security in product development.

And more. Don’t miss it!

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Here are some key takeaways:

  • The definition of what a “security champion” is evolves over time. The purpose is to put security first and incorporate it into every part of a company. They educate, they adopt policy, they communicate, and they help enable positive security change.
  • A security champion can be a liaison between a product division and a security group.
  • Their job is to ensure their team is ready to meet security needs.
  • You can be trained to become a security champion, even if it isn’t your formal role. They can spread knowledge to teammates.
  • This is so important because users often will trust big companies or services to provide security – so much so that they won’t do anything in securing themselves. So, we need someone on the product team reminding people of that and making sure security is a first priority.
  • Companies that have been doing this a while and have made good strides in security have KPIs for both the business parts and the security parts. 
  • Originally, security champions were the bridge between the two departments (security and another like development or IT). The two sides used to battle one another, and a security champion helped them through that. Now, though, they serve more as a person who is encouraging employees to learn and to stay committed to security policy. They don’t know as much as someone in the security team, but they can answer questions and relay info. 
  • In terms of thinking about the carrot vs. the stick tactic of getting people to think about security and be compliant with requirements, historically security has always used the stick. But what they’ve found is that the stick (do it because you must) only gets minimal compliance, which isn’t enough in today’s world. The carrot comes into play with making training fun and desirable to do. Make it a competition, and change your approach to training your personnel in security.
  • Having security champions is worth finding resources for. They guide the product team, and help the team to start thinking like a hacker. Try to break the product, and then develop something to prevent that from happening.
  • We need more daily security tasks (about 90%) to be completed by the native team with help from a security champion, instead of going to the central security team. 

 

Some interesting quotes from today’s episode:

“Often the case is that the term security champion is perceived as the specific job, or just even yet another buzzword. But there is not actually one specific definition, it evolves over time.” – Roman Zhukov

“Influencers from these divisions who have to really understand that security is not a feature, but a part of daily life.” – Roman Zhukov

“I think this is the era when security first mindsets start to play.” – Roman Zhukov

“The thing is, security is no longer a product feature or a company’s feature. It’s part of normal functionality of our organization.” – Roman Zhukov

“I know that the integration of product development life cycles and security development life cycles has been a trend, right? So I think things like that probably help. We kind of back it up so that you’re not doing a security review at the very end, pre-ship, and discovering a whole bunch of problems you have to address; you’re finding them along the way.” – Camille Morhardt

“Just to realign policy and establish requirements or running your scanning tool is not enough. Why? Because implementing [those] alone, they cannot help to grow security mindsets and to make these cultural shifts.” – Roman Zhukov

“Cybersecurity is widely unfair, right? A hacker needs to succeed only once to get what they want, while a business needs to succeed every day to prevent that from happening.” – Roman Zhukov

Share on social:

Facebook
Twitter
LinkedIn
Reddit
Email

[00:00:00] Camille Morhardt: Hi, and welcome to this episode of What That Means.  Today, we’re going to talk about security champion and we have with us Roman Zhukov, who is a security champion himself at Intel in the Software and Advanced Technologies Group. Welcome to the show Roman. 

[00:00:17] Roman Zhukov: Hello dear listeners. Hi Camille, thanks for having me.

[00:00:20] Camille Morhardt: It’s really great to have you here. I want to ask you a true to form in the first couple of minutes, could you just informally define what is a “security champion”?

[00:00:30] Roman Zhukov: Yeah, sure. Often the case is that the term security champion is perceived the specific job, or just even yet another buzzword; but there is not actually one specific definition, it evolves over time.  But I would like to clarify that it is more of a role, not a position. The primary purpose of a security champion is to help incorporate good security practices and to spread a security-first mindset and culture, and all aspects of company daily operations. This is a person, a site team or a business group that advocates and most importantly adopts corporate security policy, taking into account the other sides, business reason, and established processes in this particular business group.

The goal of security champion is to be an enabler, not a blocker. I can compare a security champion with some kind of a business partner with whom the other employees feel comfortable talking without worrying that they are bothering someone who may have more important concerns and so on.

[00:01:41] Camille Morhardt: So is it generally like a security champion is assigned within a product division and then they’re kind of the liaison with the security group who is creating and maybe more in depth on the policies and processes and different methodologies for security that’s kind of at a corporate level. 

[00:02:02] Roman Zhukov: Yes. I think there are several models. How can security champions be a science actually? So sometimes they can share work in time, have different roles. For example, not full-time security champions, the responsibility of a security champion is to ensure that their team is ready to meet security needs.

So a security champion can also perform the hard security stuff like threat monitoring or threat modeling and intelligence gathering to keep their team up-to-date on the latest security trends, threats, antics, and so on. Does it mean the centralized corporate security team model is that because the core expertise and governance remain in their hands originally the term security champions came from software developments.

However, I observe more and more in my practice that firms in different industries, not only in tech, apply this approach. Accounts in manufacturing or IT, of course, they should follow corporate security policy. Right? And influencers from these divisions who have to really understand that security is not a feature, but a part of daily life.

[00:03:24] Camille Morhardt: Okay. That makes sense. And there are some external trainings available that people could take to give them certificate or status that would allow them to take on that role, even if it wasn’t a formal role. 

[00:03:38] Roman Zhukov: Sure, sure. External trainings are available because firstly you should be trained as a security champion, even though you have some background in security, and of course you should always be up-to-date. And then the purpose is to spreads this given knowledge to all the teammates. 

[00:04:01] Camille Morhardt: So I want to get right into the hard questions. If you’re a security champion and you’re familiar with the policies and requirements and best practices that maybe a central security group is developing on behalf of the company.

But you’re sitting in a product division, which is a common layout, like you say, not always a common layout, then you’re also dealing with a lot of the pressures of  schedule, shipping a product on time, making sure you’re optimizing the product for whatever features you’ve decided are going to help sell the product which may or may not include some of those security best practices. 

I would imagine that often security champions might feel a lot of pressure from the product-side of the house and a lot of pressure from the security-side of the house. How do they deal with that? How do they kind of reconcile those two?

[00:04:55] Roman Zhukov:  I think this is the era when security-first mindsets starts to play. So imagine that nowadays consumers or even corporate customers are relying on technologists or on products or services provided by big companies and they are supposed to trust enough and usually do nothing in securing them by themselves.

That’s why we really need the people inside a business group who can explain that security really matters. They’re talking about hard decisions. Often during my professional career, I hear this perception of what should be first, security first or business first? The thing is security is no longer a product feature or company’s feature, it’s parts of normal functionality of our organization.

That’s why as a security champion, you really need to empower it. So spread that knowledge to make sure that we’re all good in security prospective. Also the mature company, even setting specific KPIs for security champions, both targets, so business parts and so security parts I think that helps to address all these concerns about producing in time and so it’s secure. 

[00:06:34] Camille Morhardt: Yeah. And I know that the integration of product development life cycles and security development life cycles has been a trend, right? So I think things like that probably help. We kind of back it up so that you’re not doing a security review at the very end pre-ship and discovering a whole bunch of problems that you have to go address; you’re finding them along the way. I’m wondering if you can talk about how the role of security champion evolved has evolved over the last few years. 

[00:07:05] Roman Zhukov: I believe when the term first appeared about seven or eight years ago, security champions were parts of a special application security or development team, and their job was to learn or understand security basics and possible issues. 

The champion would then help bridge the gap between development and security or IT and security. So two departments often battle with one another and it’s still true for some teams, of course, for now. However, the concepts of security champions and overall idea has emerged a little bit.

From my perspective, security champion now has less of a technical role and more and more of a spiritual one. In this version, a security champion is someone who serves both as mentor and cheerleader engaging with and encouraging all employees to learn, adapt, and remain committed to security policy or product.

These champions may not have as deep an understanding of security as someone in InfoSec, for example, or IT or centralized security team, but they know enough to answer at least basic questions and serve as a bridge between InfoSec gross, really secure to experts in your organization and their ordinary employees.

What trends I have been observing over the past two or three years is the real domains  of nominating security champions inside non-technical departments. Another interesting point is formerly, a security champion is a voluntary, unpaid role, and they did that just for fun or for some other personal reason. 

[00:09:00] With the increasing importance, incentives grow as well to involve the best influencers to participate in this role. Those that are interested in security matters or are perhaps considering a career shift into informational security may see this as a good way to get acquainted with policies and really to connect with other professsionals.

[00:09:26] Camille Morhardt: I want to talk about the old argument of carrot versus stick, because whenever you’re dealing with something like security, you’ve got both sides of that coin, you’ve got compliance and then you also have, I think, it’s emerging or becoming more built in, the idea that actually recognizing people might be more effective or maybe a first layer before you hit compliance. So can you talk about that change if you’re seeing it? And of course, if it intersects with the security champion role, how that works. 

[00:10:04] Roman Zhukov: Historically security has always been perceived as a stick actually as something established by the management, but by the security authority sense should be followed just because you must.  Of course, centralized policies should be included and some sorts of control, like metrics does make sense, but that’s not enough in today’s world.

When we tried to implement security spirits into the product development, for example, skewed often perceived as something unclear and only in the lights of, “Okay, we don’t like that stuff, but we have to do it. We got a lot of tasks, they are boring, but we really have to complete them all.” As a result, teams often ends up with only minimal compliance, which is far away from the nature of today’s cybersecurity.

So, I see the focus shifting from just following their compliance, to acting like a last fortress. To effectively struggle with modern adversaries, just to realign policy and establish requirements or running your scanning tool is not enough. Why? Because implementing alone they cannot help to grow security mindsets and to make these cultural shifts. 

So, excuse the champions of your business units or of your group should vote for running security improvement programs and should represent you as a team in front of other security central organization. That’s include security community building, for example, and not boring training approach.

[00:11:51] Camille Morhardt: Did you just say not boring training approach? Fun things like capture the flag or belts, belts, security belts, or various things that people can have fun with, and kind of show off that they’ve achieved certain levels, as opposed to just a mandatory training I have to click through with kind of no fun and no outward benefit to me.

[00:12:14] Roman Zhukov: That’s true. So like a belt program, like a rewarding program. It does make sense, especially for technical guys who always want to do something unusual, something special to achieve or solve some tasks. Not just click some buttons, as you mentioned, that they really wants to win the battle. That’s why things like CTF, I mean, the competition between teams so and so break something or et cetera, it is a good approach  to train your personnel in security. 

[00:12:50] Camille Morhardt: So my last question is going to be the ever present question in any company which is, I would love to have a security champion in every product group within every division, but I probably don’t have the resources to do that. So how do you leverage security champions, or how do you deal with the fact you’re not going to have enough resources and can security champions kind of help you bridge any gaps? 

[00:13:16] Roman Zhukov: Great question. I would start with cybersecurity is widely unfair, right? A hacker needs to succeed only once to get what they want; while a business needs to succeed every day to prevent that from happening. Right? That’s why they’re all security champions. So crucial when we are talking about limited resources, I always ask for what. Probably if we just justify the reason we could find these resources.

So their solution is for example, automate everything. And, because automation makes security easier and reduces the burden on understaffed and under-resourced security teams. When considering automation strategies, security must be adapted to the business processes and not expect business unions to adapt to security.

That’s the key points. So security champions play a crucial role because they guide product team. What security practices, trends, or tools, contemporary, and how to implement them consistently in each product division. There are several tasks; we really need strong security architects or major security experts no doubt, like a planning product concept or threat modeling or et cetera. 

We should ultimately start to think like a hacker, trying to break the products. From my perspective, it’s a bit simpler to train technologist specific domain experts. For example, such as cloud professional or network guru or apparition system, or IT infrastructure professional in security, then other way around.

According to my practice up to 90% of daily security tasks can and should be completed natively by teammates, by workers with a help from security champion without central security team engagement. So that’s why it’s important. 

[00:15:39] Camille Morhardt: So it’s relatively scalable or they can help scale. Okay. Very interesting.

Roman, where are you from originally? 

Roman Zhukov: I am from Russia.

Camille Morhardt: And you used to work at a company in Russia, is that right? What were you doing there? What was the company?

[00:15:52] Roman Zhukov:  So I worked for different companies; for a system integrator.  I was gaining experience as an engineer and then a security architect for different infrastructure.

So then I joined the biggest telco operator here in Russia, like AT&T or Deutsche Telekom, Ross Telekom, and helped to build cyber security business. So actually we made the first Russian-made MSSP managed cybersecurity service provider in Russian markets.  Finally after that I joined the cyber security vendor, like a McAfee, where I was responsible for both business developments and our own security like building SDL security development lifecycle, dev sec ops practices and et cetera. So as a result, this variety of roles and experience right now helps me think different sense allows me to look from different angles. When I face advocating security to business, for example, or advocating business to security.

[00:17:10] Camille Morhardt: Well, it’s been really interesting talking with you and I appreciate your giving us the time. Hey, I appreciate it. And, we’re both now part of Intel security center of excellence. So it’s been really good to talk with you. Thanks a lot.

[00:17:36] Roman Zhukov: Thank you very much for having me today.

More From

#88 – What That Means With Camille: Developer

Images of podcast hosts

#87 – Privacy Considerations in the IOT Era

WTM images of host and guest

#86 – What That Means with Camille: Threat Detection Technology – Stopping Cyber Risk at the CPU