CIOReview | April 2017 | 19

you when you find yourself in the unfortunate position of having to respond to a crisis. If you have those existing relationships and buy-in from the top, it will be much easier to get the rest of the organization on your side. A good approach is for the central security team to align with its security champions across the organization. This helps open the lines of communication. For example, if the central security team is not brought into product development conversations early on, how can they weigh in on what improvements could be made to product revisions? It's a lot easier to get buy-in if a security champion, embedded in the product engineering team, can help the central security team prioritize and establish open dialogue with key stakeholders.

Extending beyond the central security team's typical comfort zone, security champions know their audience and speak the right language. The central security team may have a habit of coming to the table with a laundry list of things, in no particular order, that must be addressed. Rather than this approach, the central security team should work with the security champions to deliver collaborative, prioritized, data-driven arguments that outline what priorities should be addressed. Since the security champions sit on the product engineering teams, they know the products, and they also understand where security needs fit within product priorities. Security, reliability, performance and enhanced features are all ways to measure a product release's success.

There are several inflection points that can motivate an organization to get behind the security battle cry and put the need for a security champion program front and center. One example that presents an opportunity for security involvement early on is when an organization is considering an acquisition.
A proactive plan should be put in place so the newly acquired product portfolio can be quickly integrated into the software development lifecycle and so that processes are quickly adopted to follow the standards of the rest of the organization. Newly acquired products that are being folded into an existing portfolio need to be examined carefully and have security participation from the beginning. The central security team, in coordination with security champions, will focus on identifying potential complications that the newly acquired assets may bring and can ease potential growing pains. It's a good idea to identify security champions as early as possible to evaluate risks and make informed recommendations based on that assessment. Acquisition plans are typically put in place for HR and finance; the same needs to happen for security. You will also want to identify a specific security champion on the newly acquired team who can make suggestions, since they will have a heightened awareness from the perspective of the new investment.

If your organization does not have a security champion program in place, there is no better time than the present to get one organized. Once you have a program in place and execute well, your central security team will be viewed as an invaluable asset to the organization. Security champions are a critical part of maintaining a strong central security team. Your team will thrive with an open culture mindset and operate as an essential business partner across the organization. This ultimately benefits the entire business, a win-win for all parties involved. Security champions are a great way to build strong relationships outside your central security team and a crucial step in maintaining a security-aware culture.