After the release of the Threat Modeling Manifesto, which was a gigantic success, both as a collaborative working group amongst fifteen Threat Modeling experts, and as the seminal work defining the essence of threat modeling, Marc French, Adam Shostack, and I talked about what we could do next to improve the world of application security.
We identified a need for a document that helps people new to Security Champions build a program. We created a new working group to create similar work to the TM Manifesto for Security Champions.
We waffled between creating a Security Champion Manifesto, a framework, a book, or a series of blog posts. Ultimately, the Champion group lost steam when circumstances pulled various team members, including me, away from the project at the time.
From the beginning of the effort, I had envisioned that the output should be a framework and a maturity model for Champion programs. My vision was a document that would capture various maturity levels across the most important pillars of a program.
My thoughts crystallized in various talks I delivered in 2022. I started at RSA with a talk entitled “Elite Security Champions Build Strong Security Culture in a DevSecOps World,” a recording of which can be found on YouTube: https://youtu.be/9gVM93a1H1I. I delivered a refined version for the ISC2 Security Congress, where I fleshed out the initial categories of the Security Champion Framework.
The framework categories are based on my experience running a large-scale Champion program at Cisco from 2011-2016 and consulting on and advising various Champion programs from 2017-2022. I’ve collected feedback from other practitioners and program builders. I want the framework to be larger than my own experience and to capture the experience of experts from around the globe.
Using the words of the framework itself, “The Security Champion framework exists as a measuring stick and a roadmap. As a measuring stick, the framework allows leaders to measure how well their champions program performs. As a roadmap, the leader can use the measurements as input and build a plan to improve their program by applying updates towards a higher framework level.”
The framework is divided into five high-level areas, each with one to four sub-areas.
| Area | Description |
|---|---|
| Planning | Planning includes the activities needed to scope the program and build a strategy. |
| People | People includes recruiting, retaining, capturing commitment from, and onboarding new champions. |
| Marketing | Marketing includes the branding of the program and its communication plans. |
| Execution | Execution includes the program pillars, coaching, education, and globalization efforts. |
| Measurement | Measurement includes metrics for demonstrating the value generated by the program. |
The Framework is released under the CC-4.0-Sharealike license. We are accepting PRs as feedback and additions to the framework. Please dive deeply into the framework, put it into use, and let us know of anything we missed: https://github.com/edgeroute/security-champion-framework