I’ve had this blog post floating in my head since I came back from RSAC 2022, as I related two pieces of content I was recently exposed to. One of them is Ricardo Ferreira’s book “Policy Design in the Age of Digital adoption” (full disclosure: a friend who asked me to review his book and which I’m very glad he did) and Chris Romeo’s talk at RSAC on “Elite Security Champions – Build Strong Security Culture in a DevSecOps World” which was the best I’ve seen on the subject, by a long margin and how (intuitively or not) Chris applied so many of the concepts I saw explained in Ricardo’s book. Ricardo delved deep into public policy research to find what governments have been doing about policy design for a long time and applied those same concepts on how we can approach the issue of digital policy design and adoption in our organisations.

The basic of policies and policy design

We first need to start with some basic structure and then I’ll apply to a specific use case.

A policy needs to start with the following:

Goal: what is the general idea behind this policy ?

Objectives: What is this policy going to be addressing ?

Setting: what are the environmental or contextual nuances of where this policy is going to be applied ?

We often start the activity of policy development with a flimsy aim to be certified to a standard, looking for the easy-wins of writing a document and forgetting about it without being deliberate about objectives and setting.

After we are clear about these, then HOW we go about implementing these and there are 3 key considerations for this

LogicHere we think about the preference for the type of instrument we’ll be using to implement policy. This can be coercive instruments (like enforcement or authorisation), suasion instruments (nudges, incentives and marketing tools), statistical instruments (data presented in impactful ways), financial instruments (bonus, subsidies, gifts) or social instruments (like volunteers or internal events)
Mechanicsthis specifies the specific instrument to be used. For instance, if we choose to apply suasion instruments we could decide for training as the mechanics
Nuancesthis specifies how instruments will be used as part of guidelines, policies or standards

As the author points out “policies can become very complex, as they usually require a mix of goals and instruments, making them prone to becoming inconsistent or lacking coherence by mixing too many diverging instruments”

And finally, once we have all of these defined which should assess our work according to the 3Cs of good policy design.

Consistency – ensuring that instruments used remain aligned

Congruency – ensuring that instruments are aligned with the goals

Coherency – ensuring that goals are aligned

I’d highly recommend the book for a more in-depth view of its content, but this is the bare minimum to position what I’m about to write next and the application to a specific use case of using this approach.

Developing policy to support a Security Champions goal

Now, this is the section of this blog post where, inspired by Chris Romeo’s brilliant talk at RSA, I start associating principles and ideas from both from the perspective of policy and policy design.

So let’s start at the top, how could we frame the need for a policy to enable the effective creation and sustainability of a Security Champions programme ?

Goal: To create a vibrant security community in the organisation, defined as “a virtual team of engaged developers, architects, software managers, testers, and similar roles (product adjacent) that extends the experience and knowledge of a central security team deeply into product/development teams” [Romeo] as means to scale security expertise without the financial burden of significantly increasing the size of the security team

Objective: Policy will address the establishment of a security champions programme that will include branding considerations, executive buy-in, recruitment and retention, career development, program development, incentives for participation and communication across the organisation

Setting: This programme will have global reach, and as such needs to consider participation across differing time zones and local cultural norms that may require positioning of the programme and message to be effective. It also needs to consider goal conflicts and how to ensure continued commitment to the programme by those participating and driving it for sustained success.

NOTE: this was the context that Chris Romeo shared in his talk

Thinking about the HOW of let’s look at these in turn.

Logic: Chris decided to apply most types of instruments we defined earlier: coercive (only for the executive buy-in, more on this later), suasion, statistical, financial and social instruments as the way to holistically deploy this policy

Let’s look at the mechanics of each instrument used

coerciveExecutive buy-in (programme authorisation)Ensuring authorisation of the programme by the Execs, and not as grass-root only initiative where it would be competing for resources in an unauthorised fashion
suasionbrandingengagement with marketing and designing of logos/mascots alongside distribution of swag (lanyards, tshirts, stickers)
suasionaccess to educationadvanced training, degrees, exclusive learning events, cross-organisational collaboration, and career advancement opportunities (pivot into security), security days or conferences, master’s degrees, book of the month club
suasioncommunication with managementupdating direct managers of those involved, sending newsletters and high level reports to keep engagement and communicating contributions made by their employees
suasionlocal time constraintsensuring that champions meetings happened in local timezones (in consideration of the globalisation challenge) to make it easier for those interested to join
statisticalExecutive statisticspresentation of security champion programme metrics to keep Executive interest in the programme (total count of champions, distribution of champions across business, champion education and champion flaw density – comparing security outcomes between security champions vs non-security champions as proof of impact)
financialcash rewardsI believe this was in the form of retail vouchers for continued participation (I didn’t keep note of this particular one, apologies)
socialyearly opt-inevery year, security champions have to positively acknowledge they wish to renew their commitment for another 12 months. This ensures that people are both interested and invested and we don’t get a “dormant” community
socialacknowledgement and recognitionrecognition through newsletters article and management/executive exposure
socialindustry visibilitysupport to build content for security conferences and external-facing articles
socialvolunteer-based membershipat least to start with, this ensured initial members were highly invested and interested in being there to create social proof internally for the success and engagement of the programme
socialtournaments / internal CTFanother mechanism to promote social interactions of employees interested in security and promote a collaboration across organisational boundaries
socialcreation of Slack/teams channelensuring that security champions have a place to discuss and share ideas

From the 3C’s perspective

There were numerous instruments used by Chris in order to enact this policy, and what I believe is beautiful is how they’re all mutually supportive and not in direct conflict with each other, and the strategy mostly relied on a combination of suasion and social instruments which is exactly what you want when others involved actually already have a day job and role responsibilities that are competing for their time and attention.

Now, let’s think for a minute what Chris COULD have done but didn’t and reason about the effects it may have had (this is counter-factual reasoning which I’m generally not a fan, but serves as simulation)

This programme was very successful and still going strong years after Chris left the company. I’ll posit the following:

  • Had it included from the start coercive tactics such as mandatory membership (voluntold), obligation to achieve certain targets, fully tracked attendance and reporting to management etc, I DOUBT that this would’ve been successful
  • Had it not had consideration for timezones, and expecting people across the planet to take time out of their personal lives to participate, only the most interested would join and global success probably wouldn’t have happened
  • had the financial incentives been structured in a way as to be “too good” generating perverse incentives and gaming of metrics, it would’ve likely attracted people with the wrong mindset or with motivations incongruent with the goal of the programme to begin with
  • had communication with management and executive buy-in alongside champion flaw density reporting not be part of communications, line management under the pressure of “faster, better, cheaper” would probably have eroded programme efficacy over time

So let’s specifically look at the 3C’s of good policy design we’ve discussed at the beginning:

Consistency – ensuring that instruments used remain aligned

Constant communications at exec and management level, with powerful presentation of statistics and on-going effort in marketing and access to education ensured the instruments remained aligned and consistent

Congruency – ensuring that instruments are aligned with the goals

this policy enactment, making copious use of social and suasion instruments and avoiding the use of coercive instruments, is congruent with the goal of creating security champions which by definition are not dedicated security resources to ensure engagement over time

Coherency – ensuring that goals are aligned

Goals are clearly aligned with the need to scale security knowledge across the company without resorting to the significantly increasing headcount in the security team as providers of that service and negatively affecting value creation chains by requiring hand-offs for all security work. This is coherent with having an agile and sustainable organisation where knowledge exists at the time of need and in the context of value creation

Parting thoughts

One of the things that most excites me is combining the expertise and knowledge of different professionals and highlight how experts so often do things because it makes sense to them intuitively, though may not have the language to fully articulate why. Both Ricardo and Chris are clearly experts, and combining their content can hopefully give us all new language we can use to improve security outcomes for our own organisations and be more strategic about how we think about security transformation