Teaching security champions
Blog post from Semgrep
Security champions are engaged most effectively when their training is limited to what they need to know to do the job, with no filler. The core curriculum should cover secure coding, threat modeling, secure architecture, code review, and bug fixing, and these sessions should be repeated annually.

Beyond training, the program should set clear expectations and goals for champions, give them the organizational policies that apply to their work, and involve them in writing and refining guidelines. Practical tool skills matter as well: either help champions select the tools they will use, or bring them into the selection process so that they understand and adopt them. Finally, actively inviting feedback and consultations makes champions feel heard and valued, which in turn improves the effectiveness of the program.