Scaling LinkedIn's Security Champions Program

Co-authors: Pavi Ramamurthy and Angel Liu
 

Three years ago, LinkedIn was looking to boost its internal security initiatives and encourage engineers to develop expertise in this crucial area. While there were many off-the-shelf certification programs available, we found that the best way to achieve these goals was to create an in-house Security Champions Program. As part of the program, members of the LinkedIn Information Security Group engage, mentor, and train selected engineers—or “Champions”—to become more security-aware, providing high-impact training and eventually guiding them to be the “voice,” or first point of contact, for security for their own teams. Through participation in the program, Champions can take advantage of a valuable career advancement opportunity by gaining new skills and becoming knowledgeable resources for their teams. Since its creation, the Security Champions Program has successfully graduated more than 50 Champions.  

Security Champions playbook

We’ve found immense value in our Security Champions Program and think that other organizations might benefit from adapting the program to address their own needs as well. That’s why we’ve decided to “open source” the program by sharing our playbook—a guide to how we run our Security Champions program. It is our hope that the ideas and tactics outlined below can assist other interested groups in creating their own versions of the program. After all, better security benefits all of us!

Who is a Security Champion?
A LinkedIn Security Champion is passionate about information security, dedicated to protecting LinkedIn against security threats, and committed to increasing security awareness for his or her team. Champions spend 25% of their working time during the program on these issues.

What do Security Champions do?
Upon successful completion of the program, Security Champions become security resources for their teams, often driving security improvements within their teams and products. While the Information Security Group maintains ultimate responsibility and oversight for security, Champions can assist with design reviews and also serve as the first point of contact for security incident response for their teams.  

Who can become a Security Champion?
No prior infosec knowledge or training is required to become a Security Champion. Any engineer who has good situational awareness for his or her team, is interested in learning about information security, and is passionate about protecting LinkedIn while strengthening its security posture is an ideal candidate for the program.

How does the Security Champions Program work?
Managed by the LinkedIn Information Security Group, each round of the Champions program runs for a period of six months. The first quarter is dedicated to security training, and the second quarter to achieving milestones, such as completing security-oriented projects.

The program begins with a call for nominations. Anyone who works in engineering can nominate someone, including themselves. The easy nomination form requests basic information and responses about why the candidate would be a good choice for the program. Once the nominations are received, the security team selects a pool of participants, ensuring representation across teams and skill sets.  

The selected Champions are then paired with “buddies” on the security team who work with them for the entirety of the program. Security buddies have frequent meetups with the Champions, working off of a customized “tour of duty”—a set of actionable security milestones or projects. Since each Champion is unique, so too is their tour of duty. The buddies make sure that training stays on track to be completed in the first quarter and that the champions are fully engaged and motivated. This one-to-one pairing works well because it is exclusive and personal, and both parties can learn from each other.

Security training materials are developed in-house at LinkedIn and are supplemented by the Stanford Advanced Computer Security Certificate Program. After investigating various outside training options for our champions, we decided on the Stanford program because it offered a well-rounded curriculum on overall security design principles, including concrete programming techniques, network security, cryptography, and mobile security, to name a few. The program also enabled Champions to complete the online courses at their own pace. All training is completed by the first quarter and also includes ad-hoc presentations from members of the security team on technologies, best practices, and processes.

The Stanford trainings are the foundation for Champions to define and execute their tour of duty in the second half of the program. However, the Champions are also looking for hands-on platforms where they can practice what they’ve learned in the trainings. Last year, we introduced a Capture the Flag (CTF) competition to the program for the first time. The Security team built security challenges for the CTF based on the most common vulnerabilities we see in the security world and let the Champions discover them during the competition. This new addition to the program gave all the Champions real “hacking” experience and took their interest in security to the next level.

The LinkedIn Security team has seen an overwhelming response and interest in the Champions Program, and we are constantly refining the program based on feedback from the Champions themselves. The long-term plan is to continue to evolve the program, and within 4-5 years, we hope to have graduated about 100 Security Champions in total.

Feedback from Champions and lessons learned

The Security team constantly listens to feedback from past graduates on their program experience and incorporates that feedback into the program. We would like to share some of those lessons learned and key takeaways from the graduates, as this feedback may be useful for others thinking of implementing similar programs:

  • Tom: “I had a great time going through the program and enjoyed the CTF event. I recommend that we have monthly CTF challenges and add more hands-on labs.”
  • Crystal: “It’d be nice to have workshops or mini-talks tying the material being taught to security experiences or practices at LinkedIn specifically.”
  • Priyanka: "Security should not be an afterthought. Think about security at project inception."

As the creators of the program, we are constantly evaluating the effectiveness of the program and the ROI that it brings to LinkedIn. One of our key challenges has been to keep our Champions invested in the program with respect to their time commitment. Given regularly changing and conflicting work priorities, committing 25% of an individual’s time to security training for a period of six months continues to be a challenge for both the Champions and their buddies. As a result, some Champions have chosen to extend their six-month program in order to complete all the work at a slower pace, while others have taken a break to come back at a later time.

Program elements

Each round of the Security Champions program involves security training, mentorship, defining and executing the tour of duty, and a chance to participate in LinkedIn’s Capture the Flag competition.  

Dedicating the time
Champions, on average, are expected to spend at least 10 hours per week on training, working with their buddies, or actively executing on their tour of duty. It’s an important feature of the program, however, that these 10 hours are on LinkedIn’s time—in other words, the Champions are replacing 10 hours of work they’d normally do every week with the Security Champions programming instead. To make sure that this is a feasible arrangement, part of the nomination process for the program requires a commitment from the prospective Champion’s manager that they can dedicate that much time each week to the program, instead of to typical job responsibilities.

Buddies, on average, spend about 2 hours per week mentoring their Champions. The buddies have regular sync ups with their Champions, where they answer questions the Champions may have during the trainings, work with them on defining their tour of duty, and of course provide guidance on any security-related topics.

The one-to-one connection
Another important aspect of the program is the one-on-one mentoring relationship the Champions have with their buddies. Although this does limit how many Champions we can accept into each program cycle, we feel that this direct mentorship has immense benefits. It allows the Champions to learn about security in a way that’s tailored specifically to their backgrounds, expertise, and daily job responsibilities. This maximizes the value of the program for each Champion.

Creating mutually-beneficial relationships
One of the best parts of our Security Champions Program is that it benefits both the company as a whole and the individual participants. As a company, we strengthen our security practices by increasing and diversifying the number of engineers with security experience. Through their efforts, Champions have helped gain traction on bugs, tighten up infrastructure, conduct security reviews, and more.

On an individual level, Champions benefit from the program by gaining security skills and experience that serve them well in furthering their careers in technology.

Acknowledgements

The Security Champions Program would not have been possible without the support from our executive team, and the tireless work and dedication from our teams in House Security: Assessment, Assurance, SEEK, and the Ecosystem team.

Some of the Champions with their buddies