Organizations focused on creating a security culture are looking for new, innovative ways to create security awareness and inspire employees at all levels to take ownership of security. One the strategies that they are adopting is a security champions program.
While the idea is not new — some leading enterprises have had these programs for at least a decade — Gartner predicts that the number of organizations with a security-champion strategy will grow from 10 percent in 2017 to 35 percent in 2021. Among the reasons that drive this growth are the low cost, a potentially high return on investment and the overall effectiveness of the program.
While many companies launching this program are in the tech sector, organizations of all sizes and from any industry can benefit from having security champions. By creating a network of employees who can serve as conduit for information dissemination, you’re adding another layer for communicating your security objectives. At the same time, you create an open dialogue with the security team and strengthen your security culture by giving others in the organization ownership of security.
Security Culture and Security Champions
Do you need to adopt a security culture before you can have a successful champion program, or do you create a security champion program so you can build a security culture? This may seem like a chicken-or-the-egg question. The simple answer is that the two are intertwined and you may be building the two in tandem.
You may not have a strong security culture yet — that’s why you need security champions after all, right? But at the very least, the organization’s leadership needs to understand why there’s a need for a cultural change and be willing to support the strategies you’re proposing for creating that change. And vice versa: you could likely achieve a security culture without champions, but you’d be creating a lot more work for your security team — and ultimately, you may be less successful.
To be effective, your program needs to have the following components.
Despite the paradigm shift that security is not an IT problem but rather a business problem, IT and cybersecurity teams still struggle to communicate the connection between cybersecurity and business objectives, especially if the organization’s mission doesn’t have a direct link to security. Before you can launch a program, you need to identify why there’s a need for it at your organization. This step will help you both lay the foundation for the program and sell it to your superiors and the high-level executives.
Some questions to ask yourself include:
- What problems are you trying to solve with this program?
- What challenges should be a priority?
- What do you hope to achieve through your security champions?
As PSCU’s chief information security strategist Gene Fredriksen recently wrote in Forbes: “A culture of security has to start at the top… The security culture at a company is just as important — if not more so — as the technology being implemented.”
You can’t have a security culture without the support of the leaders. The leadership of the organization needs to buy into the idea of a security-champion program. Your job is to build the business case for them: show how this will impact the business and why you need the program.
While generally speaking security champion programs can be low-cost, you’ll have to involve human resources at the very least. Additionally, you will likely need a budget to implement certain aspects of the program, such as training and perks.
Defined Roles and Responsibilities
Before you can recruit for your champion team, you’ll need to outline what the expectations will be for your champions. Consider what qualifications you may want your champions to have, but don’t limit yourself to people who are “techy.”
Your champions will need to be strong communicators first and foremost. You’re not looking for tech or security gurus for this role because you’ll develop the champions into experts through training.
The champions need not be department heads, but you do want leadership qualities because you’ll be empowering them to initiate their own activities rather than giving them a fully prescribed action plan.
Based on a survey of more than 600 employees across one organization, researchers from the University College London found that the attitudes toward policy and behavior types varied broadly in the company’s divisions. According to the researchers, this demonstrates that “security champions cannot be uniform across the organization, but rather that organizations should rethink the role of security champions as diverse ‘bottom-up’ agents to change policy for the better, rather than communicators of existing ‘top-down’ policies.”
“We find that investing solely in security champions who rigidly follow policy misses opportunities to involve the wider organization in shaping of effective and workable security,” the researchers wrote in their paper, published by the Internet Society. Before you set off to recruit your champions, your security team needs to understand the value of proactive champions who don’t blindly follow policies but rather help identify the disconnect between policy and process and can assist in closing the gaps.
Besides outlining the roles and responsibilities for your ambassadors, you’ll need to assign roles for the central security team. Who will manage the program? Who will serve as the contact point for the champions? Who will develop the training? What will your security team need to do differently once the program is in place?
To communicate your message broadly across your organization, your champions need to represent a diversity of roles, departments geographies and so on. Recruit them by asking for volunteers or for nominations from team heads.
The champions need to be influencers with their peers and the communities they represent. They need to be passionate about impacting change and understand why it’s important. Be prepared to meet with candidates face-to-face or via video link for a conversation about the role of champions as well as the rewards they’ll receive.
Multiple Communication Channels
Your security champion program should include a mix of tasks — some will be structured activities and regular meetings and others more ad-hoc that the champions may initiate in their own communities. You’ll need to support consistent communication at several levels and through different channels. If your organization is already using tools such as Slack, Yammer or Skype, take advantage of them.
Regular meetings with your team of champions every couple of weeks can help keep everyone in sync with goals, provide feedback on initiatives and brainstorm new ideas. Outside of regular meetings, make sure you engage the champions in conversations — they should be able to easily ask your security team questions and share successful strategies with each other.
Training and Support
As with any program, a multi-step training plan will help you onboard the champions and provide continuous training. In addition to training sessions, you’ll need to prepare toolkits and other materials for your champions to use.
As you’re developing your security-champion program, questions to ask include:
- How will you train the champions?
- What resources will you make available to them?
- What are the key topics, best practices and strategies you want them to learn?
- What training formats can you provide?
Some ideas for training and support include:
- Live interactive training sessions
- Guest speakers from outside the organization
- Online modules with quizzes
- Email newsletters with updates and security industry news
- Resource library with relevant books and articles
- Networking and brainstorming sessions
- Materials that cover both technical knowledge such as common types of attacks and process knowledge such as governance requirements
To incentivize your team, you need to reward and recognize your champions. The perks may vary from developing new skills and visibility to financial rewards. A few ideas include:
- Professional development opportunities that tie into the champions’ performance plans
- Credits toward professional security certifications
- Annual awards program, complete with plaques and monetary rewards
- Recognition at department and company-wide meetings
Metrics and KPIs
To show the return on investment and measure how well the program is working, you’ll need to create measurable goals ranging from short to long-term and come up with metrics and key performance indicators (KPIs). The same needs to be in place for the champions so each are working toward individual goals.
Measurable goals may range from the knowledge growth of your team and participation in the program to improved risk posture in each community and across the organization. Create a baseline for metrics related to user behavior, security incidents, security-training participation and so on, so you can understand the long-term impact of this initiative.
Launch Is Only a Start
Once you establish the program, you’ll need to maintain interest among your champions through the various activities as well as build up your pipeline, so you can both expand the team and replace champions who move on. Reaching out to new hires will help build up the pipeline and foster relationships with the next generation of champions.
Expanding the reach of the program should become easier as your champions gain more visibility and you share successes throughout the organization. Enthusiasm is contagious, but your job of keeping the excitement alive among your security champions will never end.
Fostering a culture of security, Forbes
Finding security champions in blends of organizational culture, University College London
Security champions playbook, OWASP