Many companies use information security teams to manage and implement information security measures within the organization, and this practice is pretty standard. But aside from security teams, companies can also use Security Champions.
Security Champions are not part of the security team, but they enrich their respective teams/departments with information security knowledge and leadership that they provide to the other team/department members. This translates into a more integrated company that is better prepared for today’s information security landscape.
This article details a six-step checklist for establishing a Security Champions program within an organization's information security environment. If you can apply these steps to your organization, you will have a solid start on a Security Champions program.
1. Identify Security Champions
There are a few different ways to identify Security Champions within your organization. The first is to survey members of all teams in the organization. Include questions about their general interest in information security, followed by questions that narrow down their strengths and skills within the information security sphere.
Another great way to identify Security Champions is to incentivize the responsibility. Possible incentives include free lunches, preferred parking spots and a slight pay raise (where budget allows). Extra incentive on the job is a good way to coax engagement out of even the most reluctant employees.
You can also keep an eye out for employees with an affinity for security. Employees typically lean toward their interests on the job, and information security is no exception. For example, if you see someone in accounting advising a co-worker on how to avoid a phishing scheme, or hear a marketing team member speaking knowledgeably about a recent ransomware attack, you have possibly found a Security Champion. Sometimes employees will even self-identify as a Security Champion. If you do notice someone outside the security department with an interest in information security, the next step is to talk to that employee about becoming a Security Champion.
2. Define the Security Champion’s Role
It goes without saying that every organization has different needs with respect to the role of a Security Champion. Some organizations have a less mature security culture than others; organizations such as these will need their Security Champion to focus more on fundamental tasks including organizing security training, testing and implementing security policies. Other organizations with a more mature security culture will focus on higher-level security tasks — things like development of information security test cases and performing threat modeling. In either case, serving as a liaison with the organization’s security team will be standard fare for the Security Champion.
3. Capture the Attention of the Organization
Capturing the attention of employees is vital to the initial success of any Security Champions program and essential for nurturing the program within your organization. Remember that being a Security Champion is an auxiliary, volunteer position, so at least a spark of attention-capturing is required to attract the first Security Champions.
A good way to capture the organization's attention is to advertise your Security Champion program and the benefits that come with it, including on-the-job information security experience and possible incentives. If your organization does not yet have a program and you want to reach potential candidates, put up promotional posters and start an internal email campaign to attract attention and potential talent.
4. Set Up Communication Channels
Security Champions should also be the liaisons between their respective teams and the security team. An effective Security Champion gets to know the security team: they introduce themselves, discuss the goals they share with the security team and generally build the relationship.
Another essential part of the communication channel step is that Security Champions need to efficiently and effectively help resolve information security incidents. To this end, you can see just how important a good relationship with the security team is. Imagine if the Security Champion had a bad relationship with the security team: incident response would be obstructed, and the hero would become a zero.
5. Build a Solid Knowledge Base
While it is possible to have a security genius as your team's Security Champion, often this is not the case. It is more common to see someone who simply has an interest in information security serve in the role.
Being a Security Champion can entail a good amount of self-learning in order to serve competently. Sometimes Security Champions need to take classes or attend seminars to acquire the required knowledge. Whenever a Security Champion receives specialized education, there should be a knowledge repository where they deposit their notes, handouts and other evidence of this knowledge for easy access by the other Security Champions in the organization. A simple way to accomplish this is a shared folder accessible to all Security Champions. From my own personal experience as a Security Champion for a healthcare IT organization, this practice of maintaining a solid knowledge base was vital to the quick resolution of incidents on multiple occasions.
6. Maintain Interest
One of the most important factors in a successful Security Champions program, if not the most important, is maintaining interest in the program. This stems from the fact that being a Security Champion is not the Champion's main job at the organization, so when the workload and stress level of their main job go up, enthusiasm normally goes down.
To ward this off, make sure that the Security Champion program allows for learning, growth and new opportunities (such as the adoption of new information security technology). This will not only ensure that your current Security Champions thrive but also make it easier to attract new Security Champions to your organization's program.
Security Champions are quickly stepping to the forefront of many organizations' internal teams to provide better handling of security issues and incidents. The most interesting thing about Security Champions is that they can come from any team within an organization and help teach others on their team about the information security issues that affect their work.
If you are thinking of beginning a Security Champions program, or simply reviewing your current one, the checklist above will help you assess your current landscape so you can launch your own program or improve the one you already have.