How to Build a Network of Security Champions Within Your Organization
Improving security awareness with specialized programs is essential for small businesses and large corporations alike, but is it enough?
According to Joanna Huisman, research director at Gartner: “The problem is that these traditional security awareness approaches are not flexible enough to meet the cultural or local needs of diverse audiences, especially in global corporations.”
See Infosec IQ in action
Gartner suggests a security champions program can help “accelerate your security message” at little or no cost to company. Internal gurus with different skills can act as security mentors, researchers, moderators, negotiators, and trainers.
Enterprises may benefit from building such a network of security champions (NoSC) that will promote and improve the security behaviors of employees in the long-term. It looks like it is a good time to jump on the bandwagon, before your competitors do. Gartner predicts: “By 2021, 35 percent of enterprises will implement a security champion program, up from less than 10 percent in 2017.”
What Is a Security Champion?
OWASP defines this role player as:
- An active member of a team whose brief it is to help decide if and when to engage the “real” security ninjas in the basement. Membership in this team does not exclude them from membership of other teams; in fact, their role as a champion usually requires this person wears multiple hats
- A member of a product or other type of team that acts as the "voice" of security for it, e.g. the finance department might select Sue to act as their security liaison on issues relating to finance, and Joe might be the security voice for Human Resources
- The go-to person who assists in the triage of bugs and other security issues for their team
We will mention some alternative models for the champion role in the conclusion. First, let’s explore what is a Network of Security Champions (NoSC) and how we can build one.
What Is a NoSC and Why Do You Need One?
A NoSC is an integrated team of employees who have committed to taking time and making the effort to work with their colleagues to assist the official security team and improve on an organization’s current and future security.
- A NoSC is made up of internal staff members who have specialized and diverse skills. These skills may range from employees with security expertise to people who have the different skills (and time and patience) to implement the program, e.g. trainers, writers and researchers
- The goals behind a NoSC are to utilize existing skills in an organization, spread the training load, share learning and upskill employees with new knowledge
- A NoSC can contribute to positively changing the perception of security policies, create a feeling of camaraderie, build stronger relationships between teams, unite staff at different levels in a common goal and develop a knowledge-sharing, assistance culture
- The benefits include a reduction in the official security team’s workload, a faster and more effective feedback channel of communication between official security and the rest of the company, the fostering of a culture of security, a reduction in security incidents and the identification of factors (change resistors) holding security improvements back
- For champions, benefits may include access to the latest technologies, liaison with executives, paid certification training, sneak previews of R&D projects, and even a new career path
In this article, you will learn how to build a network of security champions in your organization, step-by-step:
- Documenting a plan of action (PoA)
- Gaining support
- Building the network
- Presenting the role
- Implementation
Documenting a Plan of Action (PoA)
If it is not written down, it stays only an idea.
Before you get everyone fired up, you need to document a PoA. The first step is creating a security playbook with emphasis on how employees will fit into the framework. You can do this using the Software Assurance Maturity Model (SAMM), from OpenSAMM. The framework also helps you to identify security risks and create benchmarks to measure the success of your program.
OWASP’s VirtualWare case study describes how the organization created a security roadmap using SAMM. Stages two and six in the below diagram are where NoSC comes in, the creation of informal security response teams.
(Source: OWASP)
Gaining Support
Your roadmap in place, it’s time to get support for the program by raising excitement. But first, you should present your PoA to management and business leaders.
In “The Impact of the 6 Principles of Influence on Cybersecurity” the author suggests: “Organizations can substantially improve how they address the human aspect of cybersecurity by utilizing the tactics of their cyber-antagonists to change behaviors and reduce risk.” One “weapon of influence” that can be utilized is the Authority Principle, which suggests that people tend to follow people who seem to be confident they know what they are doing. When creating a NoSC program, it is important the company’s leadership explicitly lend their support to the project and lead by example.
Your first champion will be the person who has the skill and nous to come up with innovative ideas to kick-start the program and relay the NoSC message to employees. It could be as simple as having an informal team lunch (with free pizza) or a more formal department workshop (with free pizza).
Chris Parkerson from Adobe Security says a primary goal when Adobe engineering started developing a NoSC was to lower security overhead in the SDLC and change the perception of the official security team as one bent on making developers’ jobs more difficult. “In order to promote security knowledge throughout the large Digital Marketing engineering organization, I created a human ‘botnet’ of security champions,” he wrote. “These champions come from positions all over the organization and coordinate with our security team to facilitate ongoing management and enforcement of our SPLC process.”
Building the Network: Channeling Resources
The first thing you need to do is decide whether you are going to create a team-based program (choose a representative from each team in the company to be the team champion) or skill-based program (choose the best people for the job from the entire pool of company employees), or a combination of both. Which route you choose depends on your organization’s requirements and setup. A small business may not have clearly delineated teams while a larger organization with multiple, large teams may find a team-based model easier to manage.
There is a third option. LinkedIn’s engineering department made building a NoSC a relatively simple process that can be adapted for most companies’ needs. Where they differed from other programs is that the goal was to train engineers without any security experience to get security certification.
- Call for nominations – In LinkedIn’s case, all engineers could nominate themselves or a colleague. Nominees had to explain why they were a good candidate for being a champion.
- Select participants – The security team then selected a pool of participants based on candidates’ skills and ensured there was balanced representation across teams.
- Create a buddy system – Each champion was paired with a “buddy” on the security team and assigned actionable milestones.
- Train the champions – At LinkedIn, each iteration of a program runs for six months. The first three months is dedicated to training. LinkedIn chose the Stanford Advanced Computer Security Certificate Program.
- Work on milestones – During the second three months of LinkedIn’s NoSC program, champions and their buddies worked on the security projects they were assigned.
Some insights from LinkedIn’s NoSC:
- The organization had a Capture the Flag (CTF) competition where team were tasked to solve challenges based on common security vulnerabilities. This gave the champions hacking experience and encouraged their interest in the underworld of real-world cybersecurity
- The buddy system works “because it is exclusive and personal, and both parties can learn from each other.”
- According to LinkedIn, “Through participation in the program, Champions can take advantage of a valuable career advancement opportunity by gaining new skills and becoming knowledgeable resources for their teams. Since its creation, the Security Champions Program has successfully graduated more than 50 Champions.” Organizations should ponder the potential long-term cost savings in creating champions internally rather than recruiting externally as the need arises, or after they have been breached.
Presenting the Role: Who, What, When, Where, How and Why
You will possibly want to create two team roles: department representatives and skills gurus. A department representative would be the liaison between a group, department, or team and the official security team. A skills guru would be a person who would teach, foster, mentor or assist employees on security issues.
OpenSAMM will help you to define champion tasks and responsibilities but there are some practical considerations to take that will ensure the program operates efficiently, has official status, and doesn’t become a “flash in the pan” idea. For instance, if the NoSC team members don’t have a place they can meet regularly, people will start rescheduling “till further notice”, a place in time that, frankly, usually never happens.
TechBeacon provides a few tips to get started:
- Define the role descriptions – What are the champions’ roles and responsibilities? Some ideas: investigating security reports, liaising with official security, writing a checklist of best practices, participating in new development planning, collating user issues, investigating new security software applications and so forth
- Nominate champions – Who is going to investigate bug reports and present them to the official security team? Encourage volunteering; anyone can become involved, e.g. graphic designers can create NoSC posters to market the program internally and drum up interest
- Set up communication channels – When are champions going to meet up? Where are champions going to meet up? How are champions going to communicate? Schedule a regular time and place for champions to meet and standardize communication channels, using a messaging app like Slack for chatting or Jira to manage tasks. You will also need an administrator to monitor these channels so that people don’t abuse them with unrelated content
- Maintain interest – Training workshops, newsletters, regular intranet updates and a notice board next to the coffee machine will all help to remind people the NoSC is an important, ongoing project. You can also provide opportunities for employees to learn new skills or pay for them to get a security certification, and offer recognition and rewards for their input over and above the call of duty, like a meal voucher for two for an employee who presents a weekend security workshop
Implementation – A Measure of Success
The last step in your PoA is to measure the success of your program. You should have benchmarks in place that you created using SAMM. The framework includes:
- A module to measure projects against company compliance standards and security goals
- Use of scorecards to demonstrate improvements against initial benchmarks and capture performance scores at regular intervals
- Maturity level analysis, e.g. success metrics examples to test if an organization is performing at a required level
Conclusion
In conclusion, let’s summarize the three NoSC models you could consider for your organization. The goals are the same: to harden security, take pressure off the official security team, provide opportunities for employees to learn new skills, create a security culture of awareness, and improve incident response. A NoSC is a cost-effective way to do this and if you do it right, its efficacy is measurable.
NoSC models
- Buddy model – Employees with no security experience team up with an employee from the official security team and are mentored to become security experts. In this model, the employee spends time studying towards security certification and simultaneously works hand-in-hand with the security employee to solve real-world security issues. The employee eventually graduates as a cyber security champion.
- Skills model – In smaller companies, anybody can become a champion and they all belong to the core champion team and perform different roles, based on either existing skills, or skills they commit to learning and passing on to their colleagues. The team would include members who are prepared to put in time to assisting the security team on an ad-hoc basis
- Teams model – In larger organizations, teams appoint a champion to liaise with the security team. In this model, champions are security ambassadors for their teams. Their role is to be the go-to security person for a particular area or department
Where to Next?
- Learn more about designing a security champions program
- Learn how to nurture security champion developers in an AppSec team
Sources
Build a Network of Champions to Increase Security Awareness, Smarter With Gartner
Security Champions, OWASP
Software Assurance Maturity Model, OpenSAMM
The Human Aspect: The Impact of the Six Principles of Influence on Cybersecurity, Intuition
The 6 Principles of Persuasion, Influence at Work
Building a Team of Digital Marketing Security Champions, Security @ Adobe
Scaling LinkedIn’s Security Champions Program, LinkedIn Engineering
See Infosec IQ in action
Scaling DevSecOps: Take a page from the Security Champions Playbook, TechBeacon
In this Series
- How to Build a Network of Security Champions Within Your Organization
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness