Critical Components of Implementing a Successful Security Champions Program
Organizations focused on creating a security culture are looking for new, innovative ways to create security awareness and inspire employees at all levels to take ownership of security. One the strategies that they are adopting is a security champions program.
While the idea is not new — some leading enterprises have had these programs for at least a decade — Gartner predicts that the number of organizations with a security-champion strategy will grow from 10 percent in 2017 to 35 percent in 2021. Among the reasons that drive this growth are the low cost, a potentially high return on investment and the overall effectiveness of the program.
Phishing simulations & training
While many companies launching this program are in the tech sector, organizations of all sizes and from any industry can benefit from having security champions. By creating a network of employees who can serve as conduit for information dissemination, you're adding another layer for communicating your security objectives. At the same time, you create an open dialogue with the security team and strengthen your security culture by giving others in the organization ownership of security.
Security Culture and Security Champions
Do you need to adopt a security culture before you can have a successful champion program, or do you create a security champion program so you can build a security culture? This may seem like a chicken-or-the-egg question. The simple answer is that the two are intertwined and you may be building the two in tandem.
You may not have a strong security culture yet — that's why you need security champions after all, right? But at the very least, the organization's leadership needs to understand why there's a need for a cultural change and be willing to support the strategies you're proposing for creating that change. And vice versa: you could likely achieve a security culture without champions, but you'd be creating a lot more work for your security team — and ultimately, you may be less successful.
To be effective, your program needs to have the following components.
Clearly-Identified Goals
Despite the paradigm shift that security is not an IT problem but rather a business problem, IT and cybersecurity teams still struggle to communicate the connection between cybersecurity and business objectives, especially if the organization's mission doesn't have a direct link to security. Before you can launch a program, you need to identify why there's a need for it at your organization. This step will help you both lay the foundation for the program and sell it to your superiors and the high-level executives.
Some questions to ask yourself include:
- What problems are you trying to solve with this program?
- What challenges should be a priority?
- What do you hope to achieve through your security champions?
Leadership Support
As PSCU's chief information security strategist Gene Fredriksen recently wrote in Forbes: "A culture of security has to start at the top… The security culture at a company is just as important — if not more so — as the technology being implemented."
You can't have a security culture without the support of the leaders. The leadership of the organization needs to buy into the idea of a security-champion program. Your job is to build the business case for them: show how this will impact the business and why you need the program.
While generally speaking security champion programs can be low-cost, you'll have to involve human resources at the very least. Additionally, you will likely need a budget to implement certain aspects of the program, such as training and perks.
Defined Roles and Responsibilities
Before you can recruit for your champion team, you'll need to outline what the expectations will be for your champions. Consider what qualifications you may want your champions to have, but don't limit yourself to people who are "techy."
Your champions will need to be strong communicators first and foremost. You're not looking for tech or security gurus for this role because you'll develop the champions into experts through training.
The champions need not be department heads, but you do want leadership qualities because you'll be empowering them to initiate their own activities rather than giving them a fully prescribed action plan.
Based on a survey of more than 600 employees across one organization, researchers from the University College London found that the attitudes toward policy and behavior types varied broadly in the company's divisions. According to the researchers, this demonstrates that "security champions cannot be uniform across the organization, but rather that organizations should rethink the role of security champions as diverse 'bottom-up' agents to change policy for the better, rather than communicators of existing 'top-down' policies."
"We find that investing solely in security champions who rigidly follow policy misses opportunities to involve the wider organization in shaping of effective and workable security," the researchers wrote in their paper, published by the Internet Society. Before you set off to recruit your champions, your security team needs to understand the value of proactive champions who don't blindly follow policies but rather help identify the disconnect between policy and process and can assist in closing the gaps.
Besides outlining the roles and responsibilities for your ambassadors, you'll need to assign roles for the central security team. Who will manage the program? Who will serve as the contact point for the champions? Who will develop the training? What will your security team need to do differently once the program is in place?
Cross-Functional Representation
To communicate your message broadly across your organization, your champions need to represent a diversity of roles, departments geographies and so on. Recruit them by asking for volunteers or for nominations from team heads.
The champions need to be influencers with their peers and the communities they represent. They need to be passionate about impacting change and understand why it's important. Be prepared to meet with candidates face-to-face or via video link for a conversation about the role of champions as well as the rewards they'll receive.
Multiple Communication Channels
Your security champion program should include a mix of tasks — some will be structured activities and regular meetings and others more ad-hoc that the champions may initiate in their own communities. You'll need to support consistent communication at several levels and through different channels. If your organization is already using tools such as Slack, Yammer or Skype, take advantage of them.
Regular meetings with your team of champions every couple of weeks can help keep everyone in sync with goals, provide feedback on initiatives and brainstorm new ideas. Outside of regular meetings, make sure you engage the champions in conversations — they should be able to easily ask your security team questions and share successful strategies with each other.
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
Training and Support
As with any program, a multi-step training plan will help you onboard the champions and provide continuous training. In addition to training sessions, you'll need to prepare toolkits and other materials for your champions to use.
As you're developing your security-champion program, questions to ask include:
- How will you train the champions?
- What resources will you make available to them?
- What are the key topics, best practices and strategies you want them to learn?
- What training formats can you provide?
Some ideas for training and support include:
- Workshops
- Live interactive training sessions
- Guest speakers from outside the organization
- Online modules with quizzes
- Email newsletters with updates and security industry news
- Resource library with relevant books and articles
- Networking and brainstorming sessions
- Materials that cover both technical knowledge such as common types of attacks and process knowledge such as governance requirements
Rewards System
To incentivize your team, you need to reward and recognize your champions. The perks may vary from developing new skills and visibility to financial rewards. A few ideas include:
- Professional development opportunities that tie into the champions' performance plans
- Credits toward professional security certifications
- Annual awards program, complete with plaques and monetary rewards
- Recognition at department and company-wide meetings
Metrics and KPIs
To show the return on investment and measure how well the program is working, you'll need to create measurable goals ranging from short to long-term and come up with metrics and key performance indicators (KPIs). The same needs to be in place for the champions so each are working toward individual goals.
Measurable goals may range from the knowledge growth of your team and participation in the program to improved risk posture in each community and across the organization. Create a baseline for metrics related to user behavior, security incidents, security-training participation and so on, so you can understand the long-term impact of this initiative.
Launch Is Only a Start
Once you establish the program, you'll need to maintain interest among your champions through the various activities as well as build up your pipeline, so you can both expand the team and replace champions who move on. Reaching out to new hires will help build up the pipeline and foster relationships with the next generation of champions.
Expanding the reach of the program should become easier as your champions gain more visibility and you share successes throughout the organization. Enthusiasm is contagious, but your job of keeping the excitement alive among your security champions will never end.
Sources
Fostering a culture of security, Forbes
Scaling DevSecOps: Take a page from the security champions playbook, TechBeacon
Finding security champions in blends of organizational culture, University College London
Build a network of champions to increase security awareness, Gartner
Phishing simulations & training
Security champions playbook, OWASP
In this Series
- Critical Components of Implementing a Successful Security Champions Program
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness