A New Kind of Hero: Security Champion

In today’s world of malware, ransomware, hacking, phishing and other never-ending threats, the need for employee vigilance has never been greater. How does a company accomplish this, especially a large organization with many different locations, networks and departments? Increasingly, many are finding the answer is creating the role of security champion.

In this article, we’ll define what a security champion is, why your company needs them and how to get your employees on board.

Security Champion: A Definition

First of all: what is a security champion? There is no one specific definition, as the role has evolved over time. When the term first appeared about five years ago, security champions were part of an app sec or development team, and their job was to learn or understand basic security issues. The champion would then help bridge the gap between development and security, two departments that are often at odds with one another.

While that definition is still viable, a new concept of security champion has emerged that has less of a technical role and more of a spiritual one. In this version, a security champion is someone who serves as both mentor and cheerleader of sorts, engaging with and encouraging all employees to learn, adopt and remain committed to security protocols. These champions may not have as deep an understanding of security as someone in infosec or IT, but they know enough to answer basic questions and serve as a bridge between the infosec gurus and the ordinary employees.

Why You Need Security Champions

Security champions are an additional layer of protection and enforcement that adds more of a “human touch” than a traditional security officer or operations manager would. That is not to say those in infosec are icy, Spock-like people, but a security champion may be someone in an ordinary department with whom the other employees feel comfortable talking, without worrying they are bothering someone who may have more important concerns.

In larger organizations, especially those with more than one office, security champions serve as a network of their own. These champions can be the ones that ensure the latest security-related information is spread through their company offices.

Additionally, security champions can help with training and real-world simulations. For example, InfoSec Institute’s SecurityIQ program is a platform which consists of an educational unit (AwareED) and a phishing simulator (PhishSIM); while these can be administered remotely, it can be helpful to have someone in the office who can motivate employees to complete the training as well as answer questions. When creating phony phishing emails for the PhishSIM, a champion may have good ideas about which department/people to target to make the simulated attack seem more real.

In the case of an actual attack or breach, your security champions will prove to be essential in mitigating damage. Often, a major factor in successful phishing scams is the lag in reporting the incident, sometimes out of embarrassment or fear of repercussions. That’s another reason why a security champion should be someone that employees feel comfortable talking with.

How to Empower Your Employees to Be Security Champions

Usually, a security champion is a voluntary, unpaid position. This means you may need other incentives to get people to participate. For some of your most loyal employees, merely the title may be enough. Those that are interested in security matters or are perhaps considering a career shift into information security may see this as a good way to get acquainted with protocols and connect with other professionals. Other perks could be in the form of parties, gift cards or extra personal time off.

The first, most important thing you can do is set up your security awareness/education program. Working with your designated security officer (DSO), you’ll need to develop or enhance your security protocols and distribute throughout the organization. At this point, you may want to announce the new role of security champion and see if there are any volunteers, dangling a few perks if necessary. You may also want to pre-select a few candidates within the company that have shown an interest or proclivity towards security.

Once the security champions have been chosen, you may want to give them special training/assessments. After they’ve passed the course, they will be able to work with other employees to help them understand the importance of security.

If your organization is large, there may be a network of security champions that need to connect with each other; make it easy for them by creating a special online group or email thread. Keep them engaged and informed but try not to overwhelm them with too much information.

The role of security champion can also be treated as a temporary position, which can mean less of a commitment and perhaps encourage more applicants. This also allows you, over time, to train more employees about security, resulting in better overall vigilance and a greater sense of responsibility.

The threat landscape is constantly changing, and the time is now to get your security champions in motion. Good luck!

 

Sources

A Security Champion in the Developer Midst May Just Solve the Secure Code Conundrum, Security Boulevard

Security Champions, OWASP

Empower Your Employees to Become Security Awareness Champions, Security Intelligence