Security champions: How to identify them and use them for your security awareness program

In all of our blogs and Live Cyber Security Awareness Forum Panels, there’s one term that’s always mentioned: Security champions. Need to build a positive security culture? Use your champions. Need to encourage training completion? Use your champions. Are you looking to educate your employees on remote work security habits? Use your champions. 

Photo by Giorgio Trovato on Unsplash

Security champions act as intermediaries between departments, relaying important information such as policies, training requirements, and industry news to their teams. They also help their team by acting as a guide for proper security behaviour and can become their go-to person for reporting suspicious behaviour or asking security questions. In short, your security champions are your brand ambassadors for your security team. 

Identifying your potential champions

Not everyone in your organization can be a security champion. You need individuals with a keen interest in security and a desire to promote good security practices. A security champion should have the following characteristics:

• Enthusiastic about security 
• Excellent communication skills 
• Respected by their colleagues
• Some background knowledge of technology

To identify them, check for individuals who have taken extra cybersecurity training or completed all their training on time, seem interested whenever you have done workshops or training, are looking for voluntary assignments, and are passionate about developing their knowledge about security.

Create a list of potential security champions, but at first, keep it small until you are ready to have a security champion on every team. Once you’ve created a list of potential security champions, consider connecting with them face to face (or ask for a coffee chat over Zoom if that’s not possible). Explain why you’ve chosen them, how they would affect the security of the organization, and any commitments they would need to meet. 

Note: Becoming a security champion does require a slight increase in your employee’s workload. If you cannot financially reward or give tangible gifts or gift cards, ensure that you provide your security champions with the verbal recognition and appreciation that they deserve.

Security champions in action

Training

Security champions require targeted training to enable them to assess their colleagues’ security knowledge and develop security-focused habits. This training should involve interactive sessions covering significant security threats and how to mitigate them, phishing prevention techniques, and best practices for safeguarding sensitive data.

Create customized groups for your security champions using Click Armor’s new customized group training tool. Book a call to learn more. 

Consider hosting a workshop with all of your champions to explain how they can integrate these issues into everyday conversations, encourage training completion, and handle breach reports within their team. Also, host continuous meetings with your security champion team so they never feel disconnected from you and their purpose. 

Main tasks

The security champion’s main responsibility is to motivate their colleagues to take their role in enhancing security seriously and encourage a positive security culture. More specifically, security champions are typically required to:

• Increase daily conversations on security culture: Start water cooler conversations about security, ask their team what they thought of training, etc. 
• Monitor team progress on training: Encourage and remind their team to complete any training and gather feedback afterwards.
• Encourage policy implementation: Help implement new policies within their team as they are released and address any employees not following rules. 
• Receive breach reports and address questions: The champion acts as the identified lead of security on their team and addresses any questions or issues on their team and reports it back to the security team. 
• Inside threat watch: The security champion is also responsible for understanding insider threats and reporting any suspicious activity back to the security team. 
• Be a role model: Complete any training and attend events with enthusiasm to encourage their team to follow. 

Before assigning your champions any tasks always pick a main goal that you can always come back to. This way, your champions can understand the goal of the program and feel purposeful when completing these tasks. 

Benefits of having security champions

Not only will having a security champion team increase the positive tone around security in your culture but it will also save your company money by creating: 

1. Reduced Security Incidents – A survey by Nominet found that organizations with a Security Champion program were 65% less likely to experience a data breach than those without one. This indicates that Security Champions play a vital role in promoting security best practices and creating a culture of vigilance within the organization.
2. Enhanced Employee Engagement and Awareness – Security Champions act as advocates for security within their respective teams or departments. By promoting security best practices and providing guidance, they help increase employee awareness about potential security risks and the importance of cybersecurity. This leads to a more informed and vigilant workforce that actively participates in safeguarding the organization’s digital assets.
3. Improved Incident Response – Security Champions play a crucial role in identifying and mitigating security threats at an early stage. Their technical expertise and familiarity with their department’s operations enable them to recognize vulnerabilities specific to their areas. By acting as the first line of defence, they help prevent incidents from escalating and contribute to faster incident response times, minimizing potential damage.

Cyber Security Awareness Month is closer than you think, so start scanning your organization for individuals who look like potential candidates for becoming a security champion. Begin implementing training and hosting continuous meetings to get them up to speed and use October as a kickstarter to officially introduce the Security Champion Team. But, whether it’s for CSAM or not, if you begin implementing security champions into your program you’ll start to see an impact on your overall security culture and on the strength of your security awareness program.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.