Starting a Security Champion program is all about leveraging people within your organization. As Security Awareness Managers, we often forget to look outside of the security team for help. But building a Security Champion program can be one of the best ways to improve your overall security culture – you just need the right tools to do it.

That’s why I gathered security experts together for our 29th live Cyber Security Awareness Forum. Let’s meet the panel:

Eric Landry (EL) – Eric has been a Senior Cyber Security Professional Consultant for the federal government for the last 16 years and has a total of 24 years of experience in the industry. He also teaches with ThriveDX at multiple colleges, doing a cyber security platform for the next generation.

John Pritchard (JP) – John has been in the security world for the past 20 years. His career started as a frontline analyst in a security operations centre and he is now running a data protection advanced payment team at a large healthcare/insurance NFP.

Stephen Grant (SG) – Stephen is the Chief Operating Officer of Click Armor and has been with us for five years. Before that, Stephen ran a facial recognition program in one of the largest vendors in Canada.  

And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on security champions:

What are the benefits of having a Security Champion program?

JP: The benefit of having a program like this is that it really drives a lot of the security value for an organization outside of having to come from a risk-focused, formalized organization. So you can get innovation happening, where you have leaders or champions actually pulling security into your business rather than having it pushed upon them.

An interesting example of this is looking at DevSecOps engineering practices. When we look at DevSecOps and DevSecOps engineers, when you have teams building things out, implementing version control is huge. The moment you start putting your configuration changes into a version control system and even linking that into a ticket system, all of a sudden you’re rapidly moving into compliance. And from my standpoint, it’s like you’re pulling the security inside the organization, which makes your job easier.

SC: For me as a head of IT, having this come from within and having teams who are really enthused about anything is a huge boon to managers and to anybody who’s trying to get an adoption of something.

We had Slack Champions and when we started a security program, these people were coming and telling me they wanted to be champions for security wins, and I was surprised at that. But it’s both eye opening and pleasant just to see that happen organically.

EL: One of the benefits that I see in a Cyber Security Champions Program is that it stretches the arm of the security team. It extends it because having a security champion in your HR division or your marketing division or finance stretches the arm of the security team into those different departments and helps drive the security awareness and adds to the human-centric approach because it starts teaching from within.

SG: Security Champions also legitimize security. They make security accessible and real for non-security colleagues. They embody security as everyone’s job. If you’re working on any organizational culture, often you run into the issue that people will only adopt the culture if they see the bosses doing it and their peers doing it. So you really have to set a culture that says that this is normal behavior and it’s what you have to do to be part of this organization.

What are the key qualities that you should look for in a Security Champion?

SW: We’re looking for people who are passionate and really want to help and who will take on tasks for free that may not be part of their official duties. And we’re looking for people that have capabilities where there may be gaps within the official organizational structure and places where we’ve seen risks and people can help out with their skills.

We want to be able to communicate often with them in both directions, help them spread the word, but also get feedback from them and what they’re seeing out in the field. So, they have to be good communicators, but also good listeners. 

EL: Some of the key qualities you want to look for is somebody who’s actually enthusiastic about security. Shouldn’t really matter what department they’re in, as long as they can get excited and be an influencer in their organization around security. Because those types of people tend to drive and attract other people. 

JP: You want individuals that are leaders in the organization and I’m not talking about leading from a title perspective. They are the influencers. They have the ability to engage people’s minds, their hearts, their spirit, and get them to want to embrace change.

Yes, you must have the passion and the enthusiasm. But there’s also that curiosity, that growth mindset, that sort of continual hunger to learn new things. You also want people that understand change and the change cycle.

SC: For me, finding security champions is based on specific projects. For example, if there’s something that is regarding change, I try to get line managers to be security champions. This way it actually comes from the top down. And I always say working from the top-down is a huge help.

What are the challenges of running a Security Champion program?

EL: Over-evangelizing. Being out there too much or being in the way of productivity. You still want your folks to be able to do their job and to be secure in how they’re doing it. A lot of the people you will be recruiting won’t be security folks, so you have to remember that they have other roles, too. 

JP: You want to make sure that your champions are not doing this for themselves. This is not an ego thing or “I’m going to get a promotion” type thing. They’re really, genuinely there to try to make the organization a better place. And I will say hands down, there are tons of people in your organization like that.

SC: Just getting people who are enthusiastic at the beginning to show up and actually do what you ask later on. If it’s added on to their job, then it becomes, “How many hours do I need to do this?” And those kinds of challenges. This isn’t specifically for security champions, but also for just implementing new policies in general. 

If you’re looking to start a formal Security Champion program, this expert panel gave some great insights. While doing your search, don’t only focus on technical skills or certain titles, but look for people in your company who have great leadership qualities, are reliable, and show curiosity about cyber security. Once your program is implemented, you’ll notice that your job has become easier as the champions act as extra reach for your training and new policies. If you’d like to learn more about Security Champion programs, you can watch the full recording of the panel here.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.