You’ve got your Security Champion programme set up, so how do you know if it is working?
In our last article, we looked at the concept of the Security Champion - who they are, how they are selected and motivated and how they work inside a business.
There is another consideration though, how do you measure the success of your programme? Just like with an internal awareness campaign, you need to know how it is reflecting upon your company’s security to know if it is worth the investment of time and money.
What Works?
As we proved last time, there is often not a massive outlay of cash when it comes to Security Champions efforts, as most people ‘appointed’ are not being paid for the extra effort and are doing this role as a voluntary activity.
Stuart Coulson, director at Hidden Text, says the answer on how well your campaigns are working is to wait for a response.
He talked about driving a campaign to thousands of tech-savvy staff members, and to measure success, he said he would “wait for them to start sending me content” as this way, “they became a form of Security Champion: the culture changed from absorbing media to creating content.”
Talking to SC UK, Denise Beardon, CEO and Founder at Copper Ink, talked about how she had set up the Security Champions programme for a major law firm, and I was keen to understand how she went through the stages of identifying the right people, as well as ensuring that it was working well.
The Security Champions programme really depends on the organisation, she says, as well as having the right people to work with. “I am specific on who I want, and I went from getting anyone who was interested in the subject - not techy, but interested.”
Also, running the programme means finding out what the Champions are willing to do, from floor walking to see what is being done, to seeing if sensitive papers are being left out and desktops are locked. “There has got to be a sensitive way, you don’t want them ‘out spying’, and let people work out what is comfortable for them,” she says.
She says in her role at the law firm, the remit was to “be clear on positioning and empowerment and increase confidence in infosec” as “Champions want to do something positive, and part of what they are doing is for your security reputation, and you have got to remember they are an extension of the team.”
How to Measure
This leads to the main question of measurement, and how best to do that. Beardon recommends setting an initial baseline expectation of results and correlating what you measure against that expectation.
On the measurement side, she recommends measuring both the intended and expected behaviour and the impact upon productivity levels and users, and considering the target behaviours around password management and physical security.
“I do focus on measurement, but also find out why they [the staff] are doing what they are doing, look at behaviours and productivity and how they are being impacted by time, and attitudes towards security too as if they have a negative attitude that can cause an issue.”
Beardon says that good measurement metrics can show whether there has been an impact, even if that understanding comes via an employee survey to get an idea of the landscape of the organisation.
“Measurement is a voice for the people, and what it is like to be sat in the organisation,” she says. “You can understand what is great and not great, and what works as without feedback, it is hard to know.”
Best Tactics
Which tactics are best to use for measurement? Beardon says that a full suite of qualitative and quantitative research is always the recommendation.
“The quantitative research (surveys) will provide you with statistics, and are useful for gap analysis when it comes to annual or monthly reporting; while qualitative research (focus groups) is much better for finding out people’s experiences and perceptions.”
She also recommends using auditing methods, such as locking desktops and password changes, but you need to ensure that these different measures are analysed together to provide a clear picture of what is happening.
“For example, if you have an issue with people not locking their desktops when away from their desk in the office, is this related to working with a hybrid model? What’s happening when they’re at home and wouldn’t it be good to try and find out? This is about looking at the whole of an issue rather than just zoning in through a narrow lens.”
Are metrics easy to gain though? Beardon says there is an element of survey fatigue at most organisations, even though it’s still a reliable method of capturing people’s intended behaviours without monitoring them.
She says: “It’s crucial to strike a balance between gathering this valuable information and not overwhelming your audience.” She recommends having a more targeted approach to gathering this data, as most people want to help and if they are allowed to reply anonymously, they’re more likely to be honest.
Also, this will remove the idea of ‘big brother’ breathing down their necks, even if it’s for the ‘good of the company’.
“If we want people to behave securely we must build trust, not act as if we’re conspiring against them,” she says. This is also the case of not having your Champions as a crew of ‘snitches’ who are looking to spot people doing wrong.
Which Result Do You Want?
Ultimately the point of a Security Champions programme is to better instil cybersecurity best practices across your organisation, and have the volunteers internally assist you with that. So at the start, should you go in with an expectation of what to achieve, or what you want to achieve?
Sarah Janes, managing director of Layer8, says when starting a security champions programme, work out what you want to change first and rather than measuring, understand how you can identify behaviour changes, and consider that to be the achievement of your strategy.
Beardon agrees, and says that you have to work out what it is you’re trying to prove.
“For example, do your people have a negligent attitude towards security or are they simply not savvy when it comes to the tech? Your research must always try and reveal why something is happening, or certainly point you in the right direction so you can make further investigations,” she says.
Also consider ending up with too much data that you don’t have time to process. “At Copper Ink, we use something called data storytelling which means simplifying complicated information so that the audience, for instance, the information security team, can make critical decisions quickly and more confidently.”
Having a Security Champions team does require a company with a group of staff who are willing to participate, and the rest of the company who are open to engage. The next stage is knowing how to deploy those Champions and what you want to learn and achieve. It’s a positive step for the right security team.
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.