Why a security champions programme is about more than awareness.
Over the years, the duty of spreading the word about security best practice in the workplace has often fallen on the shoulders of the CISO, most likely via emails and physical awareness campaigns.
After lockdown ended, and with a third of staff still working remotely, does there need to be a rethink of how best to spread the word about security best practice across a company to a remote workforce?
One option is to empower selected staff to be ambassadors for the corporate security team, acting as ‘security champions’ for the company. This concept led me to wonder how a security champions programme is operated, how people are selected and what sort of tasks they can be expected to do. Is it all done as a voluntary exercise, and how does a company measure the success of its champions programme?
Understand the Challenge
One resource I did come across when looking into this subject is the Security Champion Success Guide, which advises that, when considering how to put together a set of champions, you should “search for individuals who you feel can add value to your brainstorming sessions while also engaging in healthy debate, optimising the creative process.” The guide recommends starting with one or two people; from there you would need to decide how the security champions are going to operate and look at how they will be tasked.
Sarah Janes, director at Layer8, says that setting up a programme should start with a “prep phase” where you set the tone that you want the champions to use, and “get people talking about the right things.” From that prep phase the champions will know what content to share, and how you can measure success.
Also prepare job descriptions for the champions, focus on positive outcomes, and give them a view of how you want them to be as a champion, Janes said, pointing out that this is less about a set of rules, and more about facilitating the staff and “making sure they are empowered to have good quality conversations.”
Awareness versus Champions
Speaking to SC UK, Janes says there is some confusion around the difference, as a lot of awareness is about telling people what risks and threats are, and there was a need to do something different. In particular there are two differentiators between awareness and champions: one is facilitating change and wanting to do something; the other is spreading messages locally, being able to tailor them to a different HR team in another country, explaining how it matters to them, and having a two-way conversation.
“What a good champion does is talk about risk at the ground roots of the company and conflict,” she says, saying the role of the champion is to be more collaborative.
When selecting staff, would you refrain from approaching members of IT or the security team to bring in a broader set of skills? Janes says the best people to appoint are those with some tech knowledge, but the “best traits are knowing how to talk to people.”
She says: “Some organisations’ traditional mindset is to go for IT people, and that is not always right; go for those people with human skills and teach them security skills.”
Commenting, Stuart Coulson, director at HiddenText, says that in his past experience he has done awareness for thousands of ‘techies’, which is no easy feat, “especially since this audience was nailed-on techies; so ‘don’t click bad links’ to a contractor who is installing the DLP solution was always going to be tricky.”
Instead, he says he used “very targeted news” with targeted content so that the community would be aware.
Coulson’s rationale here was that when the recipient saw something, they knew it was either for them or for someone like them, and so they kept an eye on it.
Janes said champions campaigns are typically favoured by larger companies, and that people who run awareness initially go on to understand it, but often don’t do it well, “and suspect it is to do with ROI and it is hard to articulate what is going to be different at the start.” That is where the prep plans can be valuable: if you know what you’re aiming to achieve, you can build it in.
Inspire the Champions
If you can identify and crown the right people to be your champions, next comes the main challenge - how can you encourage them to be the best they can be? One of the factors here is that this is often a volunteer role, much as a first aider or mental health coach would be in an organisation.
Coulson says the problem with security champions is that it is often just an add-on to an existing role for no more money, so staff do it altruistically. “That however is quite a weak driver psychologically,” he says. “If you had two choices, you are going to take the one with less work - not the one with more work. So unless there is a financial reward or hours allocated in your contract to it, you ain’t going to do it.”
Janes says that encouragement comes with identifying the champions’ strengths and linking their duties to those, as well as having core values for what the champions programme looks like.
“It’s about showing people how they can make a difference - both to the organisation and other people,” she says, admitting that “no one says do it to get paid more and get bonuses.” Instead, the reward structure is about people feeling valued, with the CISO making sure people are thanked and sharing stories of success, and even failure, from the work they have done.
“One company we work with had a near breach and shut it down, and were able to do so as someone noticed something - and that came because of the champions,” Janes says.
She also recommends continual communication with the champions, and talking to them about what they are doing. “It has got to be a two-way thing or champions get annoyed as they are a foghorn for messages and two-way conversation gives them value and collaboration.”
The Security Champion Success Guide says this is now an industry-recognised role that can help demonstrate commitment to your field, as well as allowing those tasked with it to obtain real knowledge, skills and experience in the field of cybersecurity; learn how to better protect themselves, their team and their company from security incidents; influence their company’s culture; and earn recognition.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.