Can champions elevate your cybersecurity program?
A champions program can be a force multiplier for a cybersecurity program, help build a security-conscious organizational culture, and reduce risk.
Champions are local advocates for security within teams or departments across the company. They are not part of the security team; rather, they take on the role as an extra hat, typically as volunteers.
A great example is having a security champion on the development team in the IT group. This champion can help with risk modeling, teaching secure coding practices, deploying security tools, and integrating security throughout the software development lifecycle. They can also give feedback on how security tools and practices fit into the development workflow, and provide the insider knowledge needed to overcome obstacles.
Areas where champions can help elevate a security program include:
Scalability: Champions act as an extension of the cybersecurity team, growing its reach into a business unit or team without adding additional staff.
Expertise: Champions are part of the business team. They understand the specific workflows, tools, and priorities for their teams and bring an incredibly valuable end-user perspective that can both help the local team implement security measures and provide feedback to the security team on what works well and what doesn’t.
Early warning and response: Employees may be more comfortable reporting suspicious activity or asking questions to a trusted peer (their champion) rather than directly to the security team. This can lead to earlier detection and reporting of potential risk, and better response to incidents.
Tailored security awareness: Security training that is tailored to a specific team or role is much more effective than generic training, and champions can help tie security training to their team's specific workflows, tools, and risks. Champions can help the local team understand the 'why' behind security policies and procedures using their team’s terminology, helping their colleagues understand and comply.
Ownership: Maybe the biggest benefit of champions is they foster a shared responsibility for cybersecurity by the business unit.
Creating a successful security champions program requires setting clear expectations for the role, being intentional about providing the support to make it meaningful, and gaining support from the leadership of the business team. Appointing someone a “champion” with no structure, follow-up, or support from their management is a meaningless exercise.
Some of the basic steps and suggestions to get a program going:
Start small and build: Identify one or just a few key areas to test and develop the concept, such as the development team in IT.
Define the role and goals: Decide what you will ask the champion to do and what the expected time commitment is. Avoid making it overly burdensome.
Seek feedback and support: Discuss with (i.e., sell) the leader of the target team: how this will be mutually beneficial, whether they will support it, and whether there is anyone they recommend for the role.
Select the champion: An ideal candidate has the right mix of technical skills, enthusiasm for security, and the ability to influence their peers. They could be a volunteer or nominated.
Provide training: Empower your champions by providing them with specific training that raises their knowledge of the security considerations in their areas. For example, provide specific training on your tools and involve them in incident response exercises. One idea to consider is creating a certification for champions who meet certain criteria, as an incentive for their engagement.
Communicate and collaborate: Make your champions part of an inner circle with your team, keeping them in the know on cybersecurity in general and especially on what is happening in your program. Make it a two-way discussion by seeking collaboration and feedback. Can you create a dedicated communication channel (e.g., Teams/Slack) for sharing information, or host a bi-monthly champions lunch-and-learn?
Measure the impact: Consider both quantitative and qualitative measures of the success of your security champions program. This will demonstrate the value to business leaders and gain their support, and also motivate the champions. Think about the goals for each champion role and how success can be measured; it can be anything from vulnerabilities resolved to training completed by the champion's team.
Recognition: What is in it for your champions? What can you do to keep them engaged and seeing positive value from wearing this extra hat? Recognition and rewards show that you value their contribution and help the champions see a direct benefit. Be sure to discuss your champions' impact with their managers during the annual cycle for performance reviews, promotions, and compensation adjustments, so they get "credit" for going above and beyond their core duties.
In addition to software development, good business units for starting a champions program include:
Other IT departments: Helpdesk, system administration, and network engineering are often the first call for problem solving.
HR: Involved in onboarding, training, and handling sensitive employee data.
Finance & Accounting: Handle highly sensitive financial data and are frequent targets for phishing and Business Email Compromise scams.
Marketing & Communications: Manage public-facing platforms, handle brand reputation, and need awareness around social media.
Cybersecurity leaders know their resources and technology are never enough. By identifying, empowering, and supporting champions across your organization, you can scale your program, embed security within your culture, and reduce risk. It requires effort and commitment, but that investment can be a bargain compared to the return. Start building your network of champions today and turn it into a formidable security asset.