The role of ‘security champions’ – ordinary employees within an organization tasked with improving the cybersecurity knowledge and awareness among their colleagues – is now viewed as a critical part of a modern, mature cybersecurity strategy.
With Verizon’s 2024 Data Breach Investigations Report (DBIR) finding that 68% of all breaches involving human error, improving security awareness across the business can substantially reduce the chances of damaging incidents occurring.
Jessica Barker, co-CEO at Cygenta, told Infosecurity: “Security champions are a great way of scaling up the security awareness and behavior program of an organization. They can help to promote a positive and healthy security culture and, in turn, can be an invaluable way of listening to different teams and parts of the business.”
The theory may be sound, but ensuring security champions programs have the desired impact requires significant planning and preparation.
Barker said: “When a security champion program fails, it is often down to poor planning at the outset.”
During October’s Cybersecurity Awareness Month campaign, Infosecurity investigated the role security champions can play in creating a strong cybersecurity culture and how to ensure these programs work effectively – both from the perspective of the organization and the champions themselves.
How Security Champions Can Impact Cybersecurity Culture
Security champions are uniquely placed to have a positive impact on an organization’s cybersecurity culture.
Cara Annett, Security Awareness and Culture Director at global events business RX, Infosecurity Magazine’s parent company, highlighted the necessity of having security champions throughout a global and diverse organization, where less than half of employees’ first language is English.
She told Infosecurity that the security champions’ feedback is critical for translating security messages into a localized context. This includes highlighting where there are blockers in enabling secure behaviors or where guidance might be lacking.
For example, some RX phishing simulations used to reference Valentine’s Day lures. However, this did not make sense for employees in countries like Brazil and China where Valentine’s day is not celebrated. Local security champions were quick to point this out, enabling the business to amend the training for different regions.
“Having their input with timing, messaging and how things are going to resonate with their teammates in critical. You can be so tone death without that,” Annett acknowledged.
Security champions can also directly impact colleagues’ behaviors, often by providing simple insights and lessons.
Marina Wanner, Procurement Manager for the LATAM region at RX, and security champion at the business, said that employees in Brazil previously scored poorly compared to other regions in reporting phishing emails.
She learned through discussion with colleagues that many were unaware of how to report potential phishing emails, so providing simple lessons on where to locate the ‘Report Phishing’ button and who to contact in the security team when issues occur has led to a fast improvement in this area.
Annett believes RX’s Security Champions program has had a significant impact on the company’s cybersecurity culture, with a notable increase in awareness in areas like how to use password managers, reporting phishing emails and using strong passwords.
“Having people who aren’t from the security team that contribute to recommending more secure practices makes a big difference to the culture,” noted Annett.
Building an Effective Security Champions Program
Establishing an effective security champions program requires significant time, planning and resources.
Barker said it is important such an initiative is not rushed through, with some organizations she has worked with wanting to set up a program within a month.
“An organization has to be ready for a champions program. Most importantly, there needs to be resource and commitment in place to sustain a network once it has been set up,” she explained.
There are a number of steps organizations must take in setting up and maintaining an effective security champions program.
Recruitment
Barker noted that the recruitment of security champions is often easier than organizations originally anticipate.
“There are lots of places to find keen people who are interested in security, for example those who are first to complete the security training or report suspected phishes,” she said.
Barker emphasized that technical skills are not a necessity for security champions, with soft skills like empathy and good communication particularly important for ensuring messages resonate with teammates.
“Security champions should be guides, not guards. These networks are not there to police their colleagues, but rather to help support and enable them,” she noted.
"Security champions should be guides, not guards"
In RX’s champions program, which started in 2022, there has been no shortage of volunteers. Annett explained that every business unit within the organization has a target of at least one champion, with larger units aiming for two or more. This is to ensure champions are evenly spread across different functions and geographic territories.
Annett also emphasized it is important to ensure the requirements of being a security champion are not so onerous that they impact the individuals’ day-to-day job.
“We make sure managers understand we’re only asking for one to three hours per month of these people’s time, so it’s not going to be super burdensome on them,” she said.
Support and Structure
After successfully recruiting security champions, organizations cannot simply leave them to get on with things. Structured direction and support from the business is required to ensure they are properly equipped for the role.
There should be at least one representative from the organization’s security team who leads the network and maintains regular contact with the champions.
“This is someone who brings them together, provides guidance, answers questions and, crucially, keeps the champions engaged,” said Barker.
RX security champions maintain a close relationship and regular dialogue with the company’s security team and senior risk and compliance personnel. This includes check ins and ‘ask me anything’ sessions with RX’s CISO, Des Massicott.
This approach is designed to help upskill security champions, who can use this knowledge to impart cybersecurity lessons to their teammates. Annett added that champions are expected to undertake certain courses to upskill themselves.
RX’s Wanner commented: “I receive support from the security team through regular meetings, training, and presenting results. There is also significant backing from senior leadership in Brazil on this topic, helping us promote the initiatives.”
RX also provides guidance on the expectations on security champions, and a few key activities they should be undertaking with colleagues as part of the program. However, they are also given plenty of scope for how they conduct training sessions and the topics they focus on.
All this information can be located in a single resource – a SharePoint folder – which Annett said is vital to have from a practical perspective.
How to be an Effective Security Champion
With the right support mechanisms in place from the organization, security champions will be well placed to promote secure behaviors among colleagues, as well as gaining significant personal benefits from the exercise.
Impactful Approaches
Conducting security champions training sessions in person can be especially fruitful for champions in spreading awareness among colleagues, particularly in an age of hybrid work. This allows for more relaxed, informal conversations to occur.
“The in-person sessions are making quite a big difference,” said Annett. “With security, because it makes people feel a little bit unnerved sometimes, they want to ask questions they’re unsure about but they don’t know if it’s a stupid question.”
Wanner has found that relating security lessons to everyday life, such as how phishing attacks can damage someone’s personal finances, has been most impactful in explaining security lessons and concepts. This is part of Wanner’s approach to using non-technical language when talking about cybersecurity.
Annett revealed that some RX security champions have recorded good results from arranging competitions and prizes for their team, such as who reported the most phishing emails.
In the SharePoint resource, RX security champions can also share approaches they took which have been particularly impactful, allowing champions to learn from each other’s experiences.
Security Champions’ Benefits
The key benefit security champions accrue from taking this role is growing their own knowledge around cybersecurity, which is crucial for their personal lives and that of their friends and family.
Once people start to implement basic security measures, such as password managers, that substantially reduce the risk of compromise, it saves a lot of anxiety around cybersecurity.
“There’s so much fraud going on in the world. Just having everyone a little bit more aware knowing what to do in those situations helps a lot. I think they get a good feeling out of doing a decent thing that contributes to general security and safety,” said Annett.
She added that some RX security champions are even transitioning towards working in cybersecurity as a career by studying for available qualifications.
Another benefit is receiving recognition from the business for their efforts. At RX this includes personal thank yous and certificates from senior management, as well as gifts and other prizes.
Barker said: “A structure for incentives (which goes beyond 'swag' and taps into intrinsic motivation) is a game changer for a sustainable network.”
Conclusion
Security champions programs can make a substantial difference to an organization’s cybersecurity culture, with individuals working within the business uniquely placed to impart knowledge on colleagues and understand how to best connect to their team.
However, such programs will only be effective if they have the appropriate structure and input from the wider business.
This is underpinned by a long-term commitment to the project, ensuring it is not just a gimmick but a valuable component of the organization’s wider cybersecurity strategy.
Disclosure: Infosecurity Magazine is part of the Infosecurity Group, a business unit owned and operated by RX, part of RELX Group plc.