5 steps to run a successful cybersecurity champions program

Here's how others have launched successful cybersecurity champions programs to promote and encourage positive security cultures across an organization.

Cybersecurity awareness  >  A weary businessman holds hand to forehead at security training.
BraunS / Getty Images / Thinkstock

Cybersecurity champions programs nurture and encourage cybersecurity awareness within a business, combining education with peer-to-peer collaboration to embed a culture of security understanding, support, and positive behavior among a workforce. A typical program consists of individuals from different departments who act as security advocates for their function and help to shape an organization’s cybersecurity approach internally.

Growing in popularity across a wide range of industries, cybersecurity champions programs have proven so beneficial that they became integral components of some organizations’ cybersecurity awareness strategies.

An effective and productive cybersecurity champions program requires several key elements to achieve its goals and avoid being a wasted investment. Here are the advantages of running a cybersecurity champions program for CISOs with five steps to doing so, including advice from security leaders and experts who have first-hand experience in this area.

Advantages of a cybersecurity champions program

The benefits of a well-orchestrated cybersecurity champions program may differ depending on factors such as size and sector, but the general advantages are universal, experts agree. “To truly engage people in cybersecurity and positively influence their behaviors, it is key that we explain the ‘why’ of everything we talk about. When done well, a cybersecurity champions program is more effective at achieving this than anything else,” Dr. Jessica Barker, co-founder and socio-technical lead at Cygenta, tells CSO. “A champions program allows you to scale up your awareness-raising, tailor your communications to make them as relevant as possible and increase incident reporting. Most importantly, a successful champions program is one of the best ways to listen to your colleagues throughout your organization and understand their perceptions and challenges regarding cybersecurity.”

MongoDB CISO Lena Smart, who established the MongoDB Security Champions Program, agrees. “Given the rapid growth we’re experiencing, we view security as a differentiator and believe building a strong culture where my team is seen as a partner and enabler for the rest of the business is paramount to our success. Our program feeds into that and creates a personal, vested interest in keeping the company secure.”

A particular positive Smart has seen from the program is that it has become a pipeline for recruiting new talent to the security team. “We’ve had multiple employees who have transferred into full-time security positions from other teams. In my opinion, it can be easier to teach someone security skills than to try and hire someone from the outside who checks all the boxes with previous experience.”

Cross-department communication and collaboration has also been boosted with other teams becoming more engaged with the security function, Smart says. “We’ll attend product roadmap planning meetings with our engineering teams so we can be there to better understand and provide feedback on security considerations, for example.”

A solid program helps to demystify cybersecurity for non-security employees and bring it into the scope of their own specialties. “People often think cybersecurity is an unfathomable, deeply technical concept, but having security champions creates an open dialogue, and couching security issues and threats in ways that are relevant to specific roles is the best way to navigate this issue,” Dr. John Blythe, chartered psychologist and director of cyber workforce psychology at cybersecurity training firm Immersive Labs, tells CSO. “Engineers need to understand how to write secure code, executive teams need to know how to respond better in a cyber crisis, and IT teams need to know how to secure cloud infrastructure.”

Once trained, cybersecurity champions can identify and address cybersecurity vulnerabilities before they become widespread and problematic, adds Dominic Grunden, CISO of UnionDigital Bank. “In doing so, they can save organizations significant time and money in the process,” he says. Grunden has integrated and run cybersecurity champions programs across multiple industries and organizations.

5 steps to a successful cybersecurity champions program

1. Plan your security champions program thoroughly

Barker says prior planning is key to launching and maintaining a successful cybersecurity champions program. “We have worked with many organizations that didn’t plan a champions program. They went straight to recruitment and launch. After a year or so the program was failing to deliver and fizzled out,” she says.

Barker and her colleagues have spent several years developing the Champion Leader Framework and turning it into an online course, and new clients are often surprised by the amount of preparatory work they need to do before they start recruiting champions, she adds. “Building a program that is tailored to your organization – and laying the right foundations in terms of objectives, incentives and roles – is crucial.”

2. Secure leadership buy-in to support your program

Leadership support has a significant impact on the success of a security champions program, Smart says. It’s therefore key that CISOs ensure senior leaders in an organization understand the value of and are actively involved in promoting programs. “At a recent all-hands meeting, our CEO endorsed the program and encouraged employees to join, which adds to the accessible and proactive security culture we’re cultivating,” says Smart.

Alexander Antukh, director of security at Glovo and author of the Security Champions Playbook, echoes similar sentiments. “If leadership and team management do not see the value of the program, it is difficult to prioritize security activities even for those who really would like to contribute. There are different ways to get the support, but it’s mostly about educating the management about the issues and showing the benefits from this approach,” he tells CSO.

3. Prioritize communication skills, diversity when recruiting security champions

Cybersecurity champions are security cheerleaders rather than experts – amplifying security messages at the team level and acting as the security conscience of their department, keeping their eyes and ears open for potential issues. As such, they should be good communicators who are trained to better understand cybersecurity, not the other way around.

“A successful champion is usually someone who has good communication and interpersonal skills that you can develop with security guidance,” says Barker. It is ideal to recruit champions who are influencers throughout your organization, and this doesn’t just mean people who are senior, she adds. “You will find influencers in all sorts of roles and positions in your organization, and (drawing on principles of social proof) they will be most effective at winning hearts, minds, and behaviors of those around them.”

A good starting place for champion recruits is to consider people who ask a lot of questions of the security team, who actively engage in training and awareness, and those who have been involved in incidents in the past.

4. Balance commitment requirements, make training relevant and suitable

Being a security champion is voluntary, but it means taking on responsibilities outside of someone’s day-to-day job. Security leaders must strike the right balances of commitment and output to protect the longevity of the program and engagement from employees, while also ensuring training is suitable for specific and achievable goals. “Determine the level of commitment participants need before you start the program, based on how often the champions meet and other tasks they do,” says Grunden “You do not want the cybersecurity to be overloaded as it will naturally come out negatively in communication and awareness, which defeats the purpose of the program.”

Smart, for example, asks champions to attend monthly security-related meetings and dedicate approximately two hours per week to learning about security, focusing on relevant topics, news, and updates including injection attacks, cloud security, and securing a LinkedIn profile.

5. Incentivize your security champions program, make it fun and mutually beneficial

Security champions programs need to be just as engaging and fun as they are informative, Grunden says. “Everyone wants to believe and feel like they are part of something meaningful, positive, and purpose-driven in which opinions matter and are valued. Most of all, this culture should be fun by having special events, team building events, and other lighthearted activities to keep champions engaged and motivated.”

This is something Smart ensures in her program, providing champions with access to exclusive rewards and benefits. “We have activities including our movie discussion/book club and a capture the flag competition,” she adds.

Likewise, Grunden recommends having an unsung heroes awards ceremony to acknowledge champions and promote their accomplishments, along with allowing employees to display a cybersecurity champion badge in their corporate directory profile for all to see.

Blythe agrees regarding the importance of incentivizing employees to invest their time and effort. “Look for incentives that align with your organizational culture,” he says. “Incentives can be material (like money, vouchers, or swag) and non-material (like social recognition and praise). There must also be a willingness to listen to champions and adapt policies and campaigns based on their feedback, because when they feel valued and listened to, your security program will be more effective.”

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022