Build a Network of Champions to Increase Security Awareness

CIO Review Team

A well-designed security champion program will support long-term behavior change.

If you work for a large organization, chances are you've been asked to complete computer-based security awareness training, such as an anti-phishing behavior management course.

The problem is that these traditional security awareness approaches are not flexible enough to meet the cultural or local needs of diverse audiences, especially in global corporations. Security leaders consistently struggle with communicating the importance of a culture that is security-aware. Employees often see security as a responsibility of a single group, making it hard to achieve truly shared accountability for an overall secure environment.

How security champions help

Creating a security champion program is a low- or zero-cost way to accelerate your security message. It forms a network through which a consistent stream of security information can be broadcast at a local level.

Security champions are members of business, IT, development, or delivery teams who receive additional training on pertinent security issues. They may not get into the technical aspects of security issues, but rather act as local gurus who can answer questions, recommend training, and work with security experts to find answers to deeper questions or escalate issues.

"A good security champion program improves the integrity and reach of your security culture, and by localizing the security representation throughout the business, your reach into the organization will become that much deeper," Huisman says.

Gartner predicts that by 2021, 35% of enterprises will implement a security champion program, up from less than 10% in 2017.

Build your network of champions

Here are four key recommendations for security and risk management leaders overseeing information security programs to ensure a successful security champion program.

1.  Make clear connections between the security champion program and business objectives to get executive support for the program. Resist using the "My program is the most critical investment you will make" approach. Rather, security leaders will have a far more receptive audience if their program is a cornerstone of any effort intended to achieve business objectives.

2.  Build a network of champions that is inclusive of all roles and geographies across the enterprise. The right mix of representatives will come through manager nomination and volunteering. It is important to identify employees who have a solid understanding of how their respective communities work, and have the influence to be heard and drive change.

3.  Present the role of a champion as a developmental opportunity and integrate it into performance development plans. The champions should have a way to assess their performance, the contributions they are making to the team, and the impact they are having on their community. Build in a recognition and reward system to drive interest and output.

4.  Allow champions to take creative liberties with the content to better suit their audiences. Package all materials into toolkits for consistency across the enterprise, but allow champions to tailor the content and the execution in their local markets.