Looking for information about how to build or improve a security champion program? You’ve come to the right place. Within these pages I’ll share everything I know based on my own experience leading and building these programs for my employers and clients in order to help you make your program a success. I’ll be assuming you already understand the benefits, but if you’re looking for information about what a security champion program is and why you need one, read this. Good luck! I’m here to help and would love your feedback on this guide. — Dustin Lehr

The Program Success Guide

Throughout the years, I’ve developed a methodical and repeatable process for designing an engaging experience of any sort, whether it’s a security champion program, an agile transformation, or any other initiative that aims to influence organizational behavior at scale by reinforcing motivation and engagement. I call it the Program Success Guide and have designed this site around its steps.

The Guide itself is designed to be cyclical, incorporating feedback from each iteration to get you closer to your ultimate Vision. On this site, in the context of building a security champion program, I’ll walk you through each step while providing details, examples, and tips/tricks along the way. I’ve provided links to other sections of the site all throughout so you can find your way around quickly. If that all sounds pretty good and you’re ready to go to the first step, let’s dive in!

Still here? Totally fine. Maybe you’re looking to learn more before diving in, and I can respect that. Here are the links to all the steps in the full process, which you may feel free to learn about and jump around as you see fit:

1. Vision: Where do we want to end up? Capture the long-term goals of the program.
2. Participants: Who are we trying to reach? Determine the target audience.
3. Setting: What is the current environment? Document the org’s current state and behaviors.
4. Concept: How do we want our participants to behave? List Ideal Actions by participants in alignment with Goals.
5. Design: How will we incentivize the participants to perform the Ideal Actions? Determine Motivational Methods for encouraging behavior.
6. Delivery: How will we implement the Motivational Methods? Plan, communicate, and kickoff the program.
7. Tuning: What are we learning and how should we adjust? Measure progress and refine details.

After executing these steps it’s recommended to go back to the beginning of the cycle and prepare for the next phase. You won’t get it perfect the first time. Security Champion programs are dynamic, organic, and must be allowed to evolve, so you need to be ready to respond to a changing environment.

It’s important to realize that your culture and business objectives are unique. I’ve focused on building an effective process here because while some concepts are generally effective across multiple companies, you cannot just drop a security champion program design into a new culture that worked at another company. I’ve shared throughout the site examples and tips based what I’ve seen work, but I encourage you to be creative while following this process to tailor your own program to satisfy your needs.

If you’re still reading this, you may be wondering what a Security Champion program even is and why you should pursue one… well, read on then!

What is a Security Champion program?

A Security Champion program spreads awareness of best practices by influencing organizational behavior toward better habits to reduce overall security risk.

Security Champions are non-security volunteers who receive additional training and incentives to represent security on their teams. They act as liaisons, or points of contact, in both directions: from security to their team, and from their team to security, as shown here.

Why do I need a Security Champion program?

Effective security requires everyone’s participation. You won’t get far with employees ignoring it to focus on their jobs while you then hire a security team to “secure” your environment independently. Unfortunately, security is not usually an integral part of a company’s culture and habits in a way that’s effective and systematic.

This lack of security-focused culture may be because senior leadership and stakeholders in the business:

1. Are not aware of the negative impacts of poor security to their business OR
2. Do not desire a security-focused culture compared with other priorities OR
3. Do not know that security maturity requires integrating good security habits into the culture

These could be underlying problems with a company’s core principles and should be addressed at the senior leadership level to make a true change to the culture. However, instead of some senior leaders actively driving and holding their company accountable for this change, they delegate, and the responsible security team does not necessarily have adequate influence or power to rewire the company’s core principles. They are left with no other option than to attempt to influence change from the “side” as a peer team, or from the “inside out” using a Champion program.

This is not everyone’s situation. Some senior leaders do want a security-focused culture and simply need assistance to induce this change. It doesn’t happen overnight just because someone at the top says it should as there are norms and habits that need to be influenced over time.

Reasons to Build a Program

Here are a handful of reasons you may want to consider building a Security Champion program:

Why do these programs work?

Many of the methods initially implemented in a good Security Champion Program use extrinsic rewards and other surface-level incentives. These serve to train the org to practice new habits until, over time, the culture is rewired to follow the modified core principles. Essentially, Security Champion Programs are a method to “act your way to new thinking” which is sometimes necessary for fundamental long-term habit change.

Here are some other reasons why the “inside out” Champion model works:

• Prior Respect: A Security Champion is already a trusted and known resource on their team, so their words carry more weight than that of someone outside of the team. In other words, it’s easy to ignore a security person talking about security again, but when a non-security person whom you already know talks about it, you’re more likely listen.
• Context: Security Champions know their team best and can translate and filter security information to ensure it’s relevant. It would otherwise be a major challenge for the relatively small security team to tailor and refine their messaging for all the unique teams.
• Efficiency: Security questions / concerns can be worked through the pre-identified team Security Champion, instead of spending the time finding the right person when the need arises. This removes communication barriers, boosts efficiency, and increases the likelihood of security issues being addressed quickly.
• Specialization: Additional time is spent by a select few, the Champions, in learning security concepts and performing security-focused duties, instead of everyone. This reduces overall time spent by the organization while also increasing the likelihood of meeting security goals.

What’s in it for the Champions?

• Obtain real knowledge, skills, and experience in the important field of Cybersecurity
• Learn how to better protect yourself, your team, and your company, from security incidents
• The quality and culture focus helps you stand out, influence your company’s culture, and earn recognition
• Being a Security Champion is now an industry-recognized role and can help demonstrate commitment to your field

Now, on to the process of creating your own program!