How do we want our Participants to behave? Now that we know our overall objectives, who we want to reach, and how they’re currently acting and why, we’ll list the Ideal Actions we’d like to see Participants take in alignment with our Goals. This is a chance to remove your grounded reality constraints, dare to be creative, and dream big! In the examples, our first iteration will focus on Example Goals 4 (Knowledge) and 5 (Participation) because these are prerequisites to the ultimate goals of 3 (Discover Security Issues), 2 (Remediate Security Issues), and 1 (Prevent Security Issues).
High Level Desired Behavior
What do you want to see your Champions do at a high level? What are you looking to change or improve overall about your program? Ensure these align with your Goals. This exercise helps you focus on determining how you want them to behave.
Example High Level Desired Behavior
- Better attendance and more participation from the champions in meetings and brown bag events
- An excitement to grow, learn, and share knowledge with the Champions’ teams
- An active security champion volunteer among every group of people that work closely together to ensure security representation
- Proactive reporting of potential security issues
- Assistance with the rollout of security tools, processes, and habits across the organization
Ideal Actions
What specific things would you like your Champions to do? Capture this and how each behavior aligns with your Goals. Remember this process is iterative and you do not need to go after all your Goals in the first pass. I’d suggest focusing on actions associated with attendance/participation and learning for the initial phase, then adding responsibilities in later phases as the program catches on and the culture shifts. You can specify and document the phase as you brainstorm ideas.
Design Spreadsheet
I find it effective to capture the Ideal Action information in a Design Spreadsheet, so I’ve provided an example Google Sheet for you to use to get started.
Example Ideal Actions (Initial Phase)
This is for the first phase, so it includes only actions that satisfy Goals 5 (Participation) and 4 (Knowledge) and a couple from 3 (Discover Security Issues) that apply to all Champions. Meeting these goals will set the stage and open the door to meeting the ultimate but more difficult Goals: the rest of 3 (Discover Security Issues), 2 (Remediate Security Issues), and finally 1 (Prevent Security Issues). It makes sense: you can’t find, fix, and prevent security issues without learning why this is important and how it should be done. Show up and spread the news (Goal 5), learn something (Goal 4), and ultimately help influence the security posture of the company.
Action | Goal Alignment | Participant Group | Phase |
---|---|---|---|
Attend Champion Meeting | Participation | All | Initial |
Speak up or Chat During Meeting | Knowledge | All | Initial |
Fill out End Of Meeting Survey | Participation | All | Initial |
Post a Question or Article in Slack Channel | Participation | All | Initial |
Comment, Answer, or React in Slack Channel | Participation | All | Initial |
Complete Non-Required Training (Secure Code, Awareness) | Knowledge | All | Initial |
Invite Guest To Champion Meeting | Participation | All | Initial |
Watch Non-Required Security Video (Internal or External) | Knowledge | All | Initial |
Read Security Related Blog Post or Article | Knowledge | All | Initial |
Read Security Related Book | Knowledge | All | Initial |
Refer Someone To Become a Champion | Participation | All | Initial |
Showcase Champion Logo in Slack Profile Image | Participation | All | Initial |
Showcase Champion Logo in Zoom Background | Participation | All | Initial |
Complete Required Training within 5 Days | Knowledge | All | Initial |
Mentor Another Champion | Participation | All | Initial |
Provide Feedback or Suggestion About Program | Participation | All | Initial |
Share What You Learned With Your Team | Knowledge | All | Initial |
Report Potential Security or Privacy Concern | Discover Issues | All | Initial |
Report Phishing Email | Discover Issues | All | Initial |
As the examples I’ve given focus only on meeting Goals 4 (Knowledge) and 5 (Participation), I’ll share a Success Guide example for a later iteration that captures Ideal Actions for Example Goals 3 (Discover Security Issues), 2 (Remediate Security Issues), and 1 (Prevent Security Issues) as a blog post. Stay tuned for that!