Program Structure Implementation
Determine the execution details of the Program Structure and complete their setup and procurement. If there are monthly training meetings, who will host them? How will you determine the topics? Also set up other elements such as the Slack channel.
It is very time consuming to have your team design and deliver the content for the monthly meetings, unless you have a dedicated team member who is skilled in training and presenting. It’s recommended to hire a vendor to design the presentations and host the meetings so your team can focus on running the program, among other things. Work closely with them to ensure the content is curated for the audience and culture. You should also schedule the meetings at least a month in advance so people can reserve the time.
If hiring a vendor for the monthly meetings is not possible, consider having less formal “open discussions” on a specific topic month-to-month, which will significantly reduce the preparation time and presentation burden.
Here are a few presentation tips / ideas:
- Pause and leave room for questions so the champions feel part of the experience and not simply lectured at.
- Prompt your audience to “fill in the blanks”, which is a gamification technique to engage their participation. Something like “SQL Injection can be prevented by proper ______” (Input validation). This isn’t to be used as a quiz and is more effective before presenting the relevant content.
Capture the Flag events are also time consuming to set up and host… you need an entire vulnerable sandbox for people to play in! It’s also recommended to hire a vendor for this.
Also, consider and write up how you onboard Champions and how you will remove them if they are no longer interested or if you detect that they left the company. It can be useful to tie your Champion list into other inventory data such as HR system staff member data to help determine when Champions leave.
Method Implementation
With your Design finalized and your Motivational Methods determined, decide how you will implement them. How will you calculate levels, boosters, mentors, and the other gamification elements? Spend the time proving out potential tools, then choose a solution and implement its initial setup during this step.
Example Method Implementation
A “Security Champion Tracking Spreadsheet” will be used to track the details of the Champions, including:
- Who are the champions – list email addresses
- Champion attributes:
  - # of Stars
  - Current Belt Level
- Ideal Actions completed by the Champions so Stars can be calculated
Spreadsheet formulas will be used to calculate attribute values: Belt Level based on # of Stars, Expiration of Stars, Mentorship relationships, Mentors receiving half of the Stars for their Mentees' Ideal Actions, and a 2x Star Booster while a Champion is below the highest level they previously earned.
The Tracking Spreadsheet will be synced to a table in the asset inventory database so it can be related to other data, such as employee information (manager, title, etc.) and team information (engineering team Zaphod details), to help calculate metrics about the program.
An online “Wheel of Fortune” app such as this will be used to randomly select an attendee to win the prize.
Ideal Action Collection Plan
How will you track the Ideal Actions of your Champions so you can Reward them accordingly? In this step, you’ll finalize how each Ideal Action will be captured and tracked, using tools and integrations where necessary to automate. You can use the Design Spreadsheet you created when you finalized the Motivational Methods and add additional columns with these details.
Example Ideal Action Collection Plan
The “Security Champion Tracking Spreadsheet” will be used to collect which Ideal Actions the Champions took. Formulas will be used to tie the star calculations to the levels. The email field will be used to tie to the correct Tracking Spreadsheet tab.
Date | Champion | Action |
---|---|---|
2022-04-05 | ford.prefect@example.com | Attend Champion Meeting |
2022-04-12 | tricia.mcmillan@example.com | Speak At Champion Meeting |
… | … | … |
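The spreadsheet formulas described under Method Implementation (expiring Stars, Mentors receiving half of a Mentee's Stars, the 2x Booster below a previously earned level) can be replayed from the action log above. The following is an added example, not the guide's own spreadsheet; the star values per action, the 365-day expiry window, the belt thresholds and the mentor map are all assumed for illustration, and the log rows are constructed in the table's layout.

```python
"""Star and belt calculation replayed from the Security Champion action log.
Added example, not the guide's spreadsheet: the star values, expiry window,
belt thresholds and mentor map below are assumed for illustration."""
from datetime import date

STAR_VALUES = {"Attend Champion Meeting": 1, "Speak At Champion Meeting": 3}  # assumed
EXPIRY_DAYS = 365  # assumed: a star stops counting one year after its action date
BELTS = [("White", 0), ("Yellow", 3), ("Green", 8), ("Black", 15)]  # assumed thresholds
MENTORS = {"ford.prefect@example.com": "tricia.mcmillan@example.com"}  # mentee -> mentor, assumed

# Constructed log in the guide's "Date | Champion | Action" layout.
ACTION_LOG = """\
2021-03-01 | ford.prefect@example.com | Speak At Champion Meeting
2022-04-05 | ford.prefect@example.com | Attend Champion Meeting
2022-04-12 | tricia.mcmillan@example.com | Speak At Champion Meeting
"""

def belt_rank(stars):
    """Index into BELTS of the highest belt whose threshold the stars meet."""
    return max(i for i, (_, need) in enumerate(BELTS) if stars >= need)

def active_stars(items, on):
    return sum(s for d, s in items if (on - d).days < EXPIRY_DAYS)  # unexpired only

def compute_standings(log_text, as_of_iso):
    """Replay the log in date order; return {email: (active stars, belt, highest belt)}."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            when, who, action = (c.strip() for c in line.split("|"))
            rows.append((date.fromisoformat(when), who, action))
    earned, highest = {}, {}  # email -> [(date, stars)], email -> best belt rank ever reached
    for when, who, action in sorted(rows):
        base = STAR_VALUES.get(action, 0)
        credits = [(who, base)]
        if who in MENTORS:  # the mentor receives half the stars for a mentee's action
            credits.append((MENTORS[who], base / 2))
        for person, stars in credits:
            active = active_stars(earned.setdefault(person, []), when)
            if belt_rank(active) < highest.get(person, 0):
                stars *= 2  # 2x booster: champion is below the highest belt they ever earned
            earned[person].append((when, stars))
            highest[person] = max(highest.get(person, 0), belt_rank(active + stars))
    as_of, standings = date.fromisoformat(as_of_iso), {}
    for person, items in earned.items():
        active = active_stars(items, as_of)
        standings[person] = (active, BELTS[belt_rank(active)][0], BELTS[highest[person]][0])
    return standings
```

With the constructed log, Ford's 2021 stars have expired by April 2022, so the meeting he attends earns double (2 stars) because he is below the Yellow belt he once held, and Tricia receives half of that action's base value as his mentor.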
Most of the Ideal Actions will be documented by the program administrators through manual tracking and reports from tools. A “Self Attestation” form will be available for Participants to submit the actions that would otherwise be unknown and un-trackable by the administrator. This will be created via Google Forms.
Action | How Collected |
---|---|
Attend Champion Meeting | Admin adds video call tool attendance information to Excel |
Speak up or Chat During Meeting | Admin watches recording and adds action to Excel |
Fill out End Of Meeting Survey | Admin uses survey results to record action in Excel |
Post a Question or Article in Slack Channel | Admin examines slack entries and records in Excel |
Comment, Answer, or React in Slack Channel | Admin examines slack entries and records in Excel |
Complete Non-Required Training | Admin uses training platform to record action in Excel |
Invite Guest To Champion Meeting | Participant submits via Attestation Form, Admin records in Excel |
Watch Non-Required Security Video | Participant submits via Attestation Form, Admin records in Excel |
Read Security Related Blog Post or Article | Participant submits via Attestation Form, Admin records in Excel |
Read Security Related Book | Participant submits via Attestation Form, Admin records in Excel |
Refer Someone To Become a Champion | Participant submits via Attestation Form, Admin records in Excel |
Showcase Champion Logo in Slack Profile Image | Participant submits via Attestation Form, Admin records in Excel |
Showcase Champion Logo in Zoom Background | Participant submits via Attestation Form, Admin records in Excel |
Complete Required Training within 5 Days | Admin uses training platform to record action in Excel |
Mentor Another Champion | Participant submits via Attestation Form, Admin records in Excel |
Provide Feedback or Suggestion About Program | Participant contacts security team, who then contacts Admin |
Share What You Learned With Your Team | Participant submits via Attestation Form, Admin records in Excel |
Report Potential Security or Privacy Concern | Participant contacts security team, who then contacts Admin |
Report Phishing Email | Phishing email report statistics per associate sent to Admin each month |
The information above can be captured as part of the Ideal Action information in the Design Spreadsheet created in the Concept phase. Here is an example Google Sheet to get you started.
Stars will be documented and applied to the Participants once a week, on Monday (or Tuesday if Monday is a holiday).
Rewards Delivery
How will the Rewards be delivered to the Security Champions? Go through the Rewards determined in the Design phase and determine the details around procuring the items and getting them to the right people. If you need help from other departments at your company, like workplace managers, be sure to engage them early, before you kick off the program, to ensure they can support the needs of the program. You should also collect item costs and ensure you have the budget.
Example Rewards Delivery
The Champion’s physical rewards will be delivered by the workplace manager who supports their office location. The Champion can choose to either pick it up or have it mailed to them.
Reward | How Delivered | Cost Per | Designer | Producer |
---|---|---|---|---|
Level Up Notification | Email (Via Template) | $0 | Program Admin | Internal |
Belt Logo Digital Image | Email (As Attachment) | $0 | Program Admin, Brand Studio | Internal |
Champion Program Logo Digital Image | Shared Drive | $0 | Program Admin, Brand Studio | Internal |
Zoom Digital Image Background | Shared Drive | $0 | Program Admin, Brand Studio | Internal |
Belt Sticker | Office Pickup or Mailed by Workplace Mgr | $0.30 | Program Admin | Merch Vendor |
Security Champion Program Sticker | Office Pickup or Mailed by Workplace Mgr | $0.30 | Program Admin | Merch Vendor |
Security Champion Mug | Office Pickup or Mailed by Workplace Mgr | $6.00 | Program Admin | Merch Vendor |
Security Champion T-Shirt | Office Pickup or Mailed by Workplace Mgr | $14.00 | Program Admin | Merch Vendor |
Security Champion Sweatshirt | Office Pickup or Mailed by Workplace Mgr | $30.00 | Program Admin | Merch Vendor |
Challenge Coin Holder | Office Pickup or Mailed by Workplace Mgr | $25.00 | Program Admin | Merch Vendor |
Karate Black Belt | Office Pickup or Mailed by Workplace Mgr | $35.00 | Program Admin | Merch Vendor |
Gift Card (Digital) | Emailed by Workplace Mgr | $50 | N/A | Store |
If you have offices around the world, there can be some challenges when producing material Rewards. Are you going to have them produced locally and then ship them? Be aware of the risk of items being held up in customs. Are you going to create them using vendors located in each office's location? Try to have the items created as similarly as possible across locations.
Define and Implement Metrics
How will the Motivational Methods and Ideal Actions be measured to prove they satisfy the defined Goals? Even if your leadership team is initially excited about your program, you will need to plan to show the return on investment, as questions will come up from them or others about its value. It is recommended to create a dashboard that captures your metrics in a concise and easy-to-read manner. Prepare to present metrics often during all-hands and while meeting with your senior leaders.
The ROI case you should make depends on the goals of your Champions program, as well as its structure, design, and even maturity. For instance, do you require your Champions to accomplish tasks that lead directly to better security (i.e., fixing vulnerabilities)? If so, you'll be able to show direct, measurable causation between what your Champions are doing and the impact they are having. Is it a volunteer program where the actions you measure are more participation- and training-related? In this case, you will only be able to demonstrate correlation between these actions and their ultimate impact on the security bottom line (e.g., a strong, statistically significant correlation between training and vulnerability density).
As a starting point, capture the Ideal Actions the Champions are taking per month, grouped by Goal. You should also ensure you are capturing the metrics that measure the Goals themselves, since they were written to be measurable. It is advisable to set a goal for each metric so you understand what you are aiming for. Where it makes sense, make the metrics relative to the size of your program so that you're not simply measuring the size of the program with each metric; use percentages of Ideal Actions out of the whole population of Champions to accomplish this, as shown below.
Example Metrics (Initial Phase)
- Goal: Discover Security Issues
  - Potential Security or Privacy Concerns Reported per Month, Goal: increasing over time
  - Phishing Emails Reported per Month, Goal: increasing over time
- Goal: Knowledge and Skills (80% of Champions have taken non-required training)
  - Speak-ups or Chats During Meeting per Month, Goal: increasing over time
  - Non-Required Training Completions per Month, Goal: increasing over time
  - Security Blog Posts or Articles Read per Month, Goal: increasing over time
  - Security Related Books Read per Month, Goal: increasing over time
  - % Champions who have taken non-required training, Goal: 80%
- Goal: Security Champion Program Participation (80% attendance in monthly meetings)
  - % Champion Meeting Attendance out of Total Champions per Month, Goal: 80%
  - % End Of Meeting Surveys Completed out of Meeting Attendance per Month, Goal: increasing over time
  - Question or Article Slack Channel Posts per Month, Goal: increasing over time
  - Comments, Answers, or Reactions in Slack Channel per Month, Goal: increasing over time
  - Guests Invited to Champion Meeting per Month, Goal: increasing over time
  - Non-Required Security Videos Watched per Month, Goal: increasing over time
  - New Champion Referrals per Month, Goal: increasing over time
  - % Slack Profile Champion Logos out of Total Champions per Month, Goal: 50%
  - % Zoom Meeting Backgrounds out of Total Champions per Month, Goal: 50%
  - % Completed Required Training Early out of Total Champions per Month, Goal: increasing over time
  - % Who Have Mentees out of Those Eligible to Mentor per Month
  - Feedback or Suggestions per Month
  - Share What You Learned per Month
- Other Useful Metrics:
  - Total # of Champions per Month
  - Count of Champion Belt Levels per Month
  - Total Points Accumulated per Month
The Security Champion Tracking Spreadsheet will be loaded into a data warehouse or database via a custom script and made accessible to an analytics dashboard product such as Looker or Sigma to calculate and display these metrics.
Rollout Plan and Implementation
How will you build support and kick off the program? All your planning has led you here and now it’s time to share the experience you’ve designed with the world! Set a roadmap of your plans with dates, including the kickoff event. Define how you will build awareness of the program, get out there and communicate! Determine what will be shared at the kickoff event and prepare the content. Plan as far forward as it makes sense for your program and execute!
You may want to start with only your innovator / early adopter groups, identified as your initial Allies, as more of a proof of concept for the program, to test what works and adjust as necessary before opening up to a larger group. The following example skips this step.
Example Rollout Plan
- Senior Leadership Buy-in should already be obtained up your leadership chain, but you may want to communicate with other senior leaders by having your leadership contact them, or contacting them yourself, to explain the program now that you have the details figured out. Be sure to focus on the business benefits and reasons to build one that are relevant to their level.
- Build a slide deck that summarizes the Vision, Participants, Setting, Concept, Design, Delivery and Tuning plan. Create variations of shorter and longer decks tailored to different leadership levels (sr. mgmt, mid-level).
- After obtaining internal buy-in on the final Design and Delivery from security leadership, traverse the organization from top to bottom, starting with the most senior leaders as makes sense (C-levels), to executives (VPs, Directors), on down to the managers. Present the details of the program and obtain feedback. They know their area best, so it's better not to impose a structure and recruitment plan on them. Give them control over how they want to participate. Weigh-in leads to buy-in.
  - Share the goal of at least one Champion per team/group, but ask how to best structure the Champion representation in each leader's area.
  - Also ask how to best recruit Champions in their area… it could be via all-hands, team meetings, or 1:1 through each of their reports.
  - When you get to those who manage individual contributors, emphasize that this is a volunteer program and ask if they have anyone specific in mind whom they may want to nominate to participate. Have the manager check with them, or offer to chat with them yourself.
  - If the nominated Champion is in, develop and follow an onboarding plan that includes adding them to the Security Champion Tracking Sheet, inviting them to the Slack channel, and anything else that needs to be set up.
- Adjust the design, delivery, and communication/presentation according to the feedback collected.
- Plan the kickoff event: a meeting with all the Champions where the details of the program are explained.
- Plan the vendor-led knowledge-focused meetings and capture the flag events as far in advance as possible, sending invites to the Champions at least a month in advance.
- Do the kickoff and start the meetings! We’re rollin’ now!