Security Champion Book Club Success Guide

In the Security Champion Program Success Guide blog, I invite industry professionals to offer their opinions, thoughts, experiences, and viewpoints about Security Champion programs in order to expand our collective knowledge and encourage healthy conversation.  In this post, Fivetran Black Belt Security Champion Zack Arnold explains the tips and tricks of running a successful book club based on the one he started for the company.  Enjoy! — Dustin Lehr


Many security champion programs encourage members to read books relating to the industry, but selecting a title and dedicating the time to read can be daunting. By having a shared selection, a deadline, and shared accountability in the form of a meeting, a book club can help solve these challenges, as well as improve understanding of the content and develop community within the SC Program through group discussion with others who have a diverse set of skills, roles, backgrounds, and ideas. To assist you in developing your own book club, I have based this guide on my experience creating and running a cyber security book club as part of the Fivetran Security Champion Program for the last six months, with more members joining us at every meeting.

Before Getting Started

You will need to do a few things before launching any book club. As Maxie Reynolds says in “The Art of Attack: Attacker Mindset for Security Professionals” (the first selection in our book club): the first law of the Attacker Mindset Framework is to “begin with the end in mind.”  You must know your objective. While the second and third laws aren’t particularly applicable here, the fourth law of the Attacker Mindset Framework says that everything you do must help achieve that goal. You must ask yourself, what are my goals, and does founding and running a book club help achieve them? 

Once you have genuinely answered those questions and decided to move forward, you need to determine a few more things: 

  • Do I have the time and interest to manage this project? Writing surveys, compiling results, recruiting and motivating members, and leading meetings takes a surprising amount of time. 
  • Who is my audience? Is this for a general audience, highly technical users, or a mix across the company? 
  • How and how often will you meet? Is this a local group, made up of one shift from one office where you can meet at a local pub or an onsite meeting room? Or is it a global group where you must meet virtually and consider time zones and cultural differences? Will you meet monthly after finishing the book or weekly after a certain number of pages or chapters?

Determine these things, write them down, and develop a description. It will help you answer questions from management and potential members. Now it is time to get started!

Gathering Participants

The most crucial element of any book club is its members. Without members, a book club is just a monthly book recommendation. So, how do you get started finding people and growing the group? First, create a group or mailing list that is easy to manage and easy for members to join and leave. If the group allows for a description, include the one you previously created. Then, ask people if they are interested, and if so, add them to the group and share the description while encouraging them to invite others. Promote the group in company chats, electronic signage, and appropriate meetings, or cross-promote with relevant teams and ERGs. If you have a gamified security champion program, try to get membership in your book club and meeting attendance added as point-earning activities. Continue providing updates and summaries to non-members, reserving most communications as “members-only” while making it easy to invite people or share content internally. In the Fivetran Security Champion Book Club, we announce the book nominations, book selection votes, the winning book, meeting recordings, and the date and time of the meeting everywhere we can. We limit live participation to members, but people can easily join or leave the group without any involvement from the moderators.

Selecting a Book

Our book nomination process is pretty simple: we have a form that allows anyone with a company email to submit the title, author, and, optionally, ISBN for up to three books at a time. The form always remains open, with a static link in the group description & any documentation, and it is promoted in group emails, posts, and replies. For example, if someone mentions a cybersecurity book that isn’t on the list somewhere during a chat or other communication, you should reply with a link to nominate the book and join the book club.  

Selecting a book each month requires more work, but it is still relatively easy. If you have the resources, or your company already has a subscription, several tools allow you to create a ranked-choice poll. You can use Google Forms by following this tutorial if no ranked-choice voting tool is available. List every nominated book and the available formats, including a description link. Voters select a first, second, and third choice. After voting closes, you should tally the results: First choice votes are worth 3 points, second 2, and third 1. The title with the greatest point value is that month’s selection. In the event of a tie, hold a second round of voting, including only the top performers. 

Once a title is selected, it should be announced first to the group/mailing list. The announcement should include a longer description, an author’s bio, links to where the book can be borrowed or purchased, and available formats. Tip: Members LOVE audiobooks. By selecting titles with audio versions, you can drastically increase the number of people who finish the book. You can also include links to podcasts, videos, and articles about the book and author. During peak employee online time, post in the security champion group chat and any other appropriate internal channels: share the selected title, a link to either the publisher’s page or a bookstore where people can find out more about the book, and an invite to join the group. Continue to promote the book within the mailing list and company-wide until voting opens for the following selection. Articles, interviews, videos, and podcasts are great for this. You may even want to ask the author and publisher about speaking to the book club or the broader security champion program. Either may also have resources such as pre-made book club guides.

Motivating Your Members During Reading Time

Once the reading cycle starts, it is the host’s responsibility to help keep the members motivated, assist them in getting the most out of the book, and prepare them for the book club meeting. We initially read one title a month, but switching to a two-month cycle allowed more people to complete the reading.  Reach out at least once a week with updates, relevant content, and offers for help. Send them some prompts and a link to an extensive list of questions to consider while reading. I’ve provided an example list in the resources section below. Your first message of the month should tell them what to expect at the meeting and include a description or link to the Pre-Meeting Survey (described next). 

Before the Meeting

This is where crafting, promoting, and getting responses to a Pre-Meeting Survey becomes vital. Gathering responses encourages meeting participants to take ownership of content, feel heard, and provide diverse views, and it allows the host to focus on guiding the meeting rather than presenting an hour-long lecture. This survey should provide fields where participants can review the book and provide up to three prompts/questions they thought about while reading, including their responses. For each field, instruct respondents to note if they want to present their response during the meeting, if they want to be credited but not to present themselves, or if it is an anonymous response. You should send this out early and provide several reminders as people finish reading at different times of the month, as the best replies come while the content is fresh in mind. See the “Pre-Meeting Survey” and sample questions provided in the Resources section below. Tip: Include a link to a list of sample questions as prompts in the Pre-Meeting Survey description.

Try to schedule the meeting as near the end of the month as possible, carefully considering the timezone and calendars of everyone involved. Remember to send the invitation out early in the month, including a copy of the agenda, the survey, and meeting rules. A good invitation helps set expectations and encourages participation.

You should also create a private version of the agenda for yourself as the host. The Host Agenda should include the full text of everything that will be read aloud at the meeting and who should read it. You should include the icebreaker question, the author’s bio, a book summary, some fun facts about the book or author, and the pre-selected reviews, questions, and answers. Having a second version prevents any spoilers for participants and means you don’t have to search for the right browser tab or hard-copy note. 

At the Meeting

If you have prepared well, the meeting will mostly run itself. As with any good meeting, resolve all technical and personal needs beforehand. Remember to have water nearby and a good internet connection, and close all other distracting apps and tabs so you can dedicate yourself to the meeting. As the host, you should arrive early and encourage open conversation until the scheduled start time. Ensure you start no later than 2 minutes after the scheduled start time, and inform everyone you will be recording the meeting. As the meeting progresses, follow the agenda, and finish on time or early.

As host and guide, you want everyone to feel welcome, safe, and involved. Ask open-ended questions, reach out to quiet attendees, clarify questions, and encourage people to expand on overly-short answers. Follow up with additional questions, and if there is a lull in the conversation, pull up some of your favorite prompts not addressed in the survey responses. Finally, remember to relax and have fun. 

After the Meeting

Like any dinner party, the host should remain gracious and grateful afterward. Send a message to all book club members thanking them for any participation. Provide them a link to the meeting recording, and encourage them to share it. Take the opportunity to get them excited about the next round, promoting the next book and reminding them that title nominations remain open.

Creating and running a security champion, cybersecurity, or any kind of book club may seem daunting initially, but if I can, so can you. Using the process outlined in this post and the resources below, you should have all the tools you need to be successful!


Resources

Security Champion Timeline 

Realistically, expect your first meeting to be about three months from when you decide to start the book club. Each successive round will be a 3-month cycle, where you start reading one book while voting on the next. Your meeting will hopefully be the last Thursday or Friday of the month, and you can start reading the following Monday. 

2 Months Out

  • Create a Group/Mailing List
  • Create the Nomination Form

6 Weeks Out

  • Open responses to the Nomination Form
  • Start inviting people to the group
  • Create the Voting Poll, and add nominations as they come in 

1 Month Out

  • Stop adding to the Voting Poll
  • Open and promote the vote

3 Weeks Out

  • Remind people to vote.

2 Weeks Out

  • Monday – Announce vote will close Wednesday AM.
  • Wednesday Morning – Close & tally votes.
    • If a tie exists, open and announce a run-off to end COB Thursday.
  • Friday Morning – Announce the selection, and send the invite to the meeting.
  • Remind them that book nominations are open. 

1 Week Out

  • Promote the selection outside the group.
  • Send an email to the group with a podcast, article, interview, or video related to the book or author.

Start Week

  • Welcome everyone, and remind them to start reading. Send the Pre-Meeting Survey & link to sample questions. 
  • Continue to promote the group/selection externally, assuring people they have time to participate.

2 Weeks In

  • Check in with participants and ask if they have questions. Send a few prompts. 

4 Weeks In

  • Remind participants that the reading cycle is halfway through, and remind them to complete the Pre-Meeting Survey as they finish the book or to check out and think about the prompts as they continue reading. 
  • Schedule the meeting and send the invite to all book club members. 
  • Promote the book and book club to non-participants, letting them know they still have time to join and read along. 
  • Remind everyone that book nominations are open. 

5 Weeks In

  • Open voting for the following book selection – inform members and non-members. 

7 Weeks In

  • Monday – Announce vote will close Wednesday AM.
  • Wednesday Morning – Close & tally votes.
    • If a tie exists, open and announce a run-off to end COB Thursday.
  • Friday Morning – Announce the selection. Remind everyone that book nominations are open and that the meeting is next week. 

Meeting Week 

  • Remind participants to complete the Pre-Meeting Survey by email, chat, DM, and any other method necessary throughout the week. Also, remind them of the date and time of the meeting.
  • Promote the NEXT selection outside the group.
  • Send an email to the group with a podcast, article, interview, or video related to the book or author.
  • After the meeting – send the thank you email with a link to the recording. Remind everyone to start the new book next week.
  • Process the survey results and make changes as required.
  • Use the meeting recording to promote the NEXT book and meeting.

Pre-Meeting Survey

Use this survey monthly to gather participants’ reviews, comments, thoughts, and prompts to create the content for the meeting discussion.

Title

(BOOK TITLE) – Reviews, Questions, and Thoughts

Description

Please list what question you are answering, followed by your answer. Answers are anonymous by default, but if you want credit or to present them during the meeting, please identify yourself and your wishes for EACH answer. LINK TO PROMPTS & SAMPLE QUESTIONS.

Questions

  1. Please provide your Review & If you want to be credited or to present – your name. 
  2. Question & Answer #1 – If you want to be credited or to present – your name. 
  3. Question & Answer #2 – If you want to be credited or to present – your name.
  4. Question & Answer #3 – If you want to be credited or to present – your name.
  5. Anything Else?  If you want to be credited or to present – your name.

Sample Agenda

Examples in italics

Introductions & Icebreaker

The host should have each attendee provide their name and title, if relevant, and answer a question unrelated to the book or author.

What is the best or worst cybersecurity book – fiction or non-fiction – you have ever read?

Author’s Bio

The host, or a pre-determined volunteer, should read a brief biography of the author and two interesting facts about the author. They can find one from the book, the author’s or publisher’s website, or elsewhere, but they must remember to fact-check where possible. ~2 minutes

According to *SOURCE WEBSITE*:  “AUTHOR NAME started her career…”

2 Fun Facts about the author – She trained as a stuntwoman. She appeared in *POPULAR FILM OR TELEVISION SHOW* & worked as a children’s television presenter on the *POPULAR PUBLIC TELEVISION NETWORK*. 

Summary 

The host, or a pre-determined volunteer, should read a summary of the book’s content and themes. The host or speaker can either use one found online or on the dust jacket, or write one themselves. TIP: Large language model AIs like ChatGPT and Google’s Bard write excellent summaries. ~2 minutes

According to *SOURCE WEBSITE*: “Description on the book…”

Reviews by Book Club Members

The host, or the person who wrote the review and requested to both be acknowledged and speak, should read pre-selected positive and critical reviews of the book pulled from the survey responses. The host should ask for clarification, feedback, or responses from attendees. ~10 minutes

Submitted Questions, Answers, & Discussion

This should be the bulk of the meeting and provide the most participation. The host should pre-select a few questions to read and discuss from the survey responses. Prioritize questions where the submitter attends the meeting and has asked to share their response. Follow up with good questions/answers from people who want acknowledgment but don’t want to “present” and are attending, etc, until you get to anonymous submissions. If you need additional questions, have a few favorites NOT answered in survey responses ready to go.  ~30 minutes

Announcements and Feedback

Make any announcements, remind attendees of next month’s book selection, and request instant feedback on the format and schedule of the meeting.


Questions & Prompts

About the book

  • Before reading this title, what did you know about the subject?
  • Did you learn something new? If yes, what? If not, why do you think that is so? 
  • Do you believe the book has lessons people can apply outside of cybersecurity? 
  • What was surprising about the facts contained in this book?
  • Was there a section of the book that impacted you? Was it good or bad? Share parts of that section and its impact.
  • Did how the author wrote the book affect your enjoyment or ability to understand the subject? Give examples.
  • Were the terms and concepts explained well? Give examples.
  • Was the language the author used appropriate? Give examples.
  • Did your opinions on the subject change due to the information contained in this book? Has your interest in the subject matter increased? How so?
  • What other books or authors would you recommend on this subject?
  • Do you have any favorite quotes from the book?
  • Was the book too short, too long, or just right? 
  • Did the form in which you consumed the book (paper, ebook, audiobook) affect its impact on you? If so, how?
  • What parts of the book were confusing, unclear, or underexplained?
  • What emotions did this book make you feel? 
  • What was your favorite part of the book? 
  • What was your least favorite part of the book? 
  • To whom would you recommend this book? 
  • Did your opinion of the book change or stay the same as you read it? If so, how?
  • What questions did this book inspire in you after consuming it?
  • How did this book compare to other books in this genre? 
  • Was the book similar or different from what you usually read?
  • Did the book change your opinions or way of thinking at all? 
  • What will you remember most about this book in a few months?
  • Did reading the book affect anything in your own life?
  • Did the book ever frustrate you or make you mad? Why?
  • Will the book be worth a re-read someday?
  • If the book was outside your usual reading wheelhouse, has it inspired you to read more books in this vein?
  • Will you be recommending this book to others? If yes, what’s your elevator pitch in one sentence?
  • If the book contained tools, worksheets, or further reading, have you used or will you follow up and use them?
  • What was your key takeaway?
  • Will this book help you solve a problem?
  • Was the book well-researched?
  • Has the book inspired you to make a change? If so, what and how?
  • Have you shared, or do you intend to share, lessons learned in this book with others?
  • Why were you interested in this topic? And did the book answer your questions?
  • How can you apply the lessons of this book at work?

About the Author 

  • What did you already know about the author? 
  • How does this book compare to other books or works of this author with which you are familiar? 
  • Did you learn anything new about the author? 
  • What would you ask the author of this book if given the opportunity?
  • Will you seek out other books by this author?
  • How might the author’s culture, demographics, and lived experience impact their perspective? 

Zack Arnold


Want to share your own viewpoint or case study about security champions to post on this site? Contact me on LinkedIn and let’s chat! — Dustin Lehr