Security Champions is a concept that is gaining more and more traction. The function might go under another name, such as Security Masters, but the concept is the same. In this post I will dig into what this role contains and how it can be applied to improve the security posture of an organisation. My experience with Security Champions is in Research and Development organisations, so my views are anchored in RnD. However, I see no reason why Security Champions could not be applied in other kinds of organisations as well.

An image of a woman in a stream of data

What are Security Champions?

Security Champions are individuals throughout the organisation who take extra responsibility for security. Exactly how many there are varies, from one per dev team to one per product or office location. The goal is to have a local contact who ensures that security is on the agenda.

This does not mean that the Security Champion is doing everything about security in their part of the organisation. The clue is in the name: a Security Champion should champion security, keeping tabs on what is going on, asking questions and acting as a natural communication channel between the organisation and the security department. This communication should be two-way, both from the security specialists to the organisation (e.g. we have a new tool you can use) and back (e.g. we are implementing this and could use help assessing the risk).

An image of a pair of hands pulling on a rope

Why use Security Champions?

Security Champions are a great way to broaden the security team. Getting the security team to reach the whole organisation is a big challenge, but by using Security Champions as intermediaries one can gain a lot. In addition to advocating for security throughout the organisation, they have a better understanding of their business area, and therefore they are also better equipped to find the risks. The main goal is not to take the Security Champions away from their original tasks, but rather to give them the tools to continue doing those tasks while ensuring that they and their colleagues keep security and risk in mind.

In the end, Security Champions allow the dedicated security team to effortlessly spread information to, and collect information from, the whole organisation.

How to Implement Security Champions Efficiently?

A Security Champion program cannot be implemented successfully overnight. It takes dedication and time. From experience, I would recommend the following steps to build a successful Security Champion program:

  1. Build interest in security
  2. Educate the Security Champions
  3. Give the freedom to make an impact
  4. Exchange information between Security Champions and the security team
  5. Motivate through networking between Security Champions in different parts of the organisation

Let us dig a bit deeper into each of these steps. First we have to find our Security Champions. A good Security Champion needs to have a genuine interest in security. Such interest is not that common to begin with, but it can be nurtured. For example, if you have security awareness training, this is a great occasion to motivate and build interest in security. In addition, you can find the individuals who are interested and recruit them as Security Champions.

With our Security Champions found, it is time to ensure that they feel important. Otherwise, the risk of them losing interest will rise. Being a Security Champion cannot only be a hassle; it must give something back as well. That might be the possibility to learn more things over time. My recommendation is to arrange an initial Security Champion Training in areas relevant to your organisation, and then continuously (e.g. yearly) arrange something new and interesting, such as inviting a guest lecturer or holding an internal conference.

During their time as Security Champions, everyone needs to be able to make an impact. They need the freedom to drive security forward in their area. As with everything, this is done by giving responsibility as well as the mandate to make decisions. In addition, they need to be given the time to make a difference. Once more, being a Security Champion should not be a hassle.

Lastly, I recommend creating a network of Security Champions throughout the organisation. This network should meet regularly to exchange learnings, as well as to discuss news that has an impact on the organisation. This is also a great time to align the security work, ensuring that the Security Champions and the Security Team are working together towards a common goal.

An image of a group of people celebrating their achievement

Conclusion

Security Champions are a great way to extend the security team's reach throughout the organisation. By educating and networking we build a set of individuals who can work together to champion security and keep it on the agenda everywhere. In addition, the Security Champions improve the flow of security information throughout the organisation, increasing the visibility of the security team and making it more likely that important questions reach them.

Overall, the goal of Security Champions is communication and alignment: ensuring that the organisation is aware of risks and actively works towards being more secure.

Photos

Photos from Unsplash

  1. Photo by mahdis mousavi on Unsplash
  2. Photo by Stijn Swinnen on Unsplash
  3. Photo by Samrat Khadka on Unsplash