The role of ‘security champions’ – ordinary employees within an organization tasked with improving the cybersecurity knowledge and awareness of their colleagues – is now viewed as a critical part of a modern, mature cybersecurity strategy. With Verizon’s 2024 Data Breach Investigations Report (DBIR) finding that 68% of all breaches involved human error, improving security awareness across the business can substantially reduce the chances of damaging incidents occurring.

Jessica Barker, co-CEO at Cygenta, told Infosecurity: “Security champions are a great way of scaling up the security awareness and behavior program of an organization. They can help to promote a positive and healthy security culture and, in turn, can be an invaluable way of listening to different teams and parts of the business.”

The theory may be sound, but ensuring security champions programs have the desired impact requires significant planning and preparation. Barker said: “When a security champion program fails, it is often down to poor planning at the outset.”

During October’s Cybersecurity Awareness Month campaign, Infosecurity investigated the role security champions can play in creating a strong cybersecurity culture and how to ensure these programs work effectively – both from the perspective of the organization and of the champions themselves.

How Security Champions Can Impact Cybersecurity Culture

Security champions are uniquely placed to have a positive impact on an organization’s cybersecurity culture.

Cara Annett, Security Awareness and Culture Director at global events business RX, Infosecurity Magazine’s parent company, highlighted the necessity of having security champions throughout a global and diverse organization, where less than half of employees’ first language is English.

She told Infosecurity that the security champions’ feedback is critical for translating security messages into a localized context. This includes highlighting where there are blockers to enabling secure behaviors or where guidance might be lacking.

For example, some RX phishing simulations used to reference Valentine’s Day lures. However, this did not make sense for employees in countries like Brazil and China, where Valentine’s Day is not celebrated. Local security champions were quick to point this out, enabling the business to amend the training for different regions.

“Having their input with timing, messaging and how things are going to resonate with their teammates is critical. You can be so tone deaf without that,” Annett acknowledged.

Security champions can also directly impact colleagues’ behaviors, often by providing simple insights and lessons. Marina Wanner, Procurement Manager for the LATAM region at RX, and a security champion at the business, said that employees in Brazil previously scored poorly compared to other regions in reporting phishing emails. She learned through discussion with colleagues that many were unaware of how to report potential phishing emails, so providing simple lessons on where to locate the ‘Report Phishing’ button and who to contact in the security team when issues occur has led to a fast improvement in this area.
Annett believes RX’s Security Champions program has had a significant impact on the company’s cybersecurity culture, with a notable increase in awareness in areas like how to use password managers, reporting phishing emails and using strong passwords. “Having people who aren’t from the security team that contribute to recommending more secure practices makes a big difference to the culture,” noted Annett.

Building an Effective Security Champions Program

Establishing an effective security champions program requires significant time, planning and resources. Barker said it is important such an initiative is not rushed through, with some organizations she has worked with wanting to set up a program within a month.

“An organization has to be ready for a champions program. Most importantly, there needs to be resource and commitment in place to sustain a network once it has been set up,” she explained.

There are a number of steps organizations must take in setting up and maintaining an effective security champions program.

Recruitment

Barker noted that the recruitment of security champions is often easier than organizations originally anticipate. “There are lots of places to find keen people who are interested in security, for example those who are first to complete the security training or report suspected phishes,” she said.

Barker emphasized that technical skills are not a necessity for security champions, with soft skills like empathy and good communication particularly important for ensuring messages resonate with teammates. “Security champions should be guides, not guards. These networks are not there to police their colleagues, but rather to help support and enable them,” she noted.