How Security Champions Can Change Your Culture
Overseeing cybersecurity at a data-focused company is a massive job, with attacks to monitor, updates to deploy, and the challenge of preventing employees from accidentally enabling a breach by clicking on the wrong link. Many companies have deployed safeguards such as two-factor authentication, but a persistent hacker can still get into companies as large as Uber.
Effective security requires broad awareness, especially given the number of remote-only employees hired during the pandemic. Many companies miss the opportunity to change behaviors because they can’t connect with how people do their job. I can walk into a developer meeting and tell them what they should be doing, but I have no idea how the security guidelines would fit into their work. It’s straightforward to conduct an annual company-wide training, but if the information isn’t relevant for everyone at the company, it can miss the point. Plus, learning security information doesn’t necessarily translate into employee actions without frequent reminders and incentives.
A better approach is to create an initial cadre of Security Champions (SCs) that will involve people from across a company, in all different functions, and leverage peer-based education and best practices to highlight the security risks each person is most likely to encounter. These volunteer employees will work with both your security team and their colleagues to learn increasingly complex security issues, and develop their skills so they can share these learnings with the people they interact with every day.
Security Champions vs. ‘The Office of No’
The security role is often described as “The Office of No.” Maybe if you’re in a James Bond movie, that might be fun. But in real life, constantly saying ‘no’ to well-intentioned employees is discouraging. If you enlist your coworkers to help out, it’s much easier for a peer to explain why an action is risky in the context of that coworker’s daily job.
With this in mind, I created an official Security Champions program at Fivetran. We use the ideas of gamification, tipping points, and real-world influencers to improve awareness at all levels and in all our locations around the world. You won’t need an army of SCs, but even one well-educated “security ninja” on each team will help you promote security at scale.
We started by finding allies — those who were already interested in security then created a framework to drive employee change from within. We educated our Champions, then they helped other employees use best practices related to their specific role. Employees are much more likely to listen to their peers than a top-down edict from the C-suite. By giving these new influencers a bit of special attention, a small security team can multiply their impact across the company.
We’ve had amazing success with this program, and have also learned a few things along the way.
- Content is king. You need to meet people where they are, and that means training on relevant topics with real info that audiences can relate to. You may try creating materials internally, but it’s helpful to hire a professional trainer that can reframe security policies into everyday language. Preventing even a single breach is worth the investment, but your SCs are volunteers so you have to engage them.
- Lead your audience along. Don’t jump straight into threat modeling on day one — you’ll lose people. Start with security basics, then create a training plan that focuses on more advanced content going forward. You want the lessons to build on each other in a specific order.
- Split up technical and non-technical tracks. Not every team needs to focus on cross-site scripting vulnerabilities. We’ve created different cohorts based on business roles and tailored content accordingly. Your Chief Revenue Officer doesn’t need to worry about XSS, but their team should be experts on identifying spoofed emails, modified contracts and phishing links.
- Set a schedule, but respect “spare time.” You need regular attendance, but people still have their regular job to do. Once a month is a good cadence. We have one meeting a month for our software-focused champions, and another that focuses on awareness topics such as passwords and phishing. This way each Security Champion only has to spend a few hours monthly.
- Promote ongoing awareness. Your goal should be company-wide awareness, so give your Champions ways to share their commitment. Create stickers and digital icons for SCs to showcase their involvement to other co-workers. You can also use a karate-like belt system to rank and acknowledge your Champions as they progress.
I’m really proud of how my colleagues across my company have latched on to this. We saw 10% of our company sign up initially and participation continues to grow each week. If you only get a handful of volunteer SCs at first, don’t worry — influencer programs take time to grow. Once you have participation, then you can share the knowledge and skills to better detect and discover issues, and eventually train SCs on how to fix and prevent problems.
Before we rolled out our program, we ran into some of the typical security challenges that any multinational company runs into — enforcing universal standards. Employees in different regions often feel isolated and struggle to keep up with corporate policies. But our Security Champions have said we’ve created one of the most inclusive approaches to security that they have seen.
Jenna Olovcic is one of our solution architects on our revenue team in Sydney, Australia, and our first Security Champion black belt. Jenna was already taking security courses outside of her day job and we rewarded her accordingly. She said what she appreciated was “the idea of finding a way to learn about security in our time zone, whilst also sharing our learnings with others with minimal impact on our current workload.” She’s even organized her own group focused on security that meets weekly, something you simply cannot mandate from above. And her colleagues say everyone is thinking about security more because of her achievements.
By making an aspirational role for emerging leaders who want to help their colleagues, I’ve had results I could only dream about. I think this is an important approach for the whole security industry, so I published a step-by-step “how to” guide at SecurityChampionSuccessGuide.org to help you deploy something similar.
As I noted, one phishing failure can cause a breach that will torpedo a company. The best defense is to ensure someone on every team at your company is thinking about security and sharing best practices with their teammates. By taking an in-house influencer approach to learning and supporting strong security across our corporate culture, security professionals can focus on providing guidance and researching trends and threats, confident that their Security Champions have their backs.