Here’s why your organization needs a security champions program

June 11, 2021

First and foremost, security is about protecting value. In today’s modern world, a lot of the things that we value are shifting from the physical realm to the digital realm. That is why cybersecurity is so important. But security practitioners need a better model for talent and knowledge distribution. They require standardized, automated workflows that can take the friction out of working cross-functionally between security and engineering teams to identify and fix cybersecurity issues in a way that scales.

So, what can organizations do to ensure cybersecurity is at the heart of what they do, regardless of the department or team? Consider implementing a security champions program to deliver critical business value and distribute cybersecurity knowledge seamlessly. Outlined below, you will find a deep dive on what a security champions program is, tips for developing one, and the benefits of doing so.

What is a Security Champions Program?

Most organizations tend not to have enough cybersecurity resources, regardless of company size. That said, there is a big untapped opportunity for innovation when it comes to people and processes. That’s where security champions programs come into play.

A security champions program enlists security-minded employees of all different disciplines from across a company for cybersecurity training and guidance. Once trained, these security champions become the voice for security within their various teams to drive crucial cybersecurity business outcomes throughout a business.

Security champions programs offer employees from a variety of backgrounds the tools and knowledge they need to serve as security watchdogs, identifying instances for improving cybersecurity processes and procedures within new and existing initiatives in their organizations.

What are the Benefits of a Security Champions Program?

Protecting the world’s digital value is not something that is just the job of security professionals, or just the job of developers. Cybersecurity is an outcome of the behaviors, interactions, decisions, and actions of many different people. Everyone is all in this together.

The benefits of a security champions program are boundless. Once trained, security champions can spot and address cybersecurity vulnerabilities before they become widespread and problematic. In doing so, they can save organizations significant time and money in the process.

By identifying these security advocates from across an organization and training them up, security leaders can break down knowledge silos by educating their colleagues on topics such as how AWS misconfigurations can lead to breaches and incident reporting. Through communication, everyone can better understand one another’s workflows, priorities, and problems, and exchange insights on what they can do to collectively solve them.

Security champions programs make cybersecurity more accessible, fostering a safe space in which questions can be asked, lessons can be learned, and security is brought to the forefront.

What Makes for a Good Security Champion?

Security champions are an organization's unsung superheroes. They have an insatiable appetite to learn about the cybersecurity landscape and possess a true desire to drive positive change in their organizations. The most effective security champions are ready to roll up their sleeves and dive right into the cybersecurity world.

While senior-level professionals make great cybersecurity champions, it’s important that junior- to mid-level employees are also encouraged to join these programs. From my experience, those just starting out make for great champions also, as they encourage incumbents to think differently. And by teaching newbies, seasoned leaders may discover new insights themselves.

What are the Top Tips for Creating a Security Champions Program?

So you have decided you want to institute a security champions program. Now what?

First and foremost, it is important to ensure you and your security team, regardless of size, keep the following in mind:

Foster a culture of excitement: Prospective security champions want to know they are a part of something meaningful. Foster a positive, purpose-driven environment in which all opinions are valued.
Be inclusive: Look for champions across all functions of an organization. Anyone can help bring awareness to and champion cybersecurity ideas and initiatives. It matters little what their experience is or how technical they are. That said, it is important to seek out experienced individuals to participate. They often lead the way when it comes to implementation and improvement suggestions.
Set specific and attainable goals for your champions: The role of a cybersecurity champion is to help enhance awareness for and acceptance of security functions, policies, and procedures within an organization. The role is not to create said policies and procedures. Don't expect them to do the heavy lifting!
Make it fun: Plan for team building events like capture-the-flag competitions and hackathons and other lighthearted activities to keep champions engaged and motivated.

Cybersecurity has many different facets, and it can seem complicated, but it’s not impossibly complex. With the right training and support, security champions can serve as invaluable advocates for security for any given product or team.

Jay Paz is Cobalt’s Director of Pentest Operations and Research. He has more than 12 years of experience in information security and 20 years of information technology experience including system analysis, design and implementation for enterprise level solutions. At Cobalt, he lays the groundwork for innovation and scale as he oversees operations and day-to-day management for Cobalt’s pentester community.

Microsoft’s Edna Conway, Chief Security and Risk Officer of Azure, will lead this session and provide a real-world, tangible approach to address security and resilience to support you in your journey to operational resilience.

Protecting employees from potential exposure could be a daunting task, but with the right property technology, your office space can become an interactive and responsive asset that helps you ensure new health protocol compliance.