Early in August I shared my story of developing a Security Champions programme that went viral, at SANS (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1565204404.pdf). Following that talk many discussions started like this… ‘thanks, that’s exactly what I need to do, but I struggle to get support to start my Security Champions programme’.
If you’re reading this, you probably already know that having a proactive, engaged network of Security Champions is awesome. That’s because they:
- provide 2-way communications into business functions.
- create change to process and behaviours at the grassroots.
- can measure actual changes in behaviour.
But how to convince others?
Three tried and tested techniques to kick off Security Champions
The approach you choose will depend on your business, your stakeholders, and your own personality. Here are three (non-traditional) techniques that have worked for us:
Do you have to tell the boss? It doesn’t cost anything to have conversations with a few people and build up a group of like-minded individuals.
Here’s how you can start:
- Focus – Write down what you want to change. Think about what the future will look like if it happens.
- Create some questions – what questions can you ask to get people talking about your topic of focus? The best questions are ones that invite people to tell a story.
- Create a vision – that incorporates what you’ve heard when you ask people to share their stories.
- Buy coffee or lunch – invite a small group of people who are inspired by your vision to an informal chat about how they can make a difference in their area of the business.
It worked for him. This is exactly what one of our clients did. He knew if he asked for a Security Champions programme it would be over-analysed. So, he went and spoke to people. It didn’t take long before he had a small group who were making a difference. All he did was buy them pizza once a week. After a few months he got some tangible results. So he asked his CISO for a small budget to hold meetings more formally and train the initial group to recruit others. The senior leadership team only became aware of the programme when there were 150 Champions, and the outcomes spoke for themselves. Now the programme is formally supported and boasts 600 Champions!
2. SOMEONE ELSE’S IDEA
At this organisation the COO put her hand up and said, ‘I think we need Security Champions, and I’ll be your first one’.
How did we get there? We were running an interactive cyber-workshop with the Senior Leadership Team when we got into a debate about what people could do to protect the business. They had proxy-card access. But the culture was not to display ID cards and to hold the door open for anyone (it was a shared building too)!
The COO was conflicted: she wanted the business to be secure, but not at the cost of the culture! With some facilitation she concluded the desired behaviour should be, ‘I won’t expect people to hold the door open for me’. She knew that as a leader her actions were influential, and therefore made the decision to become the first Champion and influence a secure business that retained its culture.
Here’s how you can start:
- Interaction – If you get the opportunity to do cyber-training for your leadership team PLEASE DON’T sit them in front of a slide deck!
- Instead – show them how cyber-criminals can exploit businesses. Get them to think about the most important assets they hold. Then ask them to become a cyber-criminal, i.e. how would you get to those assets now you know the tricks of the trade? Immediately participants start to see the flaws in their own behaviours and business processes and start identifying protective measures for themselves.
3. WRITE A PROVOCATION
You have 5 minutes to pitch Security Champions to the board. What do you say?
Here’s one we prepared for a pharma client…
If you’d like to create your own version you can download a guide here… then select ‘Creating Your Own Security Champions Pitch’.
“The speed of technical development means our customers expect services to be delivered digitally. Our growth is now directly linked to our digital transformation capability. However legacy systems and processes make innovation slow. Our challenge to transform is not just a financial one, but the requirement to adapt processes and culture, enabling technology and people to work seamlessly whilst continuing to deliver excellence in customer experience.
The main setback we face is the introduction of technology through partnership, acquisition and internal development. This increases opportunities for unauthorised outsiders to access our systems and data. We are at risk from an employee making an avoidable mistake when designing, using or understanding this new technology. This could result in our inability to trade, system shut-down, fines and loss of reputation/revenue.
Currently we have policies and process guides to instruct people on secure use of new technology. However, there is no proactive method of developing skills and facilitating the modification of existing processes. This means that people know what to do and why but struggle with implementation. This will only get worse as the speed of digital transformation increases.
Creating digital security champions will provide people at the grassroots who can develop new skills across our workforce and facilitate process changes. This will ensure secure use and integration of new technology and will accelerate the speed and success of digital transformation in our business.”
Now we’d like to hear from you… what challenges do you face with Security Champions, and what would you like us to cover next?