If this report had existed 10 years ago, it most likely would have helped us move sooner. Not because it says security champions are a good idea, but because it shows us how to get clarity over much of the uncertainty we had.
Ant Davis, founder of Kindred Cyber and co-host of The Awareness Angle
We were stoked when infosec expert Ant Davis agreed to be guest editor for the first edition of our global research into the impact of security champions on risk reduction. The full report features the short version of Ant’s contribution. Here, you’ve got access to the full edit, revealing more about his own personal experience of setting up a security champions programme, and the ways in which security practitioners can extract real value from the findings presented in the 2026 report.
“Would people actually care?”
For a long time, I thought about building a security champions network in my organisation, but always came up with reasons not to.
It’s not because I didn’t like the idea, as I did. Yet, every time I had a conversation with my CISO about starting one, we would come to the same conclusion. We decided that it wasn’t right for our organisation. We would say we weren’t big enough, not mature enough, not dispersed enough or that we didn’t have the time, money or resources to give it what it really needed. We felt that it would take a lot of time to get it off the ground and that the returns it would bring were not clear. Could we spare the time needed to invest in it to make it a success? Once we had one, did we have the capacity to sustain it? If we did sustain it, how would we measure its success? We were already trying to do so much that it always seemed like it was a big strategic effort with no clear success factors.
Privately, I also questioned one thing. Would people actually care? Would they engage with the network and would they actually make a difference to my organisation? Would I end up with some people that fancied a career in cyber or were interested in it, but didn’t actually want to talk about it within their teams? How would I even measure the success of something like this? I had many questions but didn’t really have anywhere to go to get answers.
“The results surprised me”
Eventually, we decided the time had come and we built our champions network. The results surprised me. Not because it worked perfectly, that took some time, but because it didn’t take long for us to see the value. Very quickly, champions were having conversations we were not. They were spotting friction we didn’t know existed. They were making security make sense for people in their business areas in ways that related to actual working conditions and processes. The question I then asked myself was: why did we wait so long? I wish we had done it sooner.
It wasn’t the structure or process that changed. It was trust. Our champions were trusted by their peers in a way that an often faceless security team was not. Champions had empathy; they understood how the work happened and how it was supposed to happen. Security was coming from a position of trust and not from some distant enforcers of often unrealistic policy. Security felt shared and it gave people a sense of responsibility.
“What actually matters”
As I sat there, reading this report, I couldn’t help but think back to the hesitation I had all those years ago. If this report had existed then, it most likely would have helped us move sooner. Not because it says champions are a good idea, but because it shows us how to get clarity over much of the uncertainty we had. This report shows where programmes succeed and where they struggle. It shows what actually matters when it comes to making champions programmes effective. It removes much of the uncertainty that causes organisations to stall.
This report moves the conversation on from champions being a nice-to-have towards champions being a valuable defensive strength. Success isn’t accidental; champions programmes that deliver real impact share common traits, and this report documents that. It shows there is a clear alignment to risk, meaningful support, realistic expectations and, more importantly, measurement that focuses on what matters, not just vanity metrics. Many of the practitioners I speak with will be pleased to see this.
“Better ways to influence behaviour change”
We need a better way to empower our most powerful assets, our people. Many organisations will recognise that there need to be better ways to influence behaviour change. We need to reach people where they are actually making those security-related decisions, and we need to reduce risk without relying on policy, punishment or more training. Champions offer that route, but only if they are given the right support, treated seriously and built with intent.
Far from a one-off snapshot, this research will deepen year after year, tracking how programmes are changing over time and answering questions like:
- How do champion programmes evolve as an organisation matures?
- How are people actually moving the needle on risk?
- Where is investment getting results, and where is it not?
Building a shared evidence base as a collective, grounded in the experience of real people and real programmes, provides organisations with something that they badly need. Confidence. Not just the confidence to start a programme, but to sustain it, improve it and show it provides value as budgets tighten and scrutiny increases.
If you are reading this and you are feeling like I did 10 years back, unsure if a champions network is right for your organisation, or you’re concerned about the work involved and the risks of getting it wrong, let these findings provide you with both reassurance and direction. It’s a trusted, evidence-led path that shows that you don’t have to guess and that you aren’t alone.
Authored by Ant Davis, founder of Kindred Cyber and co-host of The Awareness Angle