Cyber security doesn’t stay still, and neither should your champions. The dynamic nature of cyber security, however, makes quantifying the impact of your champions a real challenge. But without understanding the effectiveness of your champions you can’t monitor progress, identify areas for improvement, or demonstrate the programme’s value to stakeholders.
Measurement was the theme of our recent Layer 8 Champions® Community Meetup, where 32 seasoned security professionals came together, led by Kate Brazier from bp. Kate runs bp’s long-standing and highly successful Cyber Ambassador Network (CAN), and she offered valuable insights into effectively managing and measuring your security champions programme.
We gleaned 11 key insights from these discussions, which we have turned into an Experts Guide to Measuring and Maturing your Champions Programme. You can download it from the hub now.
These insights can be divided into two themes: metrics and storytelling.
The metrics
When measuring the effectiveness of security champions, metrics are pivotal. You can use data and metrics as evidence that what you are doing is working, and how well it is working. You can then use that data to ask for more resources and mature your programme. Metrics will also help you identify which activities or methods work, and which ones don’t – and then make necessary adjustments.
As Kate explains: “Being able to measure and prove what the network is doing is invaluable, especially in this day and age when we are all being pushed for facts and figures. Providing measurable data not only gives the programme credibility, it also gives insights into other things.”
Many organisations use reward systems that provide points for completed activities. For example, bp has created its own Record and Reward app. These points not only motivate champions, but also provide a tangible record of their contributions, which can be showcased during performance reviews.
“We strongly encourage champions to include the fact that they are champions in their annual appraisals,” advises Kate.
However, attendees warned against collecting data for the sake of it. “Take a step back and have a balanced approach. Measure what you really need. Work out what the board wants to know. What are you being asked for? Then work out how you can measure that.”
It’s also easy to fall into the trap of dumping everything at your champions’ door, with the promise of recognition and rewards as an incentive. Don’t forget that your champions’ main role is to raise awareness, not to perform all cyber security tasks.
Storytelling
One approach to raising awareness, discussed in the Meetup, was crowdsourced security. This is where your team of champions is charged with testing assets for vulnerabilities, and then encouraged to share potential security-related incidents. Crowdsourced security is one of the fastest growing trends within the cyber security industry, and is predicted to be worth $135 million by 2024.
As one attendee explained, it can be particularly effective in uncovering threats, such as supply chain attacks, that may not be easily detected by security tools.
“We’re extending the crowdsourcing concept into threat intelligence and hunting, where our team actually does the analysis of what would happen if a vendor’s email account was compromised. So we keep our champions on the front line, where they work in parallel with our security operations team to notify potential victims.”
This type of storytelling is a powerful tool that can complement your metrics. Use cases in which champions have prevented security incidents through their interventions clearly demonstrate the effectiveness of your champions programme. They are also great motivators: not just for the champions, who can see the impact they’re having, but for others, whom such use cases will inspire to join your programme.
“Storytelling is incredibly powerful, particularly if you can really grab the hearts and minds of people,” explains Kate. “In our approach to cyber incidents, we focus on sharing the real narratives of what occurred.”
Survivorship bias
Crowdsourced security is also a good way to avoid survivorship bias, which was another topic raised during the Meetup. Survivorship bias is when you react only to expected risks, which you think you can control, in order to ‘survive’. In cyber security, this means focusing on, and only reacting to, known threats or behaviours. While this approach may work in the short term, purely reacting to expected risks prevents organisations from becoming fully secure.
As one attendee explained, focusing only on users who exhibit risky behaviour ignores the context of that behaviour.
“Survivorship bias is something I encourage all of you to look at. I decided to take a chance, and not just focus on risk. Instead I am focusing on encouraging good behaviour where people have the confidence to make business happen and click on links, knowing that they have the security champions to reach out to.”
Crowdsourced security can help avoid this type of bias, as champions with little cyber security experience will look at a problem from a different perspective. It’s when talented people from different fields are brought together to collaborate that we find new solutions to old problems. This approach is known as the Medici Effect, and it’s this ‘intersection’ of collaboration that is often ignored in cyber security.
So much was learned from this Meetup, which is exactly why we set them up: to think differently and to encourage the Medici Effect! Different minds, from different backgrounds and with different experiences, all come together to create new solutions. By drawing on these insights from industry experts, you can optimise the contributions of your champions and then measure those contributions using the right metrics for your organisation.
If you want to get involved in our next Meetup, head over to our hub now, and sign up!