The Unwritten Rulebook on how to build better champions programmes – from those that really know image

The Unwritten Rulebook on how to build better champions programmes – from those that really know

In the face of escalating cyber security threats, it is alarming to witness the persistent idea that cyber security rests solely with chief information security officers (CISOs). 

Cyber security is a problem that affects the entire company. However, creating a culture where everyone takes responsibility for creating cyber secure behaviours remains one of the biggest challenges of our industry.

This was one of the key takeaways from our new whitepaper on building effective security champions programmes. The paper is based on the views of 32 industry experts, who attended a series of workshops to discuss their real experiences, real challenges and real solutions when establishing and maintaining a champions programme. Together, we learned valuable insights into how to create and encourage secure behaviours in the workplace. Then we put it all in our Unwritten Rulebook.

Why unwritten? Because it’s based on conversations which often happen behind closed doors. If they happen at all. It’s an honest, open dialogue about what works and what doesn’t when building a champions programme. 

Security Champions: the unwritten rulebook is on our Layer 8 Champions® hub, where you can download it now.

Here’s what we found:

58 percent of people showed up in search of ideas and eager to share experiences

Attendees were at different stages of their champions programme: some were just about to start, while other programmes had been established for five plus years, with around 800 champions around the globe. But whatever their experience, the one thing they all had in common was a commitment to make their champions programme a success. 

“I’m here to get ideas, to see where the opportunities are, and what the challenges are”

75% of CISOs feel unsupported by those from above

Senior executive sponsorship is crucial for a successful champions programme. So how do you get the board on board? Ideas from our candidates include leveraging relationships within the organisation and using language that resonates with leadership.

“If you have senior management buy-in and they want to make it happen, then it’s going to happen”

53 percent of attendees revealed their primary challenge is recruiting volunteers to become security champions

Unsurprisingly, this was one of the key topics of our workshops. Tried and tested methods from our industry experts include, word of mouth recommendations from existing champions, which generates trust and interest, and involving champions from the very start, to ensure alignment and engagement. 

“When you get champions talking about why they are champions, and what they’re learning, and what it’s doing for them it creates its own bubbling energy.”

49% agreed lack of management buy-in is detrimental to success

Unsurprisingly, one of the biggest issues around management buy-in is justifying the cost. How can you resolve this? The message from our workshops was simple: show them the value your champions programme is going to bring. 

“All you are asking for is a few hours per month from your champions. When you compare those hours of time to the risk and threat that they’re facing, it’s worth it.”

68% of organisations acknowledged how difficult it is to achieve change at a cultural level

Creating a culture of cyber security is a tough call. But it is possible, as our workshops proved. By fostering collaboration, knowledge sharing and communication, organisations can promote secure behaviours throughout the company.

“Effective leadership can foster team camaraderie and create a supportive environment for these initiatives.” 

The key takeaway from these workshops? Creating an effective champions programme depends on three key things:


Promoting a culture of collaboration, enhances awareness and encourages the adoption of secure behaviours, enabling organisations to effectively combat cyber security threats and protect their valuable assets.


Upskilling the security team in behaviour change and communication, enhances awareness and promotes secure behaviours through knowledge sharing.


Overcoming challenges IS possible with effective communication, clear expectations, and recognition of your champions’ contributions. 

Want to find out more about the unwritten rules of building an effective champions programme? 

Want to learn how to collaborate, educate and communicate?

Go to the Hub now to download Security Champions: The Unwritten Rulebook and discover industry secrets and expert insights.

News & Views

Take a look at some of our other posts