Security Awareness Blog

Creating a Security Champions Network

Editor's Note: This is a guest Blog Post from John Haren, Information Security Governance Specialist at Diageo with special responsibility for the Information Management & Security Awareness program globally. Below John describes how he has put together a Champions Network (often called an Ambassador Program) for his organization. We are seeing this approach to awareness growing and asked John to share his story.

Do you work in a global organisation? Have you ever wanted to set up a network of security champions to help you get those key messages to employees in every part of the world?

I set up a Security Champions' group in 2013 at Diageo. I started with 4 people, one for each region. While this was a good start, I quickly realised this needed to be expanded down to market level in order to be effective. I started with a top-down approach, where I approached the CTO for support and subsequently the regional IT managers before approaching the line managers of the potential champions. This approach and the subsequent support I received made the conversations with potential champions much easier. Simple supporting documentation such as the "Champions' Charter" and "Champions' Role Profile" helps everybody understand what it's all about. I sold the role to the potential champions as a value-add in terms of how they support their business locally and how they support their colleagues in the IT teams, but also as a development opportunity for their career. We now have about 45 champions across the globe. We have one monthly meeting with each region where we outline:

(a) What is happening this month as part of the annual Awareness program
(b) What we would like them to do to support dissemination of the messages in their local market/function
(c) Feedback from their market/function on what has worked well and where the gaps are (this is the key feedback loop which provides the biggest value to us as it gives us a picture of where a security intervention is required in a market)
(d) What additional material they might need to support local roll out of key messages

There are pockets of very engaged champions and then there are areas of challenge. We train the champions to raise initial capability and then support their continued understanding of security and of the value to their local business. I am currently trying to raise the standards across the globe by ensuring that the role (which is voluntary) is part of their annual personal goals and/or development plans. This will inevitably take time to implement with such a large group but it is time well spent as clear accountability helps to consistently improve the overall security posture of the organization.

We also engage with the regional IT managers on a quarterly basis (i.e. the ones we approached about the idea in the first place). This way there is continued support for the initiative and they understand the issues & risks and what their people are doing to help protect their markets. This approach has proven very effective to date as we get our messages out there in a format which the champions deem appropriate for their market, both from a content and a cultural perspective (don't underestimate the importance of this!) and we get that all important feedback on where the gaps in understanding are so we can do something about it.

Lessons Learned

  • Engage with senior management to get support for the champions program. Articulate the program as a 'win-win' for the champions and their line managers.
  • Ensure they see a benefit for them so it helps the program self-sustain.
  • Try to build the champions program into annual targets or development plans to ensure some "skin in the game".
  • Use the feedback from the champions to continuously improve the program.
  • Keep up the dialog through regular meetings and clarity of purpose. This is all about empowering the champions with the knowledge to understand security risk and having them talk to business people with authority about how to best protect their information. This can only happen through ongoing dialog and continuous program improvement.

BIO: John Haren is Information Security Governance Specialist at Diageo with special responsibility for the Information Management & Security Awareness program globally.