
Blogs & Opinions 29.05.2025
CISO “How to” Without the Bull: Security Champions
How a network of security champions can be a force multiplier
We’re hearing a lot about de-centralised or federated security these days. It’s all about expanding the security team at minimal cost. By connecting with others in the organisation, elements of security can be delegated, meaning more can be done. It also creates a great communication network for issues into the security team (e.g. friction or risk) or key messages out (e.g. incidents or changes).
Where the security team is small and/or the organisation is vast and geographically dispersed, de-centralised/federated models can really work. I have previously built security networks of people, which we called “champions”: once for the broader business, under the name “Advisors in Business Cyber”, and once for AppSec.
“We all like to be recognised for the position we have, skills we hold and efforts we put in.” Nick Harris
Done well, this kind of network can implement code testing into pipelines and even upskill developer colleagues. It can provide insights to the security team about how tooling adds friction or helps users’ roles. It even offers a ready-made beta testing group for changes and creates a fantastic communication channel to spread the word of security around the business.
So what needs to be considered if we want to build this kind of network? I think there are three key aspects to get right:
This is the most important element. Recruiting nominated or “voluntold” people isn’t sustainable, as you need individuals who want to be there. Willing, passionate people will be more engaged and stronger proponents of the programme. This does mean you will have fewer people than you would have liked at the beginning, and they may be clustered in only some business units. This is ok. As word spreads, you’ll gradually swell your numbers.
To garner interest, I ran annual campaigns to recruit champions in cohorts. I included information in my monthly newsletter, carried out cyber-awareness month webinars with some publicity, ran posts on the company internal comms site, and even had a stand at the company annual conference. In all cases, there was an easy sign-up sheet with information about what a champion is, including what a weekly commitment would look like. I aimed for 1-2 hours, as this should be acceptable for new recruits’ line managers.
“Willing, passionate people will be more engaged and stronger proponents of the programme.” Nick Harris
I spoke to every applicant individually to understand their level of interest, both in cyber as a whole and in any niche they’re particularly drawn to. I also used this time to check they’d spoken to their line manager. Once you have your new cohort pencilled in, arrange calls with all the line managers to explain why this network is important and what it means to the individual (e.g. value to their team, continuous professional development, etc.). It’s also important to explain what the time commitment is, as the line manager is obviously going to care about this. In fact, getting line manager commitment is nearly as important as buy-in from your new champions.
This process will highlight the potential you have to work with. I found employees doing cybersecurity degrees and masters programmes, people interested in doing risk and supply chain risk reviews as part of their own programme delivery, and employees already strongly applying security to their roles. For obvious reasons, I took the approach that I would foster and nurture this interest, rather than impose the needs of the security team. If I felt there was a need and no-one with any aligned interest, then I wouldn’t try to force the champions into taking it on.
People revel in knowledge. Some love learning, and some of your champions might have long-term aspirations of joining a cybersecurity team. To meet this latent demand, I built a pipeline of courses, starting basic and then layering on more depth and specificity. Everyone would first complete the free Cisco course, which I personally favour over the ISC2 Intro to Cyber Security. Cyber degree students were given a free pass on this.
Even so, every member of the champions cohort must have a foundational level of cybersecurity knowledge. Taking a cohort approach also means they feel safe in their numbers and can share their experience and progress as they continue through the training programme. From this point on, I used the BTL JuniorAnalyst pathway or its “introduction to pentesting” course (both free), and built a programme of courses through our available learning platforms (e.g. Coursera, Pluralsight, LinkedIn Learning) that would suit the individual. Where budget permits, the more advanced levels can aim at CISM, CISSP, and similar.
“The feeling of being first to know gave them some feeling of prestige.” Nick Harris
I also made sure the champions knew about emerging security developments, so they could share these with their broader teams; the feeling of being first to know also gave them some sense of prestige. For the same reason, the champions became a great test group for security tooling, providing feedback as a unique group of early adopters.
Some champions were so passionate about certain areas that I could give them read access to some of the security platforms. For example, we’d rolled out a CSPM which was going well, but there was a great deal more to explore. One champion with a passion for cloud and PaaS security became a great threat-hunting resource, finding and reporting issues they’d uncovered and furthering their understanding of the tooling at the same time.
We all like to feel part of something and be recognised for the position we have, skills we hold and efforts we put in. Recognition is a key part of sustaining the programme and giving it enough fly-wheel momentum that it becomes self-sustaining without you putting the energy in. It’s also great to signpost your broader staff to their champion. First aiders have done this well with signs hanging from the ceiling above their desk space, and fire marshals are often listed on a notice board. By all means, do the same.
“Recognition is a key part of sustaining the programme and giving it enough fly-wheel momentum that it is self-sustaining without you putting the energy in.” Nick Harris
The equivalents I have used are an intranet site listing all the champions and their skill level, and a set of badges (bronze, silver, gold, platinum) which can be attached to their signature block. The colour of these badges is directly linked to the training programme explained earlier: I awarded increasingly impressive badges based on three pre-determined factors, namely the course level completed, time served and whether they were mentoring other champion cohorts (required for gold and platinum). This way, the champions have something to aim for, which keeps them in the programme, enhances their skills and is ultimately better for the security team overall.
Line managers, marketing managers and internal comms were key in getting this up and running, building awareness of the badges, and spreading the message to drive recruitment of champions and share their success stories. Using these steps, I was able to build a network of people that could report security concerns and give real understanding of the friction caused by security tooling and the workarounds it prompts. The group could also help tailor policies to those that read them, review risks and suppliers, implement security testing into CI/CD, run their own webinars on how they had implemented AppSec into the SDLC, speak at cyber-awareness month, and take part in beta testing of security developments.
There is huge value in the community that can be created between a coalition of the willing. Fostered and nurtured by the security team, a network of champions can surface insights and provide skills that the cybersecurity team may not possess. Done well, it’s a real force multiplier.
This article is part of our ‘No bullshit cyber blog’ series, written by Assured CISO in residence, Nick Harris. “These blogs are designed to offer useful tips for implementing cybersecurity practice. The series focuses on making a difference in a language the business understands,” explains Harris. “All points are drawn from my personal experiences delivering cybersecurity transformation programmes and consider best practices from other industries. While I’ve had great success with these methods, you may have a better way. Apply what works for you, and let me know your suggestions.”