Security champions are people who have been chosen within an organisation to represent cyber security for a department, group, or company as a whole. The notion of security champions works in a similar way to the fire warden of an organisation, in that a role is assigned to someone to help others implement good practice.
A security champion is not an expert in cyber security, but may be given some extra training or resources to help them carry out their role. The role may entail delivering security messages to their team, being a first port of call for security problems, and communicating effectively to resolve any worries or misunderstandings people may have about cyber security. For example, if someone is worried that an email they received might have been a phishing scam, they can let the security champion know. Having someone who is already a member of their team may make people feel more confident about raising these concerns or queries, as they can go to a friendly face. A security champion may seem more approachable than a security professional who is perhaps not well known to everyone in the organisation. In this way, a security champion helps bridge the gap between the security team and other teams, creating a better flow of communication and therefore better cyber security across the organisation.
As every organisation is different, the way in which a security champion works may vary too. Taking into account the logistics and the cyber security needs of the company, a champion can lead the way in establishing positive practice. Finding someone who fits the role well is also important to the effectiveness of the champions programme. Usually, it is a good idea to assign the role to someone who has previously shown or expressed an interest in cyber security. As this is usually a voluntary and unpaid position, a champion must have some interest in cyber security to want to undertake the task. Similarly, someone who has consistently demonstrated their own commitment to good cyber security behaviours will make a very valuable security champion. People who have expressed frustrations about cyber security in the organisation, or who have been involved in incidents, can also be excellent champions because they bring both commitment and experience. Keeping champions up to date on cyber security, and supporting them in their role, is very important. This may take the form of regular contact with a security expert, attending a cyber security conference, or creating a network for champions from various departments to keep in touch and offer each other advice.
With the right support and implementation, having a cyber security champion within an organisation can greatly increase the adoption of good practice. The role improves communication, increases the likelihood of issues being raised, and helps to build awareness. Cyber security messages are amplified and reach a wider audience, leading to a better cyber security culture within the organisation and therefore more consistent security. Perhaps most importantly, champions programmes can facilitate two-way communication between the security function and the rest of the organisation, giving the security team a way to receive regular feedback and input from a wide spectrum of their colleagues.