Webinar Series: Building a Successful Security Champions Program

Posted by Living Security Team
January 21, 2022


Is your company built of Security Champions? The best cybersecurity weapon you have at your disposal is sitting right in front of you: your employees. Yet at many companies, team members are treated as security threats rather than as a resource that can be tapped to identify risks and shore up defenses. A Security Champions Program helps improve the overall security culture of your organization by designating employees throughout the company to serve as an extension of your security awareness team.

In our January webinar, hosted by our Senior Strategic Client Advisor, Jennifer Kinney, we had the privilege to feature three cybersecurity leaders who have built successful Security Champions Programs across their respective organizations:
  • Brettina Burney, Principal Security Risk Analyst at FIS Global
  • Jessica Baker, Senior Information Security Analyst at Mr. Cooper
  • Maritsa Santiago, Associate Vice President Technology, Information Security Risk Management & Awareness

Highlights from the webinar include:

  • How to recruit effective Security Champions 
  • Managing a Security Champion program across global organizations
  • How to build a "risk intelligence culture" across your organization
  • Leveraging Security Champions to foster personal & professional growth
  • Tracking the efficacy of your Security Champions program

Catch the replay below or continue scrolling to see the full transcript of our lively discussion with these Security Champion program pioneers.

Recording of Jan 20 2022 Webinar - Security Champions

 

Jennifer Kinney:

Thank you all for joining us today. My name is Jenny Kinney, and I'm a client advisor and the community facilitator here at Living Security. I'm really excited about today's topic on security champions or ambassadors programs. It's such a popular topic in our industry, and it can be an intimidating thing to start no matter how large or small your organization is, or how mature your awareness program is.

So that's why we've invited three experts on this topic to join us today. So I'd like to introduce Brettina Burney of FIS Global. Jessica Baker of Mr. Cooper, and Maritsa Santiago of LexisNexis Risk Solutions Group. Now, fans of this webinar series may remember Brettina from the one we had last May on Program Communications. So we're glad to have you back, Brettina.

Today, we will be discussing their goal-setting process when it comes to their security champions programs. How they chose their champions, how they are keeping their programs viable and the metrics that they use to define success. I thank each of you for being here today. Now, to keep things interactive during the webinar, we're going to have a few polls throughout the presentation. We're also aiming to save some time at the end for your questions. So feel free to add yours to the chat, and we'll get to as many questions as we can before the end of the hour.

Two more quick items. We really do want you to interact with us. So we will raffle off two swag packs to those of you who answer polls or join the chat, ask questions, et cetera. And also all of the breaking security awareness webinar recordings can be found in the resources section of our website. So you may want to check them out later to see if there's any topics that you're interested in.

So to get started here, panelists, hello. I'd like to first have a quick round-robin for each of you so you can briefly summarize your security champions programs, and a little bit about your organization. Specifically, I'm interested in how you classify your program from a maturity standpoint. How long you've had your program and how many security champions you currently have in it. So Brettina, why don't you get started for us?

Brettina Burney:

Sure. Thank you for having me again, Jenny. I am with FIS Global, as you mentioned before. And you'll hear the tagline for our company, we advance the way the world pays, banks and invests. And I am a member of the risk organization. So that's risk information, security and compliance. And I lead the awareness activities for our organization for that organization. And as far as our Champion Program, I would say, or classify our program as intermediate as it is right now. Although we've been in place for a little over a year now. We celebrated an anniversary in October of 2021. So happy anniversary...

Jennifer Kinney:

Congratulations.

Brettina Burney:

... to us. Thank you so much. But we still want the program to be the best that it can be. And so we do have some strategic goals that we look to meet over the course of 2022. And we are also happy to say that we were able to double the number of participants in the program as of January, 2022. We now have 370 plus members in the program in over 18 countries. So we're super excited for 2022.

Jennifer Kinney:

Well, I'm excited to hear how you got there. So that's amazing. Thank you for that summary. Jessica, why don't you tell us about your program next?

Jessica Baker:

Hi, everyone. I am Jessica Baker. I am from Mr. Cooper Group, as Jenny mentioned previously. Our Security Awareness Program as a whole is very new starting about April of last year when I was brought on to lead it. Previously, we didn't really have much of a security awareness program. So following that in July, we actually started our Security Champion Program. So we are only about seven months in. So we are very green. And we currently have 25 team members. I have chosen to select 25 team members at a time. And then we cycle those team members out every six months. So that's how we have run things so far. Again, very green. A lot of potential. I'm super excited to be here and learn from these other ladies as well. So yeah, that's a little bit about us.

Jennifer Kinney:

That's what it's all about, sharing ideas. Thank you so much. And how about you, Maritsa?

Maritsa Santiago:

Hi, everybody. So I'm Maritsa Santiago. I'm with LexisNexis Risk Solutions Group. I am part of the Governance and Risk Management Group there and of which awareness is a part of that. Our program, it's funny that Brettina said her program is intermediate after one year, but our program is two years old with a pilot in 2019. And it's funny, because I say that we're still in the infancy stage and I was thinking we're crawling. We're almost walking. And we have about 220 champions. I'll talk a little bit about this, but we have a mix between business security champions and technology security champions because of the different views of the audience needs. But we are still learning. I'm going to learn from these ladies as well. I love the conversation about Champion Programs, and just what you can learn, and do, and how you can improve.

Jennifer Kinney:

I personally love how we're all in different places with it. So there's a little bit for everybody that's joining in to learn depending on the size of their organization how new their awareness program is, et cetera. So that's great. So I want to talk about, whenever you start a program, you have a problem to solve, and you have goals that you need to set, et cetera. So I'm interested in hearing about from the beginning, what was your initial goal-setting process? And Brettina, from our conversations before I know that you had a pretty solid goal-setting process. So why don't you take this one first?

Brettina Burney:

Okay. Thanks, Jenny. I will say in the initial planning process, we needed to establish the what, the why, and the who. So we needed to establish what this program was going to be. We knew it was going to be a gamified, incentivized way of learning. And then we want to establish, well, why are we doing this? Well, we're doing this because we want to encourage a risk intelligent culture in our company. And then finally, who. Who are going to be our stakeholders? Who are going to be the people that will approve this program and socialize it throughout the company? And once we were able to establish that, then we're able to continue on with creating the structure for the program.

Jennifer Kinney:

Okay. Thank you, there. And then how about you, Maritsa? What about your initial goal setting process?

Maritsa Santiago:

Sure. So just to add on, actually thinking from the perspective of how we set it up. We had those same thoughts as Brettina just mentioned there. And so what we did was, we established the intention behind what you could get, what our team champions would be able to achieve as being part of the program. So what were those personal and professional growths that they could achieve and gain from being a champion?

Maritsa Santiago:

And the other thing that we did, and I'll just add on is that we did create some KPOs for our champions. So we thought about, how can we take what they're going to do and the ask that we have of them. And how can they really get some feedback for that and get some, just really get to take credit for it. And so we created KPOs or objectives for them. And in order to be able to put into their enabling performance reviews.

Maritsa Santiago:

So they would be able to establish, and go and look back at the end of the year and say, here's what I did as it relates to security and it's being a Security Champion. We did the same thing for the managers of our champions. So before we have anyone become a champion, we have their manager approve them, and the manager agree as well that they are going to align and support their champion in that role. So we allow managers to be able to also take credit for the fact that they have champions on their team who are trying to better the organization and our culture of security. So those are just some of the things we did for setting goals specifically for those in the roles.

Jennifer Kinney:

That's great. And I love the fact that you are getting that approval so that there won't be a conflict of interest because I know all of us with productivity, there's so much on all of us. So sometimes, getting thrown more responsibilities that aren't part of just our regular job description can be hard to fill. So I think reaching out to the managers is a wonderful idea. And I'm encouraging everybody that's on the call to please take notes on this because sometimes, you'll hear a great idea, but you'll forget. So take notes on anything that you think could work well for you guys.

Jennifer Kinney:

And Maritsa, you talked on something that we're going to touch on in a few minutes, which is the what's in it for me? What's in it for me as a champion? So don't worry, guys, if you're wondering how you can keep these folks interested. We'll be addressing that in a bit. Okay. So the next topic I want to hear about is choosing champions. Of course, there's always going to be fans, people that you're close to. Your friends, your fans, et cetera, that are going to just be natural fits for the role. But I'm interested in apart from that group, small or large as it may be. How did you choose your champions? And we actually have a poll up right now. So this will help drive the discussion after I hear from each of you. I want to know, everybody out there, who are the biggest fans of your program besides your parents, perhaps. Who are the biggest fans of your security awareness program? So we have some choices up there. So it'll be interesting to see once the poll ends. So Maritsa, so why don't you take this one first? How you went about choosing your 200 plus champions in business and technology, from what I understand.

Maritsa Santiago:

Right. Yeah. So we go about it a couple of ways. One, number one for us, most important thing was we wanted them to be volunteers. We do not, we stress this all the time with our leaders. We do not want anybody to be voluntold because when you're voluntold to do something, it's not something that you are committing to and that you're really wanting to do. And so you might not have the heart behind it to actually give your all with it. So firstly, we want volunteers.

Maritsa Santiago:

Secondly, we really push and go to town halls, just get anywhere we can to try and just tell people about our program so then they'll go, and they'll volunteer for it. I did a couple of those this morning as a matter of fact. Now, once we get volunteers, they come to our website, we want them to read about everything, and then we ask them to complete a Microsoft Form. And then that's part of the approval process that I spoke about. So we'd have that form go to their manager, but they read about the things that they are committing to as being a champion themselves before they complete that form and send it off. [crosstalk 00:16:59]-

Jennifer Kinney:

What questions are on that form?

Maritsa Santiago:

I mean, so some of the questions are such as what area of the business are you in? We ask questions around we say, here are the different expectations that we have of our champions. And so are you willing to commit to that? Here's the amount of time that we need. Are you willing to commit to that amount of time that we would need from you on a monthly basis? So we're putting those just expectations of what we're looking to get from them upfront so that there's no surprises on the back end if we come to them, if we ask them any questions or anything like that.

Maritsa Santiago:

And so once they submit that form, then they've really said, yes. I agree to all of those things. At that point, it goes to their manager. And again, we have the manager approval piece there as well.

Maritsa Santiago:

And then we also, I'll just mention this here, because I can't remember if we're going to mention this at all, but we actually have an off-boarding process that we developed as well. I don't think that we've used it yet. We've had people say, "Hey, I can't do this anymore." And so that's fine. But if we find that our champions are not actually living up to the expectations of what we're looking for with assistance that we're trying to drive, et cetera then we do have an off-boarding process to be able to politely ask them if they want to step back. So that's how we choose them, and then potentially would have to look to have them discontinue their services.

Jennifer Kinney:

Oh, that completely makes sense. And I know I volunteered for things before that in the moment sounded really exciting, and then reality hit and I was unable to fulfill the obligation. So I may have been on the receiving end of one of those, not for security obviously, but in other situations. I was like, oh, I thought I was going to have time for this. And I did not. So no, that's a great idea to have that plan up front. If somebody's not engaged, maybe they could be replaced with somebody else, and then you can take them away from the guilt of not replying to your emails-

Maritsa Santiago:

Exactly.

Jennifer Kinney:

That makes a ton of sense. Okay. Jessica, what about you?

Jessica Baker:

So we have somewhat of a similar process to Maritsa, but again, our whole program is new. So last year, we sent out a company-wide email communication, internal communication site post that we were launching this program with our new logo. And then within that security awareness announcement, we also announced that we would be having a Champions Program. We as well, created a Microsoft Forms survey asking some of the very similar questions. What area are you in? How much time can you commit? Why are you interested in this? And then how much time do you spend on our internal communication channels because that's one place that people can be really interactive and we can grab people that may delete those emails, but they might be active on our internal sites. So questions like that.

Jessica Baker:

Originally, we had about 70 team members apply, which blew my mind, because I didn't know what to expect. And again, we narrowed that down to about 25 team members. The way that I did that was just looking at what they filled out. So what area were they in? We had team members from our India group. We had team members from our [Zone 00:20:28] team, from our Cooper side, all over the place. And then I also wanted team members who were higher up in the organization.

Jessica Baker:

So we had VP-level team members and individual contributors. I liked that because the VP-level could come from a leadership perspective. Our individual contributors could come from everyday team members. Here's what we're needing, what we're missing, what we're interested in. So I liked having that perspective as well.

Jennifer Kinney:

Yes. And that just answered somebody's question in the chat, actually. Jennifer was asking, does anyone have a Champions Program whose membership consists specifically of company leaders and senior execs? So it sounds like you have a blend.

Jessica Baker:

Yes.

Jennifer Kinney:

Okay. And Maritsa, how about yours? Do you have any of the leadership team in yours or is it?

Maritsa Santiago:

No. We don't. I mean, we have some managers, but we don't have any VPs and so you're making me think, I need to push that harder. So thank you. It's all about sharing.

Jennifer Kinney:

No, that's interesting. I didn't mean to interrupt, but it was just perfect timing.

Jessica Baker:

Oh no, you're good. But yeah. And on top of that, just understanding why they want to be a part of the program. I really focused a lot on that because if they just put just for something else to do, I'm like, "Well, you're not really that interested." But if team members are saying I'm really interested in cyber security. I want to know what our organization is doing. That kind of stuff really interested me and I wanted those people on our team. So that's how we selected ours.

Jennifer Kinney:

Okay, perfect. And Brettina, what about you?

Brettina Burney:

So I will say that we have some similarities with our program as well, especially the registration form. But when we initially started the program, we reached out to those that were very active already in awareness activities. And then we had already put together an advisory board. So we asked for recommendations from our advisory board, and our advisory board spans across different areas of the business. So not just within our area of risk information and compliance, but also with legal, our marketing team, and other areas of the business so that we would be covering all areas. And so we started out with that pilot group for about six months, and then we opened up a waiting list for people who may have heard about the program. And after six months with that pilot group, we reached out to those people. It was like our pilot group 2.0 and they were welcomed into the program. And then later in the first year, we opened up the program to the entire organization. Again, by use of the waiting list that we had created on a SharePoint site, and people were able to join in. So now, every three months or once a quarter, we go to that waiting list and invite those people into the program that are interested.

Jennifer Kinney:

Okay, cool. I want to go back to this poll real quick about who are your biggest fans. So the most popular was tech engineering at 51%. And then sales and marketing, big drop at 10%. And then the least biggest fan. Oh no. Few people that said that you have no fans, come on. We'll help you in the next conversation. Maybe get you some fans. Product was fairly low too. So interesting to know. So maybe those of us that are having trouble getting folks on board, we can start targeting those late adopters a little bit better. So that's interesting.

I think we have time to address a couple of the questions that we're getting in the chat. One is how about new hires? Are you letting them know about your Champions Program right away or in onboarding or is it something that happens throughout, at a certain period in the year?

Brettina Burney:

I'll take the question. We have not yet implemented that in the program, but we really want to. We have had many that are new to the company. They have joined the program because they heard about it or others referred them. And they have said it's been really beneficial for them because they've been able to learn more about the company, and risk and security whereas otherwise they may not have been able to do so right away.

Jennifer Kinney:

Okay. Interesting. So it's just like a more organic process than any formal procedure at this point.

Brettina Burney:

Right now.

Jennifer Kinney:

Okay. Maritsa, Jessica, anything to add there?

Maritsa Santiago:

I think it's a great idea. I think we mentioned it in our initial... We have an E letter that we give our new hires. And we do mention that we have a program, but we don't really go into full specifics on it or like, "Hey, get involved early." So I'm just thinking, I need to open up a Word document and start taking notes of my own. Which I'm trying to do as I'm having a conversation.

Jennifer Kinney:

That's fine. And again, it will be transcribed if you need to go back and take a look. But, okay. So we have another question. So anybody that wants to take this, just a light overview of what, Maritsa, you mentioned the KPOs, or key performance objectives. What are some of the things that you do require ask of your champions?

Maritsa Santiago:

Sure. So we look, and again, it depends upon the audience. So our audience is different for business versus our technology teams. And when it comes to our business teams, we really look for them to do about three hours a month. Probably it's about the time that we ask three to four hours. Technology, it's a bit more than that. It could be up to maybe 10 hours per month because we ask our technology teams to do some things around threat modeling and identifying ways to identify process improvements within their own areas. To get involved in security conversations.

Maritsa Santiago:

So if they're not currently part of conversations that are going on around some changes, new changes that are happening to a product, for example. That they can start getting involved in those conversations, and giving that perspective or, I don't want to say challenges, but yeah. Essentially, challenging some of the thought process behind those changes. And where's the security in it, things like that. We also want all of our champions no matter who you are to know our InfoSec policies, standards, and procedures. Know those, know how they apply to your business area. I think those are some of the different things that we have as far as expectations for our champions.

Jennifer Kinney:

Okay. Cool. And then Ellen has a question for you specifically, Brettina, on just briefly, how do you manage such a large security champions group? Yours is the biggest at 300 plus. And I know this is a huge part of your role. So you have a lot of time to dedicate to it. And she also wanted to know what are they responsible for too?

Brettina Burney:

So I will say that this Champion Program is not my only part of my role here at FIS but I have a wonderful cohort, Stephanie McCormick, that I work very closely with and we created the program together. And we also have a larger team that helps out with the program. We just doubled it. So our fingers are crossed that things continue to roll along very positively, but it is a labor of love. It does take a lot of effort and work. And what we're looking to do now is those that reach the champion level and beyond, we're asking them to help too.

Brettina Burney:

Honestly, because our group is so large right now, and we really want everybody in the company to be a part of it at some point, we just know that our team can't do it by ourselves. And so we've recently asked other members of the group to help with certain things like webinars, mentoring those who just start the program and whatnot.

Jennifer Kinney:

It's like the champions of the champions. 

Brettina Burney:

The champions of the champions!

Jennifer Kinney:

We need a trophy. Okay. So really, and we're getting some questions that allude to this as well. So how do you keep people engaged, excited? How do you keep them interested in it because it's like a little bit of the what's in it for me in order to keep them engaged. We talked about, of course they are getting manager approval. They can put it on maybe their performance plan, et cetera, to say I'm really stretching myself in other areas of the business. Of course, security is such a hot topic right now. Everybody wants their organizations to be more secure. So there's a sell for that. But let's see, Jessica, I know that this is one of your areas of expertise. So tell us what you're doing for your champions.

Jessica Baker:

Yes. So this might sound cliche, but I think it definitely starts from within the champion. Just like Maritsa said, we truly do want volunteers. We want people who are genuinely excited and want to be a part of it. And then following up with that, me I'm big on employee engagement. I used to be called smiley when I played sports, because I just smiled all the time. I love to crack jokes. I love to get excited about things. So I think just sharing that energy is super helpful.

Jessica Baker:

Something we recently started was doing training. So we do a topic of the month. So each topic, we are also having our security champions train on that. It's typically a quick-hit video with some questions afterwards. It does give our team members a little bit of a break from their day to day tasks.

Jessica Baker:

It is again, like Maritsa said, something they can add to their performance reviews at the end. And then also last year, we created t-shirts for our security champions. So that has our seal logo on it, which is our security awareness logo. Just something cool that they could wear to meetings, or around town, just like I'm a Security Champion at Mr. Cooper. So I love that.

Jessica Baker:

And then we also have an internal rewards system, and through that, we send out a public card basically that all of the company can see. And we can give them rewards, which in turn can become a gift card or they can use it for company swag or something like that. So really if you are on our champion team, and you're participating in things like that then you get a few different perspectives. And again, this is still a work in progress, but I am big on employee engagement. So I'm sure there will be more things to come from that side of it.

Jennifer Kinney:

No, it sounds good. So it sounds like a mix of lots of different things. Soft skills, kudos, swag, rewards, et cetera. Okay. And you just have a natural cheerleader type personality for these people. I get that. I get that. Maritsa, what about you and your Champion Program?

Maritsa Santiago:

A lot of the same things that you mentioned there. I guess some of the other things, we do give them visibility opportunities. So going into the soft skills, that's one of the... What's in it is that professional growth opportunities. And so we want people to present. If they want to present, that we are behind them all the way. We provide toolkits to our whole company in general. But we push that to our champions to be able to take that information. Those PowerPoints, it's a plug and play. And just go take those to a team meeting, and talk about security for five, 10 minutes.

Maritsa Santiago:

So we give them the option and opportunity to be as visible as they want to within their own networks. We have some of our champions who really get involved in every one of the town halls, and have a security topic covered in every town hall. They might write communications specifically for their areas of the business. So that, I think goes a long way. And then recognition.

Maritsa Santiago:

So we do a monthly newsletter, or excuse me, a quarterly newsletter to our whole organization. And we always spotlight one or two champions in there. And so that gives recognition across the whole of the company of what they're doing and really talking to the why, why they're doing it. So those are some additional things. And then we do a conference.

Maritsa Santiago:

That is an InfoSec conference. We invite all of our technology champions there which is an extra level of learning along from the monthly webinars that we do, that's something that's even a bit more, if you will, in depth. So those are some of the things along with we were trying to get into doing some travel where they could come and meet InfoSec team in person. Those have gotten obviously messed up by the pandemic. But those were some other things where we were looking at doing. Is travel to get together, to be able to share ideas with each other, et cetera.

Jennifer Kinney:

Okay. No, that's great. Okay. So let's see. Before we get to your answer, Brettina, I just wanted to see. We were polling the program size. I know that security awareness departments in general are fairly new. They haven't been around for decades and decades. So looks like the most popular size is just one. So a lot of you folks out there are a team of one. So you need some champions. So make sure you're taking notes and you can get some help.

Jennifer Kinney:

And then let's see, the second most popular was four plus. So we're all over the board here. And then the others for two and three split evenly. So thanks for sharing about your team size with us, everybody. And no, Maritsa. I really like the what's in it for me ideas that you have. Because it sounds like they can almost build up their stock, and their brand within the organization. Become more visible, which is always a good thing as far as career opportunities are concerned. So that's a great idea. And Brettina, what about you?

Brettina Burney:

I just want to answer about the team size if your team is small and reaching out to other people. One takeaway from the program has been that many more people are passionate about this area than we ever thought. And so all you have to do is ask people. Start with your own network, and then go from there. And more likely you will have additional help that you need or require.

Brettina Burney:

And as far as engagement, we too like Maritsa and Jessica like to reward our colleagues. This is definitely a voluntary program and we know they'll have to take time out of their day to spend toward the program. And so a few ways that we recognize or reward them is our program has levels, and it has phases. So as they reach each phase, they'll receive a certificate that's been signed by our chief risk officer. And they'll also receive a badge they can add to their email signature. And then as they reach the end of each of those phases, they'll receive a swag bundle as another thank-you.

Brettina Burney:

We also have a thank you meeting with our chief risk officer. He is very big on recognition and likes to meet with the members of the program, and thank them for their efforts and spreading this awareness throughout the company. And I also think that consistency is key. So we've established social hours that we have monthly. We have two because we have global participants so we have to take into consideration their time zones.

Brettina Burney:

And then we have another meeting outside of those social hours, just to again, increase awareness about these different functions, and groups within the organization that are related to risk information, security and compliance. We have guest speakers that come once a month and our members are invited to that. As well as we try to make sure that the meetings that we have with our participants are informal.

Brettina Burney:

We have so many other meetings that we have to attend, and we have to be a little bit more buttoned up. So we want to encourage people to feel free to talk to others and network and not feel that way whenever they come to our meetings. And last, and certainly not least is that we can't expect people to be excited about the program if we're not. So every time I have a meeting or interaction with our team members, we just quite often outside of the meetings that we have scheduled, I'll put on the Brettina TNK face and personality and I go for it. So it seems to help people. You just never know how that may affect people and encourage them to continue in the program.

Jennifer Kinney:

Yeah. So a lot of patterns here. So contagious enthusiasm is really important. Appreciation, especially from leaders is really important as well. This all makes a ton of sense. We have a lot of really good questions in. And one of them was about running international programs. So I want to make sure we get to that, and Brettina, maybe you can handle that as well. Different time zones. And then of course there will be different regulations in different countries, and geographical areas. So we can address all that. I'm seeing the questions coming in. So I hope we'll get to as many as we can.

Jennifer Kinney:

Okay. So the last formal discussion question I had before we get to the Q&A was metrics for success. I mean, you have to prove that the program is worth your investment, worth your time. We even had a question about does your program have a budget? So keep that in the back of your mind for a question that we can answer here shortly. So, yeah. What are your metrics for success? What are your corporate stakeholders wanting to get from this. Just share whatever you have there. And Brettina, why don't you start with this?

Brettina Burney:

So I'll say we have a number of metrics that we utilize to continue to understand where we are in the midst of the program. For example, we measure growth by quarter. Are we growing the program like we wanted to quarter over quarter? This quarter, we grew exponentially. So that's one mark for success for us for the year. An active participation rate. Whenever people submit their activities, monthly, we gather that information, and we're able to determine what is the participation rate. And-

Jennifer Kinney:

How do you keep track of that? Like in a spreadsheet or something? How do you keep track of the participation?

Brettina Burney:

So we use Microsoft Forms. So when people submit their activities, it triggers a spreadsheet that collects all of that data for us. And then we also look at how many voluntary trainings, perhaps, people are completing as a part of the program. Everything we do is voluntary. So how many of those are being reported. As a result of being in the program, how many incidents are being reported because people know how to report those incidents, and know what to look for.

Brettina Burney:

But really, the biggest form of feedback I will say for the program really is feedback from the actual participants. If the colleagues are not happy with the program, then it's not a success at all. It doesn't matter what the numbers may actually show that they're doing, but if the user experience isn't great for them, then the program is not a success.

Brettina Burney:

And that's why, especially in the beginning, we spent a lot of time with our pilot group, even one-on-one meetings with them often just to see how we could enhance the program if what was working for them? What was not working for them? And that really has been very instrumental in us growing the program and making it what it is today. And that's the feedback from our actual colleagues. And that's not always the most quantifiable thing that you can look at. Outside of the actual numbers that we're able to gather, having that time with the participants and talking to them and seeing how they feel about the program makes the biggest difference for us.

Jennifer Kinney:

That sounds great. So what's a lesson learned?

Brettina Burney:

Well, some people are using this program as a means of networking as well because the program is offered to different areas of the business. Some people may be siloed, and for somebody in security, they may never actually work with somebody, let's say, in the legal department. But because of this program, they're able to meet with them and interact with them, and continue to grow their network. So that's one takeaway as well from the program. Like you mentioned before, building your own brand, building your network within the company. That's been a big takeaway as well.

Jennifer Kinney:

That makes so much sense. And it's such a benefit, because you get introduced to people that you may not have otherwise been introduced to. And so you can learn more about the organization. That's great. And Maritsa, I have a little bit of familiarity with your program considering we store together. So I know that you would also compare phishing simulation rates from those in your Champions Program to just the rest of the staff population. So anything else that you'd like to add about metrics?

Maritsa Santiago:

Sure. So I was going to mention the phishing simulation rates. Also, we look at the number of champions across our leaders, and we report those up on a quarterly basis to our leaders, just because we want the visibility to see our leaders are very competitive. And so we want them to see that, well, I've only got one champion and you've got five? Okay, now I need to go talk to my people. "Hey, do we have anybody who wants to volunteer for this?"

Maritsa Santiago:

So we use that to help to really drive more champion visibility and hopefully engagement of champion joining. And then we are in the process of creating a user risk score. And so we will also utilize that to see and help to determine whether our program is a success because just as we do with phishing, we want our champions. If we're training them more in depth, we want to see that they're having better results than our organization as a whole. And so we would want to see that they would have less risk than the rest of our organization because they're implementing all of these best practices that we're training them on. So those are two other ones.

Jennifer Kinney:

That's fantastic. And just to let all of you guys know out there, Living Security has a new product that's launching this year. That is all about a user risk score, which is a very complicated thing. So we work really hard to get this going. So if you have any interest in learning more about this product to develop a user risk score, just please do reach out to us. Maybe, Brandon, you can put the Unified link in the chat so if people are interested, we can let you know.

Jennifer Kinney:

So, okay. Lastly, we just have a couple more minutes before we get to Q&A. So I want to know, if there's anything that we haven't touched on yet, like a huge yippee. Like Brettina, your yippee about doubling your program number last month is pretty amazing. Is there anything else you guys haven't mentioned that's either a lesson learned, oh, okay, tried it, didn't work, or anything that you're especially proud of that's happened in your programs?

Maritsa Santiago:

I can start here in just saying that, going back to talking about showing the visibility to our leadership. We've seen a significant increase in the number of technology champions that we've had because of a couple times I've participated in conversations with our CTO. And then we have CTOs underneath our leader CTO. And where they really went out to their teams and they pushed hard for champions, and said, "Hey, we really want somebody who can represent us". Making sure that we have coverage in each of our different squad areas, whatever you call it in your organization.

And because of just that top level support that we saw coming out of technology leaders, we saw a significant increase in our technology champion numbers. And we're continuing to see those numbers rise on a weekly to a monthly basis. So just get those leaders. Get in their ears, get in front of them as much as you can. And they can really help to be your sounding board for advertisements, and getting you new volunteers.

Jennifer Kinney:

That's amazing. And having a strong technology group is just so important because I mean, they hold the keys to all the network security, app security, et cetera. So if they aren't security champions, every single one of them should be. So that is a huge win. And Jessica, anything from you?

Jessica Baker:

I would say I have more of a lessons learned perspective. Just really talking with you guys recently, and Maritsa, you bringing up that you guys have manager approval. That is something that I run into with this round of my team members. We've had some team members who are maybe from our call center groups and things like that. And they have a different way of scheduling, and how they attend the meetings and stuff like that. So that's something that I'm learning right now. So for those team members, for sure, it'll be really important moving forward to have that manager approval. Have the manager backing them up and being their champion as well for the program. So that for me, has been a lessons learned so far.

Jennifer Kinney:

Yeah. And I think that came later in the program too, as a lesson learned. Like oh gosh, we need to get manager approval so that people understand that they do have support from their leaders, which is just really critical. Brettina, did you have anything else. Any other [inaudible 00:46:49].

Brettina Burney:

Yeah. I had a couple lessons learned, and the first was, it was very daunting for us to start this program as well too. We wanted to do it a long time ahead of when it actually went into implementation. But we said, we have to do it. We have to start. And that's what we did. Just start. It may look like it's a lot to do, but at least get the ball rolling. And I will say that now during the pandemic is really a perfect time.

Brettina Burney:

That's been a big takeaway from the program as well. So many have expressed that they missed that time with their colleagues in the office. And this program has given them an opportunity to interact with other people outside of their normal group. And it has even helped them through some difficult situations that they've had because they've been able to have that support group.

Brettina Burney:

I say we start off with a small family, and now we have a small community. And we really look at it that way. And so we just don't know what these programs can do for people outside of them learning about risk and information security. It could do so much more for them as well from a personal perspective. So I think if we look at it holistically like that, then we can help these programs get off to a good start.

Jennifer Kinney:

Absolutely. Sometimes you just have to set a deadline to get things done. Yeah, just do it. If anybody on the Living Security side can drop in the link to the latest mini box on new year's resolutions. We actually address that, how to take a big goal and divide it up into little chunks so that you can get it done. So it may be helpful for this discussion. So it's just like a two pager and a couple chat messages that you can read yourself and help me to read it. And then you can share with your end users, your employees.

Jennifer Kinney:

Okay. So Nick is going to help me with questions and answers that I may have missed. But there's two I've seen recently that I definitely want to get to. And you guys answer this whole question as well. And one is what are the things... Maritsa, this one's for you exactly. Because this is such a complicated topic and metrics can be so hard. So I know that risk score can be a very daunting project to even start. So what metrics are you gathering for that? And again, I hope if I'll be able to help you with this.

Maritsa Santiago:

Yeah. So some of the metrics we look at to begin with, phishing, they're one of the easiest to get. We also look at training. So those are also easy to get. Are people doing their training? Are they doing it on time? Those are usually easier to get. Another one that we just started pulling and looking at is around managers and timely terminations. So managers doing their actions as far as are they effectively terminating folks in the system before they leave so that their access is gone. That's another one that we've been looking at.

Maritsa Santiago:

Ultimately though, I will say, plug here for Unify. We are going to begin using Unify because it is such a daunting task. We've been working on this for over a year, probably a year and a half. And we're just about to get to piloting just a subset of what we wanted to look at. But Unify is going to really help to unify it all into one place for us.

Yes. And so we are excited to see how we can use Unify with what we've already been collating, and pull those things together. But those are just some of the beginnings. I mean, there's so much data. It's just finding out one, how to get the data. And then two, how to effectively read the data to give you actionable measurements. So that can really take some time, even though there's so much data out there.

Jennifer Kinney:

Exactly. Exactly. Okay. Well, thank you for the plug. I appreciate it. And then it seems like there was one other one... Oh, this one's for you, Maritsa as well, can you talk more about the difference between business or technology-based programs?

Maritsa Santiago:

Sure.

Jennifer Kinney:

I believe you're the only one that I heard doing that.

Maritsa Santiago:

Yeah. So we decided to take that approach because I feel that the audience needs are different for business versus technology. So with our business champions, we really do focus more on general cybersecurity best practices. So we'll talk about phishing. We're going to talk about just some of the pieces that don't really get into the technology knowledge that you need. And that's been really successful for us because we're not doing too much where they feel like their head is underwater.

Maritsa Santiago:

But on the technology side, we are focusing heavily on threat modeling, secure software development life cycle. Really, how do you just shift that security to the left when you're doing any kind of development? And so because that is such a more advanced knowledge base, sometimes, that you need there, we are allowed to and able to have our webinars, and monthly meetings that go more in depth. Like we just did one today on pen testing. And it went more in depth that our technology teams could better understand. So how they could take that, and apply that, and utilize that as part of their efforts as they're going through their secure software development life cycle. So that's why we decided to do two different ones for our organization.

Jennifer Kinney:

It makes so much sense. And you can speak a more technological language when you're talking to the tech folks. And again, just they're so important. Like of course the end user, the human risk side, when it comes to phishing, social engineering, it's critical. We're all trying to improve on education and knowledge content for that. But gosh, if technology isn't following good security practices, shifting left, then you're really opening yourself up to more threats and vulnerabilities.

Jennifer Kinney:

Just, I'm going to take a look at the poll. So looks like 26% of you guys already have a program. So hopefully you've learned some new to improve it today. And then you're planning a program now. Well, perfect timing for you to join. And then not this year, maybe later. So again, when you do have time to maybe revisit this, set yourself a deadline. But we will have this recorded for you. Just you can access it all on our website in case you want to come back and revisit some of these ideas.

Jennifer Kinney:

Okay. Brettina, it seems like I saw a question for you here, but I cannot... We've got so many questions coming in. Nick, I may ask you to jump in and just pull some of the things that I have missed during this conversation and help us out.

Nick Marchiselli (Client Success Manager, Living Security):

Absolutely, Jenny. There have been quite a few questions about how these programs expand to global and remote organizations. And I know being a past program owner, this was a struggle for me. So I think everyone could probably provide some value there.

Jennifer Kinney:

Yeah. Brettina, I think that was one for you because you did mention the international scope of your program, if you don't mind taking it.

Brettina Burney:

No, I don't mind. I will say that strategic partnerships are very important when it comes to a global outreach. So I mentioned before, we have an advisory board. And one person on the advisory board is from the legal department. Compliance and legal. And she made a suggestion that if we wanted to reach out from a global perspective, that we need to contact the different HR. We have a different name for it within the company, but HR within those companies. And so I was able to obtain a list.

Brettina Burney:

For instance, in Germany and France, they have specifications for working there. They have a works council. So we met with the contacts there just to make sure that we gave them an overview of the program. To make sure that we weren't missing anything. If there's anything that would prevent someone from being in the program from that country. And we did that with China as well.

Brettina Burney:

So we have other countries that have been added recently, and we'll have to meet with those partners with that country just to make sure that all the considerations for the program are taken into account, and we're not missing anything for that area. And then two, there may be specific areas that have certain means of communication. For instance, within our company, let's say for the India region, our internal communication method of Yammer is utilized quite often. So we'll need to utilize that to reach out to our colleagues there about the program. Initially to invite them into the program. So those are a few of the things that need to be done to make sure if we want to reach our colleagues globally, then we can do so.

Jennifer Kinney:

Okay. And how about varying times of meetings? So like to cover different time zones? Do you guys ever do that?

Brettina Burney:

Well, let someone else answer.

Jennifer Kinney:

Yes.

Jessica Baker:

I was just going to tag on to what Brettina said. We have team members in India as well. And yes, the meeting situation is something I was actually going to talk about. Our first meeting that I set up with my champions, one of our India team members was like, "Hey, that's midnight for us. Can you?" And I didn't even think about it. So that was one of the things that really helped me understand, okay, what are the different needs with our team members?

Jessica Baker:

And also during Cyber Security Awareness Month, we used Living Security for the escape rooms. And it was really, really helpful to have Indian team member champions because they were able to run time slots for me, for our India team members that I wasn't able to run, or I had something else going on or whatever the case may be. And that gave a lot more opportunities for team members to participate because we did have those champions who had been trained on how everything worked to run those times where our India team members were more available.

Jennifer Kinney:

We need to find a good name for those. Like the champion champion or super champion or. Hey, one thing I forgot to do, Brandon, would you show everybody... I know that you guys have some little reward badges and stuff. If you could pull that up, that would be great. I'm just bossing people around right now. And then, Nick, are there any other questions that you saw that we need to cover? We have five more minutes.

Nick Marchiselli:

Yeah. So there were a few people who it seems have other championesque programs in their company whether it's a wellbeing champion for actual physical security or a privacy champions program. Does anyone have any thoughts they would want to add on tagging along or breaking Champion Programs out or things like that?

Maritsa Santiago:

I can say that we have a lot of different programs at our company. A lot. And what I tried to do with the team when we were looking at the pilot, and then looking into revamping for our first year was get some of the best practices that we maybe witness because some of our people were involved in other Champion Programs. What worked, what didn't work, and what should we just not even worry about trying at all. So not necessarily tagging along. I have thought about how can we incorporate conversation into some of those, but we looked at it for more of what has worked well, and what has not worked well with those programs that we could utilize and leverage to help with the creation of our program?

Jennifer Kinney:

That's a great idea. There's just so many efforts in larger corporations, especially because there's so many things that we need to address like diversity and inclusion. There's so many things. So it feels like we can be spread thin as employees. Now what's on the screen right now are some examples if the attendees here want to just get inspired for some ideas. So we have the security education awareness learning badge. And then we have, that's a cute little trophy, Brettina for the RIC Champion Program. So people can put that in their signature. And then on the right, it looks like so we have a little signature badge, I'm a security champion. And then that looks like a little picture frame that you could use maybe as of your Team's [crosstalk 00:59:18]-

Maritsa Santiago:

Yeah. Teams Active Directory. You can have that show up whenever your picture shows up.

Jennifer Kinney:

Okay. Yeah. It's like, I'm cool. I'm a champion. Okay. I like it. Okay, Brandon, you can pull that down now. Thank you. Appreciate it. Okay, Nick, three more minutes. What do you think we could do?

Nick Marchiselli:

Just to add to that last slide, we've even done swag where it'll say champion, which I know someone had already mentioned. I think that's really always well received. And the big question. One of the other big questions I'm seeing, obviously it's very dependent on companies, is more of a budget conversation. Is there a cost per champion, or how do you justify those costs, and what does that conversation often look like with leadership?

Maritsa Santiago:

Those are fun conversations.

Jennifer Kinney:

And you don't have to say exact numbers, necessarily. But do you guys have any kind of budget carved out specifically for champions? Or how is that working for you?

Jessica Baker:

I'll jump in here. I will say that I don't know if it's because they didn't have much before I came along, but I will say I'm very grateful for my leadership. Pretty much anything that I say, "Hey, we need money for this. Hey, we want to make t-shirts. Hey, we want to give them these rewards." My SVP is like, "Yes."

Jessica Baker:

I will say currently, we haven't spent a ton of money because obviously we just started this. And we got t-shirts and those showcase points. But my leadership is very supportive of security awareness. Security Champion Program. All across the board. So far I've been very lucky to just have them say, "Yeah, approved." But I haven't asked for much. So we'll see how it goes as we grow.

Jennifer Kinney:

Any leaders on the line, please take note about how much people love the yes to the budget. Jessica, I think you are pretty lucky in that regard.

Jessica Baker:

Yeah. Very lucky. Yes.

Jennifer Kinney:

Okay. If we want to take that as the last question, we can Brettina, Maritsa, if you have anything to add to budget or else, maybe we can just take one more quick one.

Brettina Burney:

I'll just say really quickly that I think that's where it's important. That whenever you establish how you want the program to be structured, that you meet with those people who actually set the budget so that they are aware of your purpose of the program, and how it can benefit the company overall, and how it will make the company more safe, more secure, and ultimately save the company money because they won't have certain incidents that may happen because of what's learned by means of this program. If you can quantify that and show the benefit, I think the budget will be there. Well, hopefully.

Maritsa Santiago:

Yeah. I think I agree with you. As you show the ROI they will be open to more. To giving you more because they know that it's a small thing that's going to go a long way.

Jennifer Kinney:

Well, you guys are getting very positive reviews in the chat. I think a lot of people took something away, some action items that they can take and learn and grow their program in some way, which is so important. Our roles are so important. I want to thank the three of you, not only for joining us today, but for all of the blood, sweat, and tears that you're putting into growing your programs, and spreading the cybersecurity awareness message.

Jennifer Kinney:

There were some really good questions I saw that we didn't get to. So our plan is to hopefully follow up with you as panelists and maybe I'll create a blog post with maybe just some more takeaways and answering some more questions. So expect a little follow up with that. And then everybody on the line, we will have a blog in our little blog section on the Living Security website at some point, hopefully in the next couple of weeks.

Jennifer Kinney:

Okay. So thank you so much, everyone for joining. This was really helpful, and I appreciate everybody's time. And we'll catch you next month in the next Breaking Security Awareness webinar. Thank you.


 
