
They are the Champions: How To Build and Maintain an Effective Cybersecurity Champion Programme within your Organisation

BSides London · 2019 · 53:47 · 276 views · Published 2019-06

Tags: Category: Community · Style: Talk

About this talk
Full Title: They are the Champions: How To Build and Maintain an Effective Cybersecurity Champion Programme within your Organisation

In this presentation, we will look at how to maximise your security awareness programme and improve incident response by developing a security champions programme. A security champions programme is a network of people within an organisation who are not cybersecurity professionals but work as a security representative, functioning in much the same way as health and safety officers. This can be a great way of scaling up your awareness-raising, improving two-way communications between the infosec team and the rest of the organisation, enhancing security without needing a big budget and improving the likelihood of an employee reporting an incident. But building and maintaining a champions programme from scratch can feel daunting. It's also very important to align a champions programme with your company culture, which means you need to understand your current culture, how long culture change can take and what elements of culture will be impacted by a champions programme.
Transcript [en]

Thank you so much, everyone. I want to start by thanking BSides London for welcoming us here. Thank you to the sponsors, the organizers and of course to you all for coming along and listening to Kevin and myself talk about building a champions program in an organization. We're going to cover what a cyber security champions program is, how you build one, why they are a good idea, what you can do to engage people and keep them motivated. We're going to talk about some ideas of how to measure whether your champions program is going well or not, and some of the pitfalls, some of the things that can go wrong. So we're gonna try and cover, you know, a nice

introduction to champions. There'll be some time at the end for questions. So whether you have never heard of a champions program, whether you are thinking of running one, whether you're running one already, hopefully there'll be something that you take away from what Kevin and I have to say today to help you. So to start, we're gonna introduce ourselves. Yeah, well, as you can see, this is us. So a little bit about me: I've worked for Hargreaves Lansdown for about two and a half years now. I am the cyber risk manager. It was formerly information security; I've actually changed the job title just because "cyber" is a little bit more sexy to use as a name, right? And the reason why

we're doing this is because when you look at defense, technology only goes part of the way, because let's face it, phishing emails are the easiest way to breach any organization, right? Is that debatable? Okay, you've got... ooh. So, Jess, you want to say a little bit about yourself? So I've spoken at BSides London a few times, but if you're not familiar with me, I'm one of the co-founders of Cygenta, together with FC, and I'm talking about this because my work is always on the human side of cybersecurity. So generally working on awareness-raising, behavioral change, cultural issues around cybersecurity in organizations, and I've worked with a few clients who either were establishing a

new champions program or looking to have a more successful champions program. And so Kevin and I, we share this interest in culture and in champions, and decided to come and share some of the stuff that we've learned with you all today. So a little bit of background on Hargreaves Lansdown, as this is a bit of a case study. So Hargreaves Lansdown is Britain's number one private investment supermarket, if you like. Okay, we started... not like that you see today... by two friends in a bedroom, and the business grew very, very, very quickly. We have around five million clients with almost 100 billion pounds of assets under management. I do sleep at night, all right?

The point of telling you this is that Hargreaves grew so quickly there was a lot of work to do. I felt when I got there two and a half years ago, I felt tackling this in a traditional way would not have worked, so engagement with people in the organisation and building a team of champions was something I embarked on, which I worked together with Jess on. And we see this a lot, so at Cygenta a lot of our clients will have grown really quickly, and so they're trying to think about how they manage culture, how they communicate effectively with people, how they try and encourage positive behavioral change. So Cygenta I run together with FC, and we work on the

human, technical and the physical sides of cyber security. We like to say that our main areas of work are like the three T's: so we do testing (physical, technical and cultural assessments), we do training (all sorts of different types of training), and we do lots of speaking about cybersecurity as well. Aside from this we do lots of other stuff, and as I've already said, one of the things that I've helped some of our clients with is building these champion programs and making sure that they're effective. So we're talking about champion programs today, and you may have a question: what is a champions program? Just a quick show of hands, who runs or who has a champions program running in their organization?

Okay, quite a few of you. Wonderful, alright. So from my perspective, what is a cyber champions program? It's made up of your most loyal staff, your biggest fans, and they're very, very helpful. They want to be part of security, for whatever reason, whatever their motivations are. One of the things I don't do is hold back when it comes to my champions; I want them involved, okay? So yes, my boss, I report to the CISO for Hargreaves, which makes things handy when I need to get something signed off or get some money, but I get them sitting with him, shadowing for the day, alright? They get involved with the physical security guys. If I've got my PCI DSS auditor on,

I'll bring them in and get them involved, let them see exactly how it operates, get them to understand the reason why it's important to have everybody understanding their remit in security. For the SOC, we have a SOC in Hargreaves, I get the guys sitting with the SOC for maybe a few hours of the day. If there's any type of incident, or red team or purple team, I get them involved to a point, and I also get them involved in penetration testing. So we've also got risk, and we work with fraud, so there's quite a few teams, and what I want them to do is have an appreciation and understanding of how the teams connect. And also having the champions there, made up

of different people, that's just like being, okay, but everybody's got a slightly different interest, so I open up the doors so it's not just information security; they can get involved in any part of the system. And I think it's a great way of doing that at Hargreaves, because the champions generally in an organization will be people, as Kevin has said, who have an interest in security for one reason or another. So with clients that have never had a champions program before, or people who've never come across the term, the way I like to describe it is a bit like kind of thinking of health and safety and your health and safety representatives throughout an organization. It's just the same, but with

cybersecurity. So I've found in some clients it will be people who ask the questions of the security team, people who report a lot of incidents, people who want to know more about personal security and asking some advice on that. Those are people that can make great champions. I've also found in a couple of clients, people who have actually found security difficult and who have complained about security, they actually can turn into great champions, because those are people who want to engage, and if you can get them to engage as champions they're usually really good at then going ahead and kind of flying the flag for security. So one interest that Kevin and I really share is around culture, and

we want to talk a little bit about culture, because the champions program can be really effective in positively influencing the security culture of an organization. So culture is one of those terms that can sound a little bit woolly, but we're hearing a lot about culture over the last year in terms of security. If you're not that familiar with, you know, working with cultures: culture in general is basically a way of life; it's the customs, the beliefs, usually of a particular group in society, and usually those cultures are represented through rituals, through art, through customs, through food. When it comes to organizational culture, there's been loads of studies of organizational culture, what that means, what it looks like, and essentially

organizational culture can be understood as the values and beliefs that underpin the behaviors of people in your organization. So the culture is kind of something that emerges through how people behave, which is based on what they believe is the right thing, the right way to be. And organizational culture is really influential when it comes to security in all sorts of ways. For example, if you have a culture of fear, where people are particularly punished, you know, if they click on a link or if there's an incident involving them and information security, if you have that kind of culture of fear where people are very worried about security, then what you're gonna see is people hiding

incidents, people not reporting stuff. So culture and security are really important: everything from how technical controls are implemented through to things like reporting of incidents, you're gonna see a huge impact on how security operates coming from the culture that you have around cybersecurity. And so culture is really important because it can influence, you know, how you bring about change programs when it comes to security; it influences your development cycle and whether security is built into that, whether there's good communications between the teams, and to the extent that you have insider incidents and to the extent that you know about them, the extent to which they're reported. Me now... sorry. So following on from what Jess

said, cultures take time to change, and you can measure it in months, probably years, it takes to change mindsets. So what's the point? What's the point in having security champions? I think having security champions enables a two-way conversation, so you can get metrics from anywhere in the business and try and measure the successes of what you do. We're in an industry which is very, very difficult to quantify. We don't produce widgets; all we do is ask for money, and you say "can we have X amount?" and then the response is "well, what do we get for our money, what are you spending it on?" "Well, we won't get a breach." Okay, so it's that constant battle of asking for money

and trying to understand where the value is. Having a champions program really does help you do that. You get good feedback, because you get an aggregated view from the business of exactly what the business perceives security to be, whether it's negative, whether it's positive, and those issues can be highlighted depending on the areas where the champions sit. And we'll go into that a little bit more in just a while, but it's really key to understand that they're not the police, you know. You want to get these guys operating at an effective level where they just seamlessly blend in, you know, and I think that's really, really important, just to get the right results out of it as well.

It's such an important point. I've seen some people who think, "great, we'll have a champions program because then we'll have people out there who can tell on everyone else and who can report back," and that's not really the way that you want to approach it. It should be about having a healthy culture and being able to listen. As Kevin has said, often people feel like communications from information security go one way, you know, and they're often told what to do with security. This way, having a champions program, you're giving people a voice; you're giving them a face in their department, someone they can go to with their concerns, with their questions, with their worries, and that is a really

healthy message to send: that we as information security are listening to the business. It also is a really great way of scaling up what you're trying to do in information security. So it's a question I commonly get: organizations that maybe don't have a lot of resource when it comes to cyber security, you know, don't have big teams, find it very difficult to get their messages out there. One great thing to do is to think about a champions program, because there you're really being able to amplify your messages. You have people out there in the business who know the business, who are known to their colleagues, who can take forward your messages and relay them to the people

around them. So it's a fantastic way of being able to scale up, and for me it taps really effectively into the notion of social proof. So social proof, if people have seen my presentations before you might have heard me talk about it: social proof is basically the idea that we mimic behavior that we see from other people. So, for example, there's been a study at the University of Pennsylvania, and they recently found that if 25 percent of a group start behaving in a particular way, the rest of the group are very likely to follow and mimic that behavior. So if a quarter of you get up and walk out the room now, Kevin and I are basically going to be

talking to ourselves. More likely, we're gonna follow as well, because it's kind of human nature to think, "oh, they must know something that I don't, they must know the schedule better than me, maybe they've heard a fire alarm, maybe, you know, there's some reason why that percentage of people are all behaving in a particular way, I'm gonna follow." So that's social proof, and social proof is most effective when the person modeling the behavior is someone we admire or we can relate to. So by having people out in the business as champions, you've got people out there that colleagues recognize, that they relate to, you know, they know the work that they're doing, they're familiar, and so you're

kind of tapping into the idea of social proof as a way of really scaling up and amplifying your messages. And this idea of culture that we've been talking about, as I said, I've heard more and more about this in the industry over the last couple of years, which has been absolutely fantastic to see people starting to recognize the importance of security culture. One thing I do is I'm the chair of an organization called ClubCISO. We're a members group, non-commercial; about 200 information security leaders in the UK, in Europe and beyond are members of ClubCISO. And one thing we do is we get the CISOs together, about 60 of them, every year, and we ask questions of them.

The results are all anonymous, and it's a way of us just finding out what's happening inside security from that group's perspective. So one question we always ask them is, what are the hot topics on your radar? And this year, this was the question, these were the possible answers, and we saw an overwhelming majority picking security culture as the number one hot topic for them. By a hot topic we mean something they're starting to think about, something they're aware that they should be working on, their priorities for the coming year. So we can see that culture is really important to CISOs, so it's really important to the security industry, and a champions

program is a great way of trying to influence culture in a positive way. So quick show of hands, who has something like this, a cybersecurity day which runs annually in their organization? Just a quick show of hands. Okay, so a few of you. For the ones that don't, it's brilliant, because what it does is it promotes information security, cybersecurity, whatever you want to call it, security; it promotes it, all right? It brings it into the limelight, and this is where I get my champions to show off their wares, okay? So they get involved with the planning and the running of the event. We do all sorts of stuff, okay, run several different stations with different games, and the

guys will man the stations: do some password cracking, lock-picking, phishing email test, Have I Been Pwned, and all sorts of different things on cyber security days. They also get involved with distribution of material. Now I have around about 60 to 80 champions at the moment. They are spread quite evenly amongst the business. So in what we've got, the call centre, there's probably a higher population, but we've got a small detail of about ten people; in the finance team we've probably got one or two, for example. So they represent their areas, and getting them to hand out things like these little badges, which is the things I want them to focus on, right: wear your badge, don't click malicious links, all

right, use your Windows key and L for locking. Figure out what the objectives are and the requirements for your organization and get them out there. It gives them really, really good presence in the business. It shows the business the value that they're getting out of security functions: rather than just being a figure on the payroll, they're actually adding value by leveraging the other people in their department. And it also gives them that familiarity, so in terms of conveying messages, your champions can convert the message to language that the local team will understand, rather than you just speaking in tech terms all the time. The fantastic thing about champions programs is you can make this model fit

according to the resources you have, the kind of organization you have, your requirements and what you want to get out of it. So there's completely different models depending on the context and your particular organization; depending on your budget there's all sorts of different things you can do. And I've seen this approach taken in organizations that have really small security teams and really limited budgets, through to organizations that have really large security teams and a fantastic, really healthy budget to play with. There's lots of different things that you can do. Some of the benefits are that you will engage with your champions to build threat models and help you to understand, you know, the kind of threats

that the different parts of the organization are facing. You can have champions involved in security reviews, in research and development. I have seen some organizations have champion programs that are very kind of bug-bounty heavy and that have kind of a "hack the organization" kind of approach. One approach that I've seen really successful in organizations that have a limited budget is a train-the-trainer one. So essentially, you know, if you have a really small team and you have very limited constraints around raising awareness, then you have one person in the security team who trains some of the champions, trains them not only in kind of some security material but also how to deliver that, how you want it

delivered, and then those champions go on and train other champions. And it's almost like a waterfall, kind of tree effect, where you're building on top of each other in terms of the network. It's a really good way of developing best practice, enhancing decision-making, you know, making sure you're listening to the business. Lots of different things that you can do with your champions program depending on the needs. So I've said there's lots of different approaches: some approaches will make being a champion kind of part of somebody's job description and will actually pay them for it; others, it won't be part of the job description, and this is more common, it will be something that people take on

in kind of a volunteer capacity. And these approaches have pros and cons, you know. Obviously if you're able to make it part of somebody's job description, if people are able to get paid for it, then that's really good in terms of recruiting people; it can be more attractive to some people, it's something that people feel more comfortable with because it's part of their job description, you know, they know they're gonna have the time for it, it's something official. But they may not be intrinsically motivated, you know; these are people who are doing it because they're getting paid, because it's, you know, part of their time, it's part of their job description. So that's a good thing, but

it has the limitations sometimes in terms of whether they genuinely want to be doing it. If you're not able to pay people, which is more common, and if you're asking people to volunteer for this position, then it can be harder to recruit people, but certainly not impossible. But the people that you do get signing up to be champions are doing it because they want to, you know, because they're really motivated, so engaging with those individuals and sort of long-term retention of those people is going to be stronger. So depending on your options there's pros and cons, and there's no one-size-fits-all. There's not necessarily a right or wrong way of doing this; it's just about understanding what's right for you and

for your organization. So in terms of recruitment and actually establishing the process from scratch, that's pretty much it, and you can find this on OWASP, okay? Being in a heavily regulated industry, you've got FCA, GDPR, PCI DSS, yada yada yada. It's really, really key for us to make sure we're training people and giving awareness throughout the year, and what I've done is I've mandated that information security actually does the induction, or is part of the initial first-day induction. That also puts an emphasis on the importance of security, so, you know, within the morning, within an hour, these new recruits are engaging with me, and guess what, this is a perfect time for me to pitch. So I talk about

all the activities that we do as a collective in security. I try and make it sound really interesting and exciting, and what I often get at the end of that is someone going "can I hear a little bit more?" And that's my recruitment process. Now to establish it, obviously I've got people who have been there for a while. I spoke to senior management, they backed the idea. I'd actually asked some of the directors to become security champions; some of those positions are delegated, but what I did achieve was a really good mix of people throughout the business to represent each and every department. So you cannot walk into my company without seeing a champion somewhere in one of the teams that you

can refer to. So the first thing in terms of identifying, for me, I like to go all out, so I have, like I said, somebody in each department. And then defining the actual role: what is it you are trying to achieve? I always ask that question, so sometimes people can have champions for champions' sake, but there's going to come a point where you need to keep maintaining that relationship and that interest, so it's really important to have your objectives set out in the terms of reference so people understand exactly what they're getting. Engage with their managers and support them to do their jobs; you get them to understand that this is just part of their job and not additional.

Nobody wants extra work to do, do they? Alright, at least I don't. Anyway, and nominate the actual champions as well. So how do you identify them? Well, I've already mentioned recruiting, but who do you talk to amongst all the different peer groups throughout the business that talk in that language? Who shows more interest and wants to engage with you? Are you having those conversations with them to understand whether they want to join the team? Have you had people apply for jobs and not been successful? Those are also really good candidates to look at. And then you have to look at your communications channel, because if I'm honest with you, none of this stuff is just straightforward and

easy, okay? Everybody has a different job to do, they're working at different times, they prefer to communicate in different ways, and you have to kind of understand that. So we use wikis, we use emails, we use Confluence pages, we use all sorts of different ways to communicate. We also have team meetings; I'll do lunch and learns. To be honest with you, there's not much I wouldn't do for my champions, because showing that time and commitment is really important to invest. As I've said about the wiki pages, having a really strong knowledge base. Now you may have people in your business that want to become a champion but don't necessarily have the confidence; they think "it's too technical, I don't want to

get involved, I don't understand IT." Actually, try and simplify it for them and give them that confidence, because what do you really need them to do? Report back on any issues, problem areas that you want to target, things that you want to fix in the organization. So try and understand exactly what you're trying to achieve. And maintaining the interest: so you do all the hard work and then you get to a point where it almost becomes boring, and what are you gonna do, have another champions meeting again, right? "Who's found the breach, or how many breaches?" You try and make it a little bit more dynamic and actually have your team... you can have a little core team of champions,

let them suggest what activities to do. I do different things, so I can bring champions to conferences, they get involved with penetration tests like I said, and get them sitting amongst different teams as well. And we have a different calendar of events, so we bring in guest speakers, you do learn from those, we do all different types of things just to keep up their level of interest. And then ask them, ask them if they're getting bored, ask them if they want to do something different and put it on the table, and just have that constant two-way dialogue so you've got a really rich relationship. So this isn't me, by the way, these are the champions. As I've

said, often you are finding people as champions who aren't gonna be financially rewarded for taking on this role, and so then you're thinking about how to engage and motivate people who are taking on this responsibility on top of what they already do. So you're looking for people who have an interest in security. I'm doing a lot of awareness-raising for clients, and I often find people will come at the end of a session and ask questions about personal security. So they'll ask me about, you know, they're worried if their Gmail's been hacked, if their Instagram's been hacked, they're worried about their kids, they're wondering how they can stay safe at home, and these people are ideal for being

champions, because they're individuals who, you know, they're not experts in security, that's not what you're looking for for a champion; they're people who are motivated to find out more, they're interested in finding out more, and they've got an intrinsic reason for wanting to be a champion. If you're a champion, you know you're going to be exposed, as I said, to more learning; you're going to be finding out more about security, and then you're able to take that away and apply it at home. So finding the people who are interested in security for whatever reason, whether it is people who are interested because of their personal lives, people who maybe are thinking about transferring to security at some

point in their career, people who have been involved in incidents and they've had their eyes opened as to how important security is: these are all people who you may want to follow up with and say, you know, "would you be interested in being a champion and having this opportunity to learn a bit more and get a bit more experience about cyber security?" It's really important to keep people engaged, as Kevin has said, to make sure that people feel that they're rewarded, that they're welcomed, that they're included. I think we're in a fantastic opportunity with cyber security in general, and particularly with champions, in that the awareness of this subject has never been higher. In the

news people are constantly being confronted with stories of data breaches, vulnerabilities, you know, cyber attacks that are happening on companies. We're having companies talk about this stuff more and more internally, we're seeing cybersecurity as, you know, subjects in mainstream TV programs and films, so people are aware of security in a way that they weren't even a few years ago. And this means that people are more interested in it; they just don't know where to go, don't know how to find out more. So try and tap into that higher level of awareness and interest in security by approaching people about being champions. There's a carrot, okay? So how do you motivate these champions? I think one of the most important things

is just simply to thank them for their efforts, because thanks goes a long way. For some people they don't need much more than that, but a little bit of recognition for the efforts as well. So send an email, take the time out, just drop an email to their line managers and let them know their engagement's been appreciated and it's actually done some good as well. Company recognition: so Amazon vouchers don't cost too much; if you've got some budget, figure out some things on rewards that you can give to your champions. I might be really interested to hear some of the ideas that you guys have as well. So giving away goodies, and just having that chat amongst themselves and

communicating issues that they have is also really, really good. A really cool thing, actually: I was over in the States last year and I went to a conference that was all about kind of awareness in higher education in terms of cybersecurity, and I was talking to a guy there who runs a champion program for a university. It's a university in the States that has a lot of money, but what they do sounded really cool. Every quarter he sends out a box of kind of champion goodies to the champions, and it has in it the kind of stuff that Kevin was talking about earlier, you know, like maybe a poster, some flyers of the latest kind of security messages, some

kind of giveaways and things that they want to distribute out to the organization. So these get sent every quarter to the champions, and what this guy does to make it a little bit more interesting, he was a sort of larger-than-life character, a lot of personality, really fun guy, and so he films videos of him packing up the box and puts them on the intranet for the champions to see. And he said that the champions respond really well to that, that it's almost like Christmas every quarter where they get to see him packing up this box and, like, ah, here's the next poster, it's going in, and making it sort of a whole fun thing. So they're amped and they're ready to receive this box full of goodies that they're then excited about distributing out to people. So I think you also spoke about some really good stuff earlier about bringing in external speakers, giving your champions some exclusive content. If they're people who are interested in security, then giving them a little bit of extra learning, as you said, bringing them along to a conference, asking them if they want to maybe do a certification, if they want to actually get a qualification in security and maybe you're able to support them in that, something that just offers them a little bit of extra learning and helps add to their CV, their professional development, or supports them in security at home.

I think those are all great ways, Sally, and I think one of the other things is not to forget exactly what you want these champions to achieve for you. So share the successes of what you're asking them to do: if you've had a reduction in breach notifications, or an increase in reported phishes because people are taking more notice of the emails, then tell them that, let them know they're actually making a difference, because that's why they're with you in the first place.

So I think that's really... yeah, I think that's actually the most important point, because champions are gonna be people that want to have a positive impact, and so being able to communicate to them that they're achieving that is gonna be one of the most important things for actually keeping them engaged. We're all busy people, and your champions knowing that actually them spending the time committing to this is actually working, then I think what better reward can you give them than that? I've seen some other organizations do special champion mascots, and they've had the champions pick the mascot themselves, and then that mascot will go on to mugs, t-shirts, whatever it might be, stickers, and that's a fun way of building up that team dynamic, I guess. So goodies are a good thing, but I think the rewards in
terms of achievement and in terms of feedback to people's line managers, that's probably going to be even more effective than goodies.

So speaking of being effective, how do you measure whether the champions are working, whether it's a successful thing to do? Because obviously this is gonna be taking up your time, it's gonna be taking up their time, and people always want to know, you know, how are we measuring security and what's actually working. One of the key things to do, of course, is checking in with your champions, making sure you're trying to have regular conversations with them. It keeps them interested, but also it's a way of hearing back from them what's working, what's not, what support they need that maybe you're not providing at that time. Also, when you have a champions program, as Kevin said earlier, it's thinking about what behaviors in the organization you want to influence. If you identify those behaviors and then you shape your communications around those, I would highly recommend doing a measurement of those behaviors before the champions program starts, or before they start concentrating on your particular issues, and then do a measurement after it's been rolling for some time. So thinking about the behaviors you want to see change, and then measuring whether that actually happens, is going to be the best way of getting that feedback. There's lots of different ways. People often think the human side, awareness, behavior, culture, that's really hard to measure, and that's not true, that's a myth. There are lots of things you can do to measure whether your awareness initiatives are working, whether behavioral change is happening, whether you're developing a more successful security culture. There's plenty of things out there that you can do. If you want to talk to me about how we do that scientist, I'm happy to talk about that after this presentation. But other things you can do, of course, is look at your incident reporting: if you see your incident reports go up after you've started a champions program, then I would say that's a really good sign. It's not that you're having more incidents, of course, it is that the champions are facilitating the feeding back of those incidents. What you're seeing is a positive change in your culture where people feel more able to identify incidents, or more able to report them, and that's really effective.

Pitfalls. So does anyone remember this game? I'm showing my age. Actually bought an Atari the other day, an old one, penny me, that's something different. There are lots of pitfalls with this, and that goes to Jess's comment about value for money and benchmarking and showing exactly what the attractiveness of a team is; that's really important. Definitely try and catch up with Jess about that, because we've done the benchmarking exercise, which is fantastic. I could then give that report to the
exec and they know exactly what value they're getting out of the business. All right, but in terms of engagement, checking in with them regularly: I literally have a list of all my champions and I make a point of contacting each and every one of them face to face each month if I can. I do my best just to do that. They're too busy to engage: everybody's got a day job. How can you build in what you're asking them to do as part of their role, rather than an additional thing? So you can avoid that if you just give them a little bit of your time. And if they're too overwhelmed, well, why are they overwhelmed? What can you do to reduce their stress? Maybe it's not right for them, maybe their job's pressuring them, or maybe what you're asking them to do is way beyond and above what they're capable of doing, so ensure that you're measuring that as well. Unable to answer questions is one of the things I always get. As soon as I recruit a champion they say to me, well, how am I going to answer technical questions? A question for you is, is it their job to do that? Maybe it isn't. But if you do want them to, what are you giving them? So I give them a Confluence page, for example, they can refer to it, or I just say direct it to my team. You don't have to answer everything. Well, don't be pressured; you can park what you've been asked and then ask me later on and I'll answer it for you. So you just take that pressure off them just a little bit. Champions acting like police. I mean, does anyone have an issue with champions trying to throw their weight around in the organization? I can't put my hand up though, because I don't... You, dude, can you share your example? Do you care to do that? You're not, but you can understand how power can go to someone's head, all right? So it's just important to make sure you're dealing with that from the outset. And you yourself, if you run the champions program like I do, being overwhelmed with questions: now, if I stick my head above the parapet and put my hand up and say I want to build champions, that's part of the job, right? It's what I've signed up to. But you can put things in place to help yourself, like, as I go back to, a wiki, or asking your team to help you out, so you don't have to be the person that they link in with all the time. Sometimes it's gonna be the CISO because I'm not around, but make sure they've got someone to go to all the time if they need to contact your team.

I think also having them, and I know this is something you do,
is having them as a network where they can support each other, so that they're not always coming to you with their questions. Actually, if they're getting a question that they know someone else, another champion, has had, then they can reach out to each other, communicate with each other independently of you. That can take some of the pressure off you to always be the one that they're coming to.

And having that mesh network, so like I said, getting the guys to sit with the pentest crew, the SOC, the physical security team, get those relationships established so they don't have to come to you. If it's a physical issue they go to the physical security guys, and so on. It's quite simple.

So before we go to questions, and I'm gonna warn you, I've actually got a question for all of you as well, but before we get to that, we just want to summarize what we've been talking about today. If you are running a champions program, or if you're thinking about running one, these were the key things that we wanted you to take away and think about. Planning and preparation is really important. Some people have spoken to me about champions programs and they kind of think it's like a silver bullet, and it's not that at all. As Kevin said, you know, it does take hard work and it's gonna take time for you to develop and turn into a success. The more you plan, the more you're able to think about the logistics of how it's gonna work, the more you're able to prepare, the more successful it will be. So spend some time up front thinking about that, thinking about your organization, also being really realistic about your time and how much time you're going to be able to commit to this. That's a really important thing to be honest about with yourself up front. As Kevin said, motivation: you know, how you motivate people, what the carrot's going to be, because this is not the kind of situation where a stick is gonna work. You're not going to be able to really have a go at your champions, especially if they're volunteers. So you need to think about actually what can you do to keep them engaged, how can you motivate them. And actually, as Kevin said earlier, one of the most successful things with that is asking them: what do they want, why are they being a champion? So what can you do to make sure that you reward them and keep them happy? And also how are you gonna measure it? How are you gonna be able to answer to the CISO or the board or whoever it might be, the rest of your team, as to whether this is actually working? Think about your metrics, and thinking about that up front means you can start measuring from the beginning. No
one-size-fits-all. So Kevin's been able to talk about the case study that he has in terms of Hargreaves Lansdown. I've seen lots of different approaches to this. That for me is a really big benefit: that no matter what organization you're dealing with, there's gonna be a way of tackling this that will be successful for you, and it's a great way of scaling up, of reinforcing your efforts and of trying to positively influence the culture that you have around security. It's also a chance to listen, and this is something I mentioned Club C so earlier. So I speak a lot with CISOs, and it's something that CISOs have been increasingly saying to me: they recognize that security is no longer just about telling people what to do, that approach doesn't work, we need to listen much more than we talk, and this is a really effective way of being able to listen to the business. So they for us were the key points about what we were trying to convey in terms of the champions program. We're really happy to take questions now, but I wanted to kick it off by asking a question of all of you. So I was recently speaking to the CEO of a really large global company, and this is a company that wants to have more of a positive impact in the community around them. They're really aware of their corporate social responsibility, and as a security team they have lots of money and they're able to do some really cool stuff, but they're aware that, you know, the area around them geographically, the organizations around them, don't have the same budget that they do. So they were asking me, what can we do if we're a company with a healthy budget and we're able to do loads of cool stuff with security, what can we do to have outreach beyond this company, what can we do to actually be positive in the community? And I thought, what better than a cross-company champions program? So we always think about champions programs, or I've always come across them, where they've been internal to a company, where it's been thinking about positively influencing the security culture in that organization. But can we think about a champions program that works across companies, so we're able to actually scale up what we're trying to do? So it's not just about making one organization safer and more secure, which is of course a good thing, but what can we do to actually make many companies, many organizations, more secure? And so I was interested whether people think that could work. If you think it could or it couldn't, I'd love to know your opinions on it. If you are interested in trying to develop something like that, then please do reach out, you know, either speak up now or come and find me after, find me on
Twitter, email me, whatever it is, but I'd love to talk to people about maybe trying to develop something like that. So happy to take opinions, comments, questions on that, or on anything that we've spoken about today. Cool, do we have... yeah, we have a question at the front, I think there's a mic.

[Audience question, partly inaudible] So often there are suggestions on the crowd. I would imagine that cross company can work, but my goal is that the company into the community first, because there's less potential cause with publishers, that would be, I mean, my what was going to have a tour extent do you hazard speaker that in your experience, have there been any problems about giving the access to the champions government? How do I deal with it, somebody that you don't want them? [Laughter]

It's not a challenge I've had, and I'm quite clear in my mindset what I want to achieve, so from the data everybody understands where they are, so I tend to have quite good successes with champions. I think the key thing is to set out your stall formally; if you're not clear in terms of the agenda... I make everything formal. There's a terms of reference, everybody knows what to expect, okay, so this isn't just a little thing that I'm doing on the side and everybody comes for a little bit of a sandwich and a chocolate cake. That's not gonna cut it, no. My environment is very heavily regulated, so when I have my auditors come in, whether it's ISO, PCI, I want to demonstrate that actually we're adhering and we're very compliant by giving extra awareness training, so metrics are built in. Like I said, doing a cultural assessment to show benchmarking, where you were before to where you're trying to get to, all those things should be concentrated on. And as long as there's a really strong focus and you don't just onboard anybody, don't be desperate. I think if you've got four people wanting to be a champion, you know, trying to get to a hundred, do you know what, they're gonna deliver a lot more value for you with those four people if you concentrate all you have on them, than having, you know, the other ninety-six idiots in there running around. So I think it's just really important to set your stall out and be really clear.

Yeah, I completely agree. I think this is where the preparation point is really important. In launching a champions program without having an idea of what you're trying to do, what you want from the champions, if it's very vague and open, that's more likely to lead to that kind of confusion about what the role looks like, and people may be delivering in a way that you didn't have in mind. But if you put in the preparation at the start of, this is what
the role is, this is what it looks like, here's the terms of reference, do you sign up to that, you are not the police, yeah. That thinking for me is the key thing up front, and then you find that the people who engage with that are the kind of champions that you're looking for.

One last word is just to lead by example, so set the example to follow, because they're doing something that you don't have a blueprint for necessarily.

[Audience question, largely inaudible] Oh, mr. Mike on please, that's the only fire engines and therefore necessary services, at what level you have informative easily for themselves experience, I'd like to you, I hope these regards for you, Maya Pina the Fox Company possible anywheres, but as I think your two primary barriers, I think one was touch with obesity my hands for me, but one needs I would expect her soul are these issues, they're sweet heels for this versus tooth, and outsider looking at business pasta teases us to do, there's legend uncle dentist name of mother, so they're gonna look at you is absolutely actually pursuing as opposed to cocaine surely they don't have that, I think you saw by the community happy day architect west coast's, but the other one, this is the one where highly disturbing awareness name is most likely GDP honor, this negative is there a way to lose your costume, that's at least a lot, even think I do too when initiatives, but beat Maskull is you can't pedal see Tommy effectively, not such as long engines and explosion years, longer terms of effort cetera Ethier in, so you gotta focus in here people not necessarily useful, often Susan needs a new server to.

Okay, thank you, I appreciate it, very good points.

[Audience comment, largely inaudible] For true yes, is the points really in terms of sharing this region particular incidence and even particles cultural teeny particles, particularly in supply mastectomy, however I do you think the particular industry sort of third sector challenges, well mr. football run internal to engage in that space, because it's like general operated since is horses, and I already do a lot of collaboration report in other areas of there, so it may be much more likely to get that talkative kind of approach each dress, thank you.

Yeah, I appreciate that. That probably makes more sense, keeping it sector specific in terms of the kind of threat landscape and everything like that. So yeah, I appreciate that, thank you. We have another question or comment here.

[Audience question, partly inaudible] If you guys have any advice to come out sort of chocolatey where they deferred into in terms of program or formalize it, may be wrong, but you found that in your company there chat, we both say base protection champions, health and safety, quite engagement, so should that knew there was a general perception that an attack she may be necessarily?

Yeah, so
I have come across this challenge in a previous life, so a suggestion was made. I want though I had my security champions, and there were also risk champions, then the fraud guys wanted to get fraud champions as well. It's just a champion overload really, isn't it? So actually what we did is we sat down and looked at what would be the core competencies, and actually we were able to merge the groups together. I don't think that's gonna be possible in every single organization, it just depends on the dynamics, but it is possible to have those conversations to see if you can actually get some mutual gains, so maybe try that approach.

Yeah, I'm seeing that happening in another organization right now where they currently have data protection champions and they're thinking about broadening that out to security, so they're having those conversations right now. And I think that's all you can do, is try and really discuss, well, what are the aims, what are the objectives, what are we trying to achieve here, and can we collaborate on this, rather than, yeah, having a champ... everyone was a champion for something, or the same people are all champions for everything. Do we have any other questions or comments? We have another one at the front, there's a mic on its way.

[Audience question, partly inaudible] So to what extent to heaven see our new champions Bourbons with actual organizational structures for information security, and within different business units, very common, would you have the champion work alongside the security officer in that business unit? And the other one is related to that: how does this relate to a DevOps environment where you're trying to get the developers to be more secure?

Yeah, so I'm gonna free plug a couple of things: Secure Code Warrior and Immersive Labs. I think those guys have really good tools in terms of engaging developers and having that language. I didn't think it would be appropriate for champions necessarily, unless they're already developers and they understand, to be chucked into the lion's den, because I know developers can be like, right, very passionate, fantastic creatures. And could you just remind me of your first question again? Yeah, we don't really have it in that way. So in terms of what I do at HL, I don't align it in that way, because we don't have security officers in that kind of makeup. But like I said, what we do do, or I have deliberately done, is I've reached out to the management of each department, whether it's HR, marketing, finance, etc., and I will place, or I'll have nominated, somebody who is interested in doing it. So I don't think it's about making people do something, it's about making them want to. So a lot of my job is about selling the role to them and trying to align it to exactly what they're doing in that discipline, whether it is finance or marketing, if that makes sense.

On that note, I think we're out of time, so I just want to thank you all, thanks to Kevin for us, and yeah, it's been a pleasure speaking to you all. Thanks for your time, thanks for your attention. [Applause]