Schulung

Security Champions in the Enterprise: Multipliers Instead of Lone Fighters

TL;DR
  • Security Champions are employees from business departments who act as multipliers for information security. They do not replace the security team but extend its reach into the organization.
  • A typical Champions program has one Champion per department or per 20-30 employees. Champions invest approximately 5-10 percent of their working time in the role and retain their original function.
  • Selection is based on voluntariness, interest, and communication skills — not technical expertise. The best Champions are people who are respected and trusted in their teams.
  • Enablement includes initial training (1-2 days), monthly community meetings, access to information, and direct communication with the security team. Champions do not need certifications but a solid foundational understanding.
  • The greatest value of Champions lies in early detection of problems, practical communication of security topics, and feedback from departments back to the security team.

The Scaling Problem of Information Security

In most mid-market companies, the information security team consists of one or two people: the Information Security Officer (ISO) and perhaps one IT security specialist. This small team is responsible for the entire security architecture, policies, awareness training, incident handling, and compliance evidence.

The problem is obvious: two people cannot be everywhere at once. They cannot sit in every department meeting, accompany every project from the start, or speak individually with every employee. The result is that security topics often come to the table only when a problem already exists: an incident, an audit finding, or a regulatory requirement that is not being met.

Security Champions solve this scaling problem. They bring security competence into business departments without requiring the central security team to grow. They are the eyes and ears of information security in the organization: close to daily processes, familiar with the specific challenges of their department, and able to communicate security topics in the language of their colleagues.

The concept originally comes from software development, where Security Champions in development teams have been established for years (under terms like "Security Advocates" or "Security Liaisons"). Extending the concept to the entire organization is the logical next step.

What a Security Champion Is and Is Not

A Security Champion is an employee who, alongside their regular role, takes on additional responsibility for information security in their team or department. The role has clear boundaries that must be communicated from the start.

What a Security Champion is: A point of contact for security questions in the team. A mediator between the security team and the business department. A multiplier who carries security messages into the department. An early warning system that identifies and reports potential risks. A role model who exemplifies security-conscious behavior.

What a Security Champion is not: A replacement for the security team. A security expert who answers complex technical questions. A person responsible for implementing security measures. A controller who monitors colleagues' behavior. An additional full-time job.

The distinction is important because both extremes endanger the role. If Champions are exploited as a substitute for missing security resources, they quickly become overwhelmed and frustrated. If the role is too vaguely defined, it degenerates into an honorary title without impact.

Building the Champions Program

Building a Security Champions program follows defined steps that ensure the role is properly positioned from the start, the right people are selected, and the necessary support is provided.

Step 1: Secure Sponsorship

Before launching the program, you need executive support. Champions invest part of their working time in the role, and this time must be accepted and planned by their managers. Without a clear commitment from executive management that the Champions program is desired and supported, it will fail due to lack of time allocation.

The argument to executive management is simple: a Champions program costs less than an additional full-time position on the security team but achieves a significantly greater impact because it brings security competence decentrally into the organization. The average investment per Champion is 5 to 10 percent of working time — approximately two to four hours per week.

Step 2: Define the Role

Create a clear role description that covers tasks, expectations, time commitment, and support from the security team.

Typical tasks of a Security Champion include: participating in monthly Champions meetings, forwarding security information to the team, answering simple security questions from colleagues, escalating complex questions to the security team, participating in the security assessment of new projects and tools in the department, observing and reporting potential risks, supporting awareness measures (e.g., conducting short team briefings), and relaying feedback from the department to the security team.

Step 3: Select Champions

Selecting Champions is the most critical step. The wrong people in the role can doom the program from the start.

Voluntariness is essential: Champions who are forced into the role will view it as a burden and invest minimally. Advertise the role and invite interested employees to an informational meeting.

Communication skills over technical knowledge: The Champion must be able to explain security topics clearly and build trust with colleagues. Technical expertise is desirable but not decisive because it can be built through the training program.

Respect and influence in the team: The Champion should be someone who is listened to in their team and whose opinion carries weight. This does not have to be the manager (in fact, a manager in the role is often perceived as control) but rather a peer whom colleagues trust.

Diversity of perspectives: Ensure a mix of departments, hierarchy levels, and experience levels. A Champions network consisting solely of IT-savvy employees will not reach the departments where the greatest need exists.

The recommended number is one Champion per department or per 20 to 30 employees. For an organization with 200 employees and eight departments, that would be eight to ten Champions.

Step 4: Enable Champions

Initial training takes one to two days and covers the following topics: information security fundamentals (CIA triad, threat landscape, regulatory requirements), the Champion role (tasks, boundaries, communication with the security team), current threats and trends (phishing, ransomware, social engineering), the organization's security policies (what applies, where the documents are, who the contacts are), and practical exercises (recognizing phishing emails, evaluating suspicious situations, raising security questions in projects).

After initial training comes continuous development. Monthly Champions meetings (60 to 90 minutes) are the heartbeat. In these meetings, the security team discusses current threats and incidents, Champions report from their departments (observations, questions, feedback), awareness measures for the next month are jointly planned, and Champions receive training on specific topics.

Step 5: Integration into Daily Work

The Champions role must be integrated into existing structures so it is not perceived as an add-on task that drops off first when workload is high.

In department meetings: A standing agenda item "Security Update" (5 minutes) where the Champion addresses current topics. This can be a warning about a current phishing campaign, a reminder about a new policy, or a tip for securely using a specific tool.

In projects: The Champion is involved in new projects in their department to address security questions early. This does not have to be a formal security review but can be a brief conversation: "What data does the new tool process? Where is it stored? Who has access?"

In onboarding: The Champion welcomes new employees in the department and provides a brief introduction to the security topics particularly relevant to the department. This supplements the formal security training in onboarding with practical, department-specific context.

Maintaining the Champions Community

A Champions program lives through its community. Champions must feel like part of a group pursuing a shared goal, exchanging experiences, and supporting each other.

Communication Channels

Set up a dedicated communication channel for the Champions: a Teams or Slack channel where information is shared, questions are asked, and experiences are exchanged. The security team uses this channel to share current warnings and information. Champions use it to ask questions and report observations.

This channel also serves as an early warning system. When a Champion reports a suspicious email received by their department, the security team can send a warning to all Champions within minutes, who in turn spread it in their teams. This information flow is faster than any formal communication.

Recognition and Appreciation

The Champions role is voluntary and comes on top of regular work. Without recognition, Champions lose motivation over time. Recognition does not need to be expensive but must be visible.

Options for recognition include: mention by name in corporate communications, invitations to security conferences or workshops, an annual Champions event (dinner, team building), a certificate or award, consideration of the role in professional development and annual reviews.

The most effective form of recognition, however, is the experience that one's own work makes a difference. When a Champion sees that their report led to a swift response, that their feedback improved a policy, or that their colleagues have become more attentive — that is more motivating than any formal award.

Managing Turnover

Champions rotate: they take on new tasks, switch departments, or leave the organization. Plan from the start a process for transitions: who takes over the role when the current Champion departs? How is the successor trained? How is the handover organized?

A proven practice is the buddy system: each Champion has a deputy who steps in during absences and can take over the role during transitions. This also ensures the department is not left without a Champion when the current one is on vacation or sick.

Measurability and Effectiveness

As with any ISMS measure, the Champions program must be able to demonstrate its effectiveness.

Quantitative metrics: Number of reported security incidents and suspicious observations (target: rising, especially in the first months), phishing click rate in departments with Champions vs. without Champions (target: Champions departments perform better), participation rate in training and awareness activities (target: rising), number of security questions in projects (target: rising), incident response time (target: declining, because Champions report faster).

Qualitative metrics: Feedback from Champions in monthly meetings, feedback from employees in departments (e.g., through employee surveys), quality of reported observations (are only obvious phishing emails reported or more subtle risks too?), the security team's assessment of collaboration with departments.

Typical Challenges and Solutions

"I don't have time for this": The most common challenge. Solution: clear agreement with the manager on time commitment (in writing), task prioritization (not everything needs to be done immediately), integration into existing meetings instead of additional appointments.

"My colleagues don't take me seriously": This can happen, especially when the Champion is younger or less experienced than their colleagues. Solution: support from the security team (joint appearances in department meetings), backing from the department head, gradual credibility building through useful, practical information.

"I feel overwhelmed": Champions are not security experts, and some questions exceed their knowledge. Solution: clear escalation paths to the security team, a FAQ collection with answers to common questions, and clearly setting the expectation that not every question needs to be answered immediately.

"The program loses momentum after launch": Initial enthusiasm fades, meeting attendance drops, activities decrease. Solution: regular refreshment through new content and formats, recognition and appreciation, involving Champions in exciting projects (e.g., tabletop exercises), feedback rounds where Champions can voice their wishes.

Practical Examples: What Champions Actually Do

To make the role tangible, here are some situations from a Security Champion's everyday work.

The new cloud service: The marketing department wants to introduce a new social media management tool. The Security Champion asks three questions: where is the data stored? Who has access? Is there a data processing agreement? They forward the answers to the security team, which conducts a brief assessment. The result: the tool is approved but with restricted permissions and two-factor authentication. Without the Champion, the department would probably have just signed up and started using it without IT security ever knowing.

The suspicious email: A colleague shows the Champion an email they find suspicious but cannot definitively categorize. The Champion recognizes the signs of a spear-phishing email, reports it via the phishing button, and informs the team. Within 30 minutes, the security team has analyzed the email, blocked the sender, and sent a warning to all employees. Without the Champion, the colleague might have deleted the email — or worse, opened the attachment.

The project kickoff: At a new IT project kickoff, the Champion asks: "Have we defined the security requirements for the project? What data will be processed and how do we protect it?" The question comes from the project team itself, not from IT security, which increases acceptance and positions the topic as a natural part of project planning.

The onboarding: A new employee starts in the department. The Champion welcomes them, shows them the phishing report button, explains the clean desk rules for the department, and introduces themselves as the point of contact for security questions. "If you're unsure about an email or have a security question, just come to me." The new employee knows from day one who to contact and has a low-barrier entry point to the topic of security.

Distinction from Other Roles

The Champions program does not exist in a vacuum but alongside other roles with a security dimension. The distinction must be clear to avoid conflicts and duplication of effort.

ISO (Information Security Officer): The ISO is overall responsible for the ISMS, defines policies, conducts risk analyses, and reports to executive management. Champions support the ISO by carrying their messages into departments and channeling feedback back from the organization. Strategic responsibility remains with the ISO.

IT Security / IT Security Team: The security team implements and operates the technical security measures. Champions are not technicians and do not take on technical tasks. They are the bridge between the technical team and the business departments.

Data Protection Officer (DPO): The DPO is responsible for data protection. Champions can address data protection topics in their teams, but data protection legal questions are always escalated to the DPO. In practice, overlaps exist that are resolved through a clear responsibility matrix.

IT Coordinators / Key Users: In some organizations, IT coordinators or key users already exist in business departments. These roles can be combined with the Champions role if the person has the capacity. The combination has the advantage that the point of contact for IT topics and security topics is the same person.

Champions Program in the ISMS

The Champions program should be documented as a measure in the ISMS — in ISMS Lite, the program can be structured with role descriptions, training plans, and metrics. The documentation includes the role description, the current list of Champions and their departments, the training plan, protocols from monthly meetings, the collected metrics, and the annual program review.

For ISO 27001 certification, the Champions program demonstrates implementation of Annex A.6.3 (Awareness) and A.5.2 (Roles and Responsibilities). Auditors generally view it very positively because it shows that the organization does not view information security as the task of a single department but as an organization-wide responsibility.

A well-functioning Champions program changes how information security is perceived in the organization. It transforms security from an abstract IT task into a concrete, tangible responsibility anchored in every team. The ISO is no longer the lone fighter battling windmills but the coordinator of a network of engaged colleagues who collectively raise the organization's security level.

Further Reading

Document your Champions program in the ISMS

ISMS Lite helps you document your Security Champions program, track training activities, and maintain evidence for ISO 27001 and NIS2.

Install now