Nowadays, it should be a matter of course that companies take security and privacy awareness measures seriously by dedicating appropriate resources and budget to them. As a company, you need to trust that each employee understands how to adopt and to apply knowledge about security and privacy to his/her daily work, but you don’t have a guarantee that this is actually the case for everyone.
Training for the individual staff member – essential, but not the only priority
At eyeo, we already have plenty of awareness measures in place, such as mandatory security and privacy training as part of the onboarding process for new hires, the obligation of doing security and privacy eLearning every year on a training platform, and an ongoing anti-phishing training campaign. Regular internal blog posts and a monthly security and privacy newsletter also help us to disseminate knowledge, awareness, and information on new policies or trends, as well as news from the industry.
Even though we are already working to boost individual knowledge, we have been looking at ways to establish a security and privacy-driven culture that addresses teams as a whole, with their daily routines, tasks, and tools, because:
- Most of the existing awareness measures primarily focus on the individual employee.
- Such employee education usually focuses on a general understanding of topics related to data processing, data retention periods, or best practices in security and privacy, rather than on the day-to-day reality of work processes.
Ensuring security and privacy awareness at team level
To bring awareness and knowledge onto the team level, we have introduced a new role at eyeo for our various teams: the Security & Privacy Champion. We decided to have a combined Security & Privacy Champion in each team, rather than separating the two responsibilities, because we believe security and privacy are too closely related to be handled separately. The combined role is designed to support not only the existing teams within the company, but also the Security & Privacy team itself, so that information protection can be tackled more effectively and in an approach that can permeate throughout the company.
The role of the Security & Privacy Champion can be defined as the primary point of contact to the DPO, ISO, or the IT department, and vice versa, for any security and privacy-related topics within a team.
To enable every Security & Privacy Champion to fulfil their role accordingly, a customized and tailored training program has been introduced. The program includes topics like data processing and data retention periods, but also covers an overview of internal policies, e.g. on remote working or passwords, as well as the corporate ISMS and DPMS systems and the associated responsibilities and duties under both systems. An important part of the training curriculum covers the initial review of the teams’ processes, focused on personal data handling, but it also looks at advanced security topics like analyzing email headers and fraud tactics.
The day-to-day processing of personal data & the role of the Security & Privacy Champion
Through the individual review of the teams’ processes, each Security & Privacy Champion gains insight into how personal data processing is integrated into the daily work within the team. In the long term, this should give the Security & Privacy Champion the ability to identify possible issues and problems whenever processes change or new ones are introduced. In addition, it is designed to prevent shadow IT, which is usually a substantial risk even for security and privacy-sensitive companies.
The tasks of the Security & Privacy Champion include keeping an eye on any personal data processing within the team, but also passing on information within the team, e.g. on a new work-from-home or password policy, or on specific security threats like Emotet emails targeting the accounting or HR team. The Security & Privacy Champion also takes care of raising all of this with the Security & Privacy team on a regular basis, e.g. at regular team meetings or workshops.
A 5-Step approach to implementing the Security & Privacy Champion concept
Here are a few of the lessons we have learned, together with our advice on how to introduce the Security & Privacy Champion concept at your company:
Step 1: Get the management on board first and ask for an upper management sponsor for the planned initiative.
Present management with the role descriptions, the goals, an estimation of the expected effort, but also make clear the risks of not having such champions. Outline what kind of support and training you will provide to the champions and how it will benefit the entire company. Having the support from management is key for making this a success story.
Step 2: Let the management take this to the team managers first, to get their buy-in and support.
This is needed not only with regard to resources, but also to ensure that the Champions have the backing of their managers.
The implementation team should then set up a meeting with the team managers, explain the concept, and give enough space for open questions. It’s important to outline that the work of Security & Privacy Champions should not detract from the team’s regular work. It also should be outlined that reviewing the team’s processes is only related to personal data or security matters, and is not intended as a mechanism for improving on or judging the way a team has organized their work or their processes.
Step 3: Start with a pilot with just a few teams, not with the entire company.
This allows you to learn from the pilot, adapt, and improve, and so to achieve better acceptance and efficiency across the entire company. Choose the teams wisely, e.g. a technical/development team, a back-office team like Finance or HR, but also a customer-driven team like PR or Sales. Such a diverse pilot group gives you a fairly comprehensive overview of the different needs and issues already present in the company. Additionally, it allows you to customize the training and workflow to the individual needs, because, for example, the daily challenges that a software engineer has to deal with are different from those of a social media manager or an accountant.
Step 4: Schedule a kickoff with all Security & Privacy Champions to talk about expectations, individual needs, the support you will provide them, and especially the next steps.
Implement regular group meetings with all champions to give them a floor for raising questions, discussing issues and tackling challenges. Attend an operational team’s regular meeting whenever there is a need to support the Security and Privacy Champion on a certain topic.
Step 5: When the pilot is completed, undertake a review, make adjustments, and plan for rolling it out to the entire company.
The world needs more champions. Having a role like Security & Privacy Champions within a company is a big step forward.
Peter Meyer is the Manager of the Security & Privacy team and of the Public Affairs team at eyeo. Peter started his career in 2000 at the first commercial Adblocker company Webwasher and later worked for companies like Secure Computing, McAfee, and Intel Security. From 2013 until 2018, he was employed at the eco Association as project manager, and was the lead for the EU Project “Advanced Cyber Defense Centre”, and for the German security projects Botfrei.de and SIWECOS. He represents eyeo in several working groups, and as a regular speaker at conferences. Peter has also published several articles on topics like IT Security, IT awareness, malvertising, and fraud prevention.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.