Recruiting security champions

Tanya Janca
August 1st, 2024

In the previous article, ‘Building Security Champions’, we covered what champions are, why you need them, and our plan to make an amazing program.

The #1 most important rule of recruiting security champions is that you must attract them. Do not “voluntell” someone to be a security champion. That person is not going to do their best for you, and they certainly won't enjoy the experience. Attract the right people instead of forcing them.

How does one ‘attract’ champions?

Perform Outreach

  • Use lunch and learns to teach about security

  • Arrange security training

  • Anyone who asks questions or attends all the events is a potential champion

  • Use interesting titles for events if you can

  • Add a note to your email signature, saying you are looking for champions

  • Put a sign on the fridge in the kitchen

  • Talk about it at the all-staff meeting

  • Send an email to all of IT

Observe

Pay attention to who responds, attends events, asks questions, and who is ‘always there’. Those are the people you need.

Adjust Your Attitude

Change your team's mantra to “I am here to serve you” and your team will attract even more candidates. If you are a security professional, saying “you are my customers” to the rest of IT is basically the truth. Plus, you always get more bees with honey.

The #2 most important rule of recruiting: ensure their manager is on board. You don't want this person to have to fight to do work for you or feel conflicted. Ensure their manager is comfortable.

In the next article, we will talk about how to engage your champions (which will result in you finding even more).
