Question: Has the organization established a security-champion or ambassador network?
Why This Matters
Peer advocacy spreads culture faster than top-down messaging. Champions translate security language into daily context.
Maturity
0 — Unaware
No designated security advocates.
1 — Ad Hoc
Volunteers occasionally assist with campaigns.
2 — Defined
Champion roles defined per department.
3 — Managed
Regular meetings and knowledge-sharing sessions.
4 — Integrated
Champions drive training delivery and incident feedback.
5 — Optimized
Champions recognized formally in performance plans.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify enthusiastic volunteers in each team. |
| 1 → 2 | Define champion charter and scope. |
| 2 → 3 | Conduct monthly check-ins and update forums. |
| 3 → 4 | Involve champions in awareness delivery. |
| 4 → 5 | Include security metrics in their goals. |
Enablers
- People: CISO, Department Heads, Champions
- Process: Nominate → Empower → Recognize
- Technology: Collaboration platform (Teams / Mattermost)
Evidence
- Champion list and charter
- Meeting minutes
- Communication samples
KPIs
- Number of active champions
- Events or initiatives led
- Peer feedback scores
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Collaboration | Mattermost / Slack Free | Champion channel |
| Tracking | Airtable | Roster and activities |
| Recognition | Google Slides | Spot awards |
Common Pitfalls
- Unclear expectations for champions
- Program runs once then stops
- No recognition or leadership support
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 7.3 (Awareness) |
| DPDP Act 2023 | Sec 10 (Accountability) |
| NIST CSF 2.0 | PR.AT |
| NIRMATA Mapping | AC-Q10 extends security culture through peer networks. |