In my most recent book, Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing, I highlight the use of “champions,” which are co-workers in your organization who can help spread security awareness training to better lower human risk.
A human-to-human champions program can personally communicate the various cybersecurity risks and can educate on and demonstrate the desired cybersecurity behaviors, acting as an effective adjunct to the larger-scale pre-recorded videos, quizzes, and written policy.
It is one thing to see a recorded video telling you not to click on a phishing link and another to hear a co-worker sitting next to you tell you about the time they accidentally clicked on a rogue link and what happened. That co-worker can share what happened to them and what they do today to prevent repeated exploitation.
They can listen, empathize, and demonstrate as part of their daily job what works for them, and what may work for you. They may be able to help a co-worker who seems to click on everything more than a stern warning letter from management or multiple educational videos can. There is just something about the shared human experience, especially when it is a co-worker who cares.
Unfortunately, a one-on-one human experience does not scale. Your organization is not going to pay a ton of people just to sit next to you full time to tell you when you should or should not click on something. Most organizations justifiably rely on large-scale security awareness programs, which contain a bunch of great content (like KnowBe4’s). But it cannot hurt to add a champions program to fine-tune your education and messages. Sometimes, simply having another set of eyes and ears can help.
Examples
I was once having a run of “bad luck,” clicking on multiple, repeated simulated phishing tests during a busy part of my career. I could not believe I was falling for the phishing tests, but I was. First one, then another, and then another.
It was very humbling. Then, a co-worker met with me to ask what was going on in my life and asked to see the phishing tests I had failed. They were able to see a commonality…a common emotional trigger…that was shared across all the failed tests. They then suggested I try a new technique…bothersome as it was…for a few weeks to see how it impacted my responses to other simulated phishing tests.
I have not (knock on wood) failed one since.
I was also part of another larger organization that was (and is) beset by real phishing attacks. In one of their training videos, they had a co-worker get up and share that they had been successfully phished. This co-worker was no ordinary co-worker. This guy was one of the smartest people in the company, if not THE smartest person in the company. And he shared how he had been successfully phished by a real nation-state attacker.
He shared why he got phished, how he missed the warning signs, and how hours had passed before he started to wonder if he had been phished. He said that even though he was embarrassed, he decided to report the possible phishing attack just in case. It turned out it was a real phishing attack that had gained access to our internal systems, and only because he reported it were we able to stop the attack before it really progressed. It had a profound impact on most of us. If the smartest guy in the company was able to be phished, so could the rest of us. Human-to-human.
A mature champions program also communicates the organization’s commitment to lowering human risk by showing that it values fighting those risks with multiple, cooperating resources. It is not one person pushing out the message, but a team of people supported by the organization.
Nestlé Purina PetCare’s Ambassador Program
I recently came across one of the best examples of a champions program I have seen in my career, at Nestlé Purina PetCare, run by IT Security and Compliance Manager Heather Reed.
Purina calls their champions program participants Ambassadors. I like that. They have at least one Ambassador for each (mostly non-manufacturing) department, for a total of 65 Ambassadors (and growing) for about 5,000 employees.
They meet monthly to discuss a centralized message to push to the rest of the company. They use these coordinated message sessions to educate their co-workers about global technical security implementations such as MFA, Windows Hello, USB blocks, use of password managers, etc. Heather works with the Internal Public Relations team to make sure the messaging is best tuned for what they need. This also helps to develop ongoing relationships and better communications across the enterprise.
More importantly, communication is a two-way street. The Ambassadors also communicate back to Heather on a regular basis with issues they are discovering in their workstreams, such as people trying to use unapproved cloud solutions, people trying to gain access to data that they should not have, etc. It has created a timely, two-way communication stream that improves security and compliance.
Heather says Ambassadors share their personal stories with their co-workers about their own phishing failures, such as falling for Facebook frauds, kidnapping scams, gift card scams, identity theft, etc. They show vulnerability which helps their co-workers relate to cybersecurity as part of their everyday life. It helps the employee personally and benefits the organization.
A quarter of Ambassadors ask for “stretch assignments” to help out the organization even more, but also to build their own cybersecurity experience for when additional cybersecurity positions open at Purina. What is better than getting a trained cybersecurity employee who has already worked in the trenches at your organization?
Heather has great metrics to back up the success of her program. Employee groups with Ambassadors reported 20% more phishing attack attempts, had 100% training compliance, and had far lower rates (50% lower) of users clicking on simulated phishing tests. That alone is reason enough to have your own champions program if you do not already have one.
Ambassadors become the go-to cybersecurity experts in their peer groups and escalate issues to Heather when it is more serious. It is hard to quantify how important it is to have this extra, very valuable point of connection where people can spot badness quickly and report it sooner.
Early on, Heather reached out and asked many cyber-friendly employees to become Ambassadors, but over time, new people who are excited about the program have been asking her if they can become Ambassadors.
Imagine employees asking you if they can add something to their already incredibly high workload to better help their fellow employees and the company!
Heather said that external auditors often cite the Ambassador program as a key strength of the organization. Purina’s CEO and executive leadership fully support the program.
But I think one of the best measures is whether the people in the program are happy and having fun. At the one-day cybersecurity event that I attended and spoke at, I saw a room full of happy and smiling Ambassadors. I have been to places where the champions seemed like they were selected under duress and were not happy to be there.
This was not the case at Purina. Heather had baked delicious homemade cookies. Other people were passing around small treats. Gifts, swag, and awards were handed out. Personal stories and successes abounded. It was clear to me that Heather and Purina are doing something right.
If you want to decrease human risk, start your own champions program as an adjunct to your larger security awareness training program. If you want a great champions program, follow the lead of what Heather and Purina are doing.
I jokingly told Heather that she could start her own consulting firm helping other companies build great champion programs. She just smiled, handed me a cookie, and said she was very happy with the program and team she was able to build. Meow!