The right sponsor, the right ask, at the right moment
Ant Davis
Getting leadership backing for your champions network
At some point the informal network you've been quietly building needs to become something more deliberate and more visible. That transition requires backing from someone with more organisational reach than you have.
This is the conversation most practitioners either avoid or get wrong. Let's talk about how to get it right.
Why you need a sponsor
A champions network asks people to do something beyond their job description. It's almost certainly voluntary, there's no direct reward, and it's done in their own time.
That's a big ask. And without visible organisational backing, it's a very hard ask to sustain. People need to feel that what they're doing is valued, and not just by you, but by the organisation. A senior sponsor signals exactly that. It tells your champions this isn't a fringe initiative run by someone in a strange corner of the security team, but something the organisation has chosen to invest in.
A sponsor also helps practically. They can open doors that would otherwise be closed, get you in front of teams you'd struggle to reach on your own, and remove blockers that would take you months to navigate around. And when someone pushes back on the network, and someone always does, a sponsor gives it a legitimacy that you alone cannot.
Find the right person, and it's probably not who you think
Your first instinct will probably be to go straight to your CISO. I don't think that's right.
The CISO already cares about security. You'd hope so anyway. Their endorsement is expected, which means it carries less weight with the people you're trying to influence. What you need is someone whose endorsement means something to the populations you want to reach.
Think about who has reach and credibility in your organisation. Every organisation is different. In a tech company, a CTO talking about security lands differently than the security team talking about security. An HR director championing a security culture initiative gives it legitimacy in the people space that an endorsement from someone in a security role never would. A CFO talking about fraud risk connects it to something the business already tracks and worries about.
The right sponsor is someone with a reason to care and an audience that trusts them. Your job is to find that person and give them a reason to say yes.
The ask is smaller than you think
One reason practitioners avoid this conversation is that they assume they're asking for a significant commitment. They're not.
You're not asking your sponsor to run anything, own anything, or become a security expert. You're asking them to amplify your message, and even then, only occasionally. A mention in a town hall. A post on the internal Slack or Teams channel. Showing up at a champions launch event to say a few words. Occasionally forwarding something you've produced to their team.
Low effort, high impact. Frame it that way and the ask becomes much easier to say yes to.
Align with what already exists
You don't have to build the infrastructure from scratch. Most organisations already have networks that work. Pride networks, mental health ambassadors, wellbeing groups, sustainability champions. These all have governance structures, communication channels, engaged members, and, crucially, organisational credibility. They've already made the case for why volunteers doing something beyond their job description matters.
Look at those networks and understand how they're structured. How they recruit, how they communicate, how they maintain engagement. Align your model to theirs. Get onto their steering committees. When you position security champions as peers to initiatives the organisation already values, it stops feeling like a compliance obligation bolted on from IT.
That positioning changes everything. It changes how potential champions feel about joining, how leadership perceives the investment, and how the network is talked about internally.
The case you're making
When you go into this conversation, have two arguments ready. A risk argument and a culture argument.
The risk argument is about coverage. As a solo practitioner or a small team, you can't be everywhere all of the time. A champions network extends your reach into parts of the organisation you'd otherwise never touch. It gives you signal back about where the real risks are sitting. And it means that when something happens, and something always does, you have people already in place who know what to do and who to call.
The culture argument is about belonging. Security feels like something that happens to people rather than something they're part of. A champions network changes that. It creates a group of people who feel a genuine connection to security, who can talk about it naturally in their teams, and who make it feel normal and relatable rather than imposed.
Together, those two arguments make a compelling case. Each one on its own is weaker. Use both.
Don't skip this step
The informal phase is valuable and I love it, but it has its limits. Having the right sponsor and making the right ask at the right moment is what takes a network from an informal collection of contacts to something the organisation recognises and supports. That backing is what lets you go further.