Communication and security evangelism
You can have perfect policies and great tools, but if nobody cares about security, you've accomplished nothing. The Security Champion's most important job isn't technical — it's communication. Making people understand why security matters, keeping it top of mind, and turning skeptics into allies.
This chapter covers how to communicate about security in ways that actually work: telling stories instead of lecturing, creating channels where security feels approachable, running regular touchpoints that people want to attend, and using gamification to make good behavior rewarding.
Why security communication fails
Most security communication is terrible. Here's why:
It's boring. "Remember to use strong passwords" has all the impact of "Caution: Contents may be hot." People tune out immediately.
It's preachy. "You MUST follow these rules" creates resistance. Adults don't like being lectured.
It's scary. Constant warnings about hackers and breaches create anxiety or, worse, learned helplessness. "We're doomed anyway, why bother?"
It's irrelevant. Generic security advice doesn't connect to what people actually do. A designer doesn't care about SQL injection.
It's one-way. Newsletters nobody reads, mandatory training nobody remembers, policies nobody references.
It's invisible. Security only shows up when something goes wrong. No positive touchpoints.
The goal isn't to make everyone paranoid. It's to make security feel like a normal part of work — like code review or backing up your files. Something people do because it makes sense, not because they're forced.
Principles of effective security communication
Lead with stories, not rules
Humans remember stories. We forget statistics and bullet points.
BAD: "Phishing attacks increased 65% last year. Always verify sender identity."
GOOD: "Last month, an employee at a company like ours clicked a link in an email
that looked exactly like a DocuSign notification. Three hours later,
attackers had downloaded their entire customer database. The email
was from 'docusign-notifications.com' — one letter different from real."
Where to find stories:
- Security news (Krebs on Security, Bleeping Computer, The Record)
- Industry-specific breaches (your competitors, similar companies)
- Your own near-misses (anonymized)
- Security researcher write-ups
Make it relevant to their work
Different roles care about different things. Customize your message.
| Audience | What they care about | How to frame security |
|---|---|---|
| Developers | Code quality, shipping fast | "Secure code is quality code. Catching issues early means fewer emergency patches." |
| Sales | Closing deals, customer trust | "Security questionnaires are part of enterprise deals. Good security = competitive advantage." |
| Support | Helping customers, avoiding escalations | "Recognizing account takeovers saves customers from fraud and saves you from angry calls." |
| Finance | Money, compliance, audit | "Good security hygiene means smoother audits and lower insurance premiums." |
| Executives | Risk, reputation, legal | "One breach can undo years of brand building. This is business continuity." |
Keep it short and frequent
Long security emails get skimmed. Monthly newsletters get ignored. Better approach:
- Short, frequent beats long and occasional — 2-minute read weekly > 20-minute read monthly
- One message per communication — Don't bundle 5 tips; focus on one actionable thing
- Repeat important messages — People need to hear things 7+ times before they stick
Show, don't tell
Instead of explaining abstract risks, demonstrate them:
- Live phishing demo — Show how easy it is to create a convincing fake login page
- Password cracking demo — Crack weak passwords live (takes seconds)
- OSINT demo — Show what's publicly available about your company
- Real breach timeline — Walk through how an actual attack unfolded
Celebrate good behavior
Most security communication is about what NOT to do. Flip it:
- Recognize people who report suspicious emails
- Thank the developer who caught a vulnerability in code review
- Celebrate the team that achieved 100% MFA adoption
- Shout out the person who asked "is this safe?" before clicking
Internal communication channels
Create dedicated spaces where security is discussed, not just announced.
Slack/Teams security channels
#security-alerts — security incidents, urgent warnings, mandatory actions. Low volume, high signal. Everyone should join and enable notifications.
#security-questions — ask anything about security. No stupid questions, fast responses. Security Champion monitors actively.
#security-news — interesting breaches, vulnerabilities, articles. Light discussion, learning-focused. Optional but encouraged.
#phishing-reports — report suspicious emails here. Security Champion confirms real/fake. Creates a visible record of threats.
Making channels effective:
- Respond quickly — If someone asks a question and waits 3 days, they won't ask again
- Never shame — "Good question!" even if it's basic
- Share context — When alerting about a vulnerability, explain why it matters for your stack
- Use threads — Keep discussions organized
- Pin important stuff — Policies, incident response procedures, key contacts
Phishing report workflow
Create a simple workflow for reporting suspicious emails:
## How to Report Suspicious Emails
1. **Don't click any links or open attachments**
2. **Forward the email to:** [email protected] (or post in #phishing-reports)
3. **Include:** "Is this legit?" in subject
4. **We'll respond within 2 hours** during business hours
### What happens next:
- We analyze the email
- We'll tell you if it's safe or not
- If it's a real phish, we'll alert the company
- You'll get credit for catching it
Track and share results:
Weekly phishing stats (last 7 days):
- Phishing emails reported: 12
- Confirmed threats blocked: 4
- People who reported: Sarah ⭐, Marcus, Priya ⭐⭐, James
- Close call: Fake DocuSign caught before anyone clicked
Thanks for staying vigilant!
Security newsletter
A regular newsletter keeps security visible without being annoying. The key is making it something people actually want to read.
Newsletter structure
# Security Digest — [Month Year]
## This month's highlight
[One story in 3-4 paragraphs — could be a breach, a near-miss,
a cool thing someone did, or a new threat]
## Quick tip
[One actionable thing, 2-3 sentences max]
## What we fixed
[Brief summary of security improvements made — shows progress]
## Shout-outs
[Recognize people who reported issues, completed training, etc.]
## Upcoming
[Security office hours, training sessions, policy updates]
## Ask me anything
[Reminder that questions are welcome + how to reach Security Champion]
Sample newsletter
# Security Digest — January 2025
## This month's highlight: The $100K lesson
A company in our industry lost $100,000 last month to a business email
compromise attack. Here's how it happened:
An attacker compromised an employee's email account (weak password, no MFA).
They spent two weeks reading emails, learning the company's processes and
communication style. Then they sent an email from the employee's actual
account to the finance team, requesting an urgent wire transfer to a "new
vendor." The email referenced real projects and used the employee's normal
writing style.
Finance followed their usual process... which didn't include verifying
large transfers by phone. By the time anyone noticed, the money was gone.
**What saved us from this:** We require MFA on all accounts, and our
finance team has a policy of calling to verify any transfer over $5,000.
---
## Quick tip: Lock your screen
Windows: Win + L
Mac: Cmd + Ctrl + Q (or close the lid)
Do this every time you step away, even for a minute. It takes 10 seconds
to plug in a USB device or peek at your screen.
---
## What we fixed this month
- Enabled phishing-resistant MFA for all admin accounts
- Deployed new endpoint detection on all laptops
- Closed 3 vulnerabilities found in our Q4 security scan
- Updated our incident response plan with lessons from the tabletop exercise
---
## Shout-outs
- **Priya (Engineering)** — Caught a real phishing email targeting our
DocuSign process and reported it within minutes. This was a targeted
attack, not spam.
- **Marcus (Support)** — Noticed unusual login activity on a customer's
account and escalated before the customer even knew.
- **Everyone on the Sales team** — 100% completion on the Q4 security training!
---
## Upcoming
- **Security office hours:** Every Thursday 3-4pm in #security-questions
- **Phishing simulation:** Coming in February (keep it quiet)
- **New password policy:** Rolling out next week — same requirements,
better enforcement
---
## Got questions?
Reply to this email or ping me in #security-questions. No question is
too basic. Seriously — I'd rather answer 100 "dumb" questions than miss
one real incident.
— [Your name], Security Champion
Newsletter best practices
| Do | Don't |
|---|---|
| Keep it under 5-minute read | Write essays nobody finishes |
| Include real stories | Use generic security advice |
| Recognize specific people | Send to all without personalization |
| Show what you've accomplished | Only talk about threats |
| Make it consistent (same day/week) | Send sporadically |
| Include one clear action | Overwhelm with 10 tips |
| Write like a human | Sound like a compliance document |
Tracking engagement
Use your email tool's analytics:
- Open rate (target: 50%+)
- Click rate on links (are people engaging?)
- Replies/questions generated
If nobody's reading, change the format. Try shorter, try funnier, try different timing. Ask people what they'd find useful.
Security Champions Hour
A regular meeting where security is discussed openly. Not a lecture — a conversation.
Format options
| Format | Duration | Frequency | Best for |
|---|---|---|---|
| Office hours | 1 hour | Weekly | Drop-in questions, low commitment |
| Brown bag | 30-45 min | Monthly | Presentations, demos, learning |
| Security standup | 15 min | Weekly | Quick updates, team integration |
| Tabletop exercise | 1-2 hours | Quarterly | Incident response practice |
Running effective office hours
Setup:
- Same time each week (consistency matters)
- Dedicated video call link or physical room
- Promoted in Slack, calendar, newsletter
- Security Champion always attends
Structure:
0:00-0:05 Quick update (anything urgent, new policies, upcoming changes)
0:05-0:55 Open Q&A (whatever people want to discuss)
0:55-1:00 Wrap-up, preview of next week
If nobody shows up:
- Use the time to work on security tasks (visibly)
- Post in Slack: "Office hours open — slow week, so I'm working on X"
- Eventually people will come; consistency is key
- Consider combining with something else (coffee chat, lunch)
Building attendance:
- Invite specific people who might have questions
- Tease interesting topics ("I'll demo password cracking if anyone's curious")
- Bring snacks if in-person
- Make it genuinely optional — no guilt for missing
Monthly security brown bags
Deeper dives on specific topics. Rotate between:
Presentation topics:
- How a recent breach happened (external company)
- Demo of a security tool
- Deep dive on a policy (why we have it, how to follow it)
- "I tried to hack us" — results of internal testing
- Guest speaker (vendor, security team from bigger company, external expert)
Interactive sessions:
- Phishing simulation debrief (after running one)
- Tabletop exercise (incident response practice)
- "Spot the vulnerability" — code review challenge
- Security quiz with prizes
- "Ask me anything" — open questions
Sample agenda:
# Security Brown Bag — February 2025
## Topic: How Attackers Use LinkedIn to Target Us
### What we'll cover (30 min)
- How attackers gather info from LinkedIn profiles
- Real examples of targeted phishing using LinkedIn data
- What you can do to reduce your exposure
- Live demo: I'll show how I'd craft a phishing email using public info
### Q&A (15 min)
Open discussion
### Attendance
Optional but encouraged. Recording available for those who can't make it.
### Pizza provided
Gamification and rewards
Make good security behavior visible and rewarding. This isn't about manipulation — it's about positive reinforcement.
What to reward
| Behavior | Why reward it | Reward level |
|---|---|---|
| Reporting phishing | Encourages vigilance, provides threat intel | Small (public thanks) |
| Finding vulnerability in code review | Catches issues before production | Medium (recognition + small prize) |
| Completing optional security training | Shows initiative | Small (badge, shout-out) |
| 100% team MFA adoption | Group accountability works | Medium (team lunch) |
| Reporting a real security issue | Critical for early detection | Large (meaningful recognition) |
| Winning CTF or security challenge | Builds skills, creates enthusiasm | Medium-Large (prize, conference ticket) |
Reward ideas by budget
$0 (recognition only):
- Public shout-out in Slack, newsletter, all-hands
- "Security MVP" title for the month
- Priority for interesting security projects
- Profile badge or Slack emoji
- Thank-you note from leadership
Low budget ($10-50):
- Gift cards (coffee, Amazon)
- Lunch with the Security Champion
- Security-themed swag (stickers, t-shirts)
- Book of their choice
- Extra day of PTO (if leadership approves)
Medium budget ($50-200):
- Conference ticket (local security meetups)
- Training course (Pluralsight, Udemy)
- Better security hardware (YubiKey, privacy screen)
- Team lunch or happy hour
High budget ($200+):
- Major conference attendance (DEF CON, RSA)
- Security certification course
- Donation to charity of their choice
- Latest laptop/hardware upgrade
Leaderboards and points
Some teams respond well to competition; others find it annoying. Know your culture.
If your team is competitive:
Security Leaderboard — Q1 2025
1. Priya (Engineering) — 450 pts
2. Marcus (Support) — 380 pts
3. Sarah (Product) — 350 pts
4. James (Sales) — 275 pts
5. Everyone else — Time to catch up!
Points this quarter:
- Report phishing: 10 pts
- Complete training: 50 pts
- Find vulnerability: 100 pts
- Win security challenge: 150 pts
- Mentor colleague: 75 pts
If your team isn't competitive:
- Skip leaderboards, focus on collective goals
- "We've blocked 47 phishing attempts this quarter — thanks everyone"
- Celebrate team achievements over individual rankings
Security challenges
Periodic challenges that make security interactive:
Monthly challenges:
| Month | Challenge | Prize |
|---|---|---|
| January | Report 3 suspicious emails | Security swag |
| February | Complete new phishing training | Early access to something |
| March | Participate in tabletop exercise | Team lunch |
| April | Find a typo/issue in our policies | Book of choice |
| May | Enable MFA on personal accounts | $25 gift card |
| June | Complete password manager setup | Password manager premium |
CTF (Capture The Flag) events:
Run internal CTF competitions:
- Use platforms like CTFd, PicoCTF, or OWASP Juice Shop
- Teams of 2-3 people
- 2-4 hour events
- Mix difficulty levels so everyone can participate
- Prizes for top teams, participation prizes for everyone
Handling security fatigue
Too much security communication creates fatigue. Watch for signs:
Symptoms:
- Low newsletter open rates
- Nobody attending office hours
- Cynical responses to security topics
- "Not another security thing"
- Compliance without understanding
Causes:
- Too much communication
- Irrelevant content
- No visible results from effort
- All warnings, no positives
- Lack of autonomy ("just do this")
Solutions:
| Problem | Solution |
|---|---|
| Information overload | Reduce frequency, increase quality |
| Irrelevant content | Segment by role, personalize |
| All doom and gloom | Balance threats with wins and recognition |
| Boring delivery | Add stories, demos, humor |
| No feedback loop | Ask what people want, actually respond |
Signs it's working
- People asking security questions proactively
- Phishing reports increasing (they're noticing!)
- Voluntary attendance at optional sessions
- Security mentioned in conversations you're not part of
- New hires asking "where's the security training?"
- Executives referencing security in decisions
Common mistakes
- Talking at people instead of with them — Conversation beats lecture
- Only communicating during crises — Regular positive touches matter
- Generic enterprise language — Write like a human for your actual team
- Expecting immediate behavior change — Culture change takes months
- Punishing mistakes publicly — People stop reporting if they fear shame
- Measuring inputs instead of outcomes — "We sent 12 emails" vs. "Phishing clicks dropped 40%"
- Security Champion being the only voice — Recruit allies, share the load
- Not iterating — What works changes; keep experimenting
- Ignoring feedback — If people say it's too much, believe them
- Making everything mandatory — Optional engagement builds real buy-in
Workshop: launch your security communication program
Part 1: Set up channels (1 hour)
-
Create Slack/Teams channels:
- #security-alerts (everyone joins)
- #security-questions (everyone joins)
- #phishing-reports (everyone joins)
- #security-news (optional)
-
Write channel descriptions and pins:
- Purpose of each channel
- How to report phishing
- Link to incident response procedure
- Security Champion contact info
-
Announce the channels:
- Post in main company channel
- Include in next all-hands
- Add to new employee onboarding
Part 2: Create first newsletter (1-2 hours)
-
Gather content:
- Find one good security story from the past month
- List security improvements you've made
- Identify someone to recognize
- Pick one quick tip
-
Write the newsletter:
- Use the template provided
- Keep it under 500 words
- Include one clear call-to-action
- Make the subject line interesting
-
Send and track:
- Schedule for consistent time (e.g., first Tuesday of month)
- Track open rate
- Note any replies or questions
Part 3: Schedule Security Champions Hour (30 minutes)
-
Pick a time:
- Check calendar for conflicts
- Consider time zones if remote team
- Thursday afternoon often works well
-
Set up recurring meeting:
- 30-60 minutes
- Weekly or bi-weekly
- Same time each occurrence
-
Promote it:
- Add to company calendar
- Mention in newsletter
- Invite specific people initially
- Post reminder in Slack before each session
Artifacts to produce
After this workshop, you should have:
- Security Slack/Teams channels created and announced
- Channel descriptions and pinned posts
- First newsletter draft ready to send
- Newsletter template for future months
- Security Champions Hour on the calendar
- Phishing report workflow documented
- At least one gamification element planned
Self-check questions
- Why do stories work better than statistics for security communication?
- What are the three essential Slack channels for security communication?
- How often should you send a security newsletter?
- What's the difference between office hours and brown bag sessions?
- When should you NOT use gamification or leaderboards?
- What are signs of security fatigue in your team?
- Why is it important to celebrate good security behavior?
- How do you handle it when nobody shows up to office hours?
- What should you track to know if your communication is working?
- Why should security communication be personalized by role?
How to explain this to leadership
The pitch: "Technical controls aren't enough — people need to understand and care about security. I want to set up regular communication channels: a monthly newsletter, weekly office hours, and a way to recognize good behavior. This builds a culture where security is everyone's responsibility."
What you need:
- 2-3 hours per week for communication activities
- Small budget for recognition ($100-300/quarter for gift cards)
- Slot in company all-hands occasionally
- Leadership participation (forward the newsletter, attend office hours once)
The ROI:
- Faster phishing detection (measured in minutes vs. hours)
- Fewer security incidents from employee mistakes
- Better security questionnaire answers (sales cycle impact)
- Lower training costs (engaged learning vs. compliance training)
Metrics to track:
- Newsletter open rates
- Phishing report frequency
- Office hours attendance
- Security question volume in Slack
- Phishing simulation click rates (should decrease)
Conclusion
People can't do the right thing if they don't know what it is. Communication is half the job. The other half is making the right thing easy enough that they don't need to be reminded.
What's next
Next: working with incidents and learning lessons — how to handle incidents when they happen and turn them into durable improvements.