The pattern is familiar in small and medium businesses. There is one technical person who somehow ended up "doing security." They review every IT request, panic about every phishing email, and burn out within 18 months. The business has no security culture, just a single overloaded individual.
A security champion programme distributes the load. Champions are non-security staff in each team who act as the local point of contact for security questions, raise concerns early, and feed back what is actually happening on the ground.
You probably already have champions
They are the people who notice odd things and raise them. The finance manager who reads invoice emails carefully. The customer support lead who flags suspicious password reset requests. The engineer who pushed back on the last vendor with weak SSO. Find them. Make their role official.
What a champion actually does
- Acts as the first line of triage for security questions in their team.
- Receives 30 minutes of focused security briefing each month.
- Reports incidents and near-misses upward.
- Carries practical security advice into their day job (vendor reviews, hiring, project planning).
- Recognises and reports phishing or suspicious patterns within their function.
A champion is not a security expert. They are a translator. They speak the language of their function and they know enough security to ask the right second question.
How to set it up in 30 days
Week 1: identify one champion per major function (finance, sales, customer support, engineering, HR). Look for people who have already raised security concerns informally. Get manager sign-off that 2 hours per month is part of their job.
Week 2: run a 90-minute kick-off. Cover what the role is, what it is not, who to escalate to, and the most common threats their function faces.
Week 3: set up a private Slack or WhatsApp channel for champions. Share weekly tips, near-miss summaries, and recent threats relevant to Nigerian businesses.
Week 4: run a tabletop exercise. Walk through a fake phishing scenario or vendor breach. Watch how champions respond. Refine.
Recognition matters
Champions take on extra cognitive load. Recognise it. Mention them in all-hands. Pay for relevant certifications when they want one. Let them lead the response to incidents they catch. Without recognition, the programme decays within a year. With it, you build a security culture that grows with the business.