As organizations grapple with how to stay ahead of the evolving cybersecurity threats, many are adopting a culture of security. A security culture is built around the idea that cybersecurity is everybody’s business, not just the IT or cybersecurity team’s responsibility.
Getting an entire organization to buy into a “security first” mindset, however, is no small task. This may be especially a challenge for an information security or IT team that’s used to working in silos and is not well-equipped to communicate its messaging organization-wide.
That’s where security champions come in. A cross-departmental team of security champions can evangelize your security-awareness program, reinforcing your key messages and ultimately helping to change behavior at all levels of the organization.
Security Awareness Training Has Limits
Security awareness is an imperative component of a security culture. Since employees lead digital lives that cross the boundaries between the workplace and their personal spaces, organizations can’t just focus on securing their perimeter. Security awareness helps fortify what infosec professionals like to call the weakest link in an organization — people — by creating awareness of how their behavior, whether on company premises or off, impacts their employer’s information security.
Oftentimes, however, organizations build their awareness program entirely around training modules and maybe supplemental educational materials such as newsletters. While high-quality training is an effective practice that should be a component of every awareness program, it’s limited in scope.
To affect the culture, your organization needs security champions who can reach across the entire business operation and consistently communicate the security message as it aligns with the organization’s mission and objectives. These champions become trusted resources for their peers while at the same time bridging the communication gap between the security practitioners and the rest of the business functions.
The Roles of the Security Champion
The idea of security champions is especially popular with DevOps, as software developers who need to scale rapidly are shifting their mindset to embed security into the applications they create. However, security champions or ambassadors can benefit all types of businesses, not just those that build their own applications.
Security champions can play a number of key roles:
- Act as an extension of the security team, promoting and monitoring cybersecurity policies within their own departments or teams
- Socialize potential solutions with their peers and provide a feedback loop to the IT/infosec team
- Function as an intermediary between the IT team and other parts of the organizations in communicating when policies impede operations and workflows — and helping create and implement sanctioned workarounds
- Serve as role models who share not only their passion for cybersecurity but also their knowledge of best practices and their insights, as well as modeling a commitment to a security culture
- Work within cross-functional teams to create an open dialogue with stakeholders in different parts of the enterprise
- Build relationships with the company leadership, whose support of security plays an integral role in the security culture
How Security Champions Enable Security Awareness
Your central security team is expert at best practices and understanding how people, processes and technology work together. However, they’re not necessarily experts at communicating, nor are they necessarily poised to create a bridge to the rest of the organization.
They likely don’t speak the language of the other departments. They may not even understand how the policies and processes they implement impact the people in the trenches — that is, the rest of the employees who have to use those policies and processes every day while meeting their own objectives.
Sometimes, the IT team may be viewed as headache who makes life difficult for the rest of the organization. Security champions can be at the forefront of changing this “us vs. them” mentality to an atmosphere of collaboration. Because they do speak the language and understand the pain that some security procedures may bring to other teams, they can help close the divide in the organization-wide understanding of how security and business objectives intersect and why security should be owned by everyone, not just IT.
Examples of how security champions make a difference can be seen at industry giants such as Microsoft and Cisco.
According to Microsoft, its best protection strategy is to partner with its employees, “arm them with knowledge and empower them to live a secure lifestyle, at work and home.” At Microsoft, security champions “serve as a voice of influence,” helping “drive awareness, accelerate consumption and create feedback loops,” as well as helping “understand how enterprise security education is landing across the organization.”
At Cisco, the Corporate Security Programs Organization (CSPO) team saw the need “to influence the influencers and to hit the masses,” and it set out more than a decade ago to launch a program for security ambassadors who could drive the dialogue on how to change practices toward better security.
One ambassador alone persuaded 800 employees in one of the business groups to take security-awareness training, resulting in a “staggering” 98 percent completion rate. The ambassadors became credible sources and when the CSPO needed to create a message that would be “heard” by a large target audience, the ambassadors could be tapped to be that messenger because they had already established the audience’s trust.
Impacts of a Security-Champion Program
Gartner estimates that in 2017 only 10 percent of enterprises had a security-champion program but expects the number to grow to 35 percent by 2021. One reason, perhaps, is that enterprises see these types of programs, in the words of Gartner, as a “low-/zero-cost way to accelerate your security message.”
Accelerating that security message has become an imperative. Consider this: the Privacy Rights Clearinghouse, which tracks publicly disclosed data breaches, shows 831 breaches in 2017, with more than 2 billion records exposed in total. The number of records was highest ever, doubled from the previous year, while the number of breaches stayed about the same. Clearly, as more data becomes digital, the exposure of every organization grows, and even small organizations can become big in terms of their exposure.
At the same time, as more business processes become digital and the Internet of Everything takes off, the increased attack surface makes it much more challenging for the security team to be prepared for data breaches. At the estimated cost of $148 per stolen record (according to IBM/Ponemon Institute) — and that’s not counting potential fines from regulators — your organization can’t afford to ignore the need for a strong security culture.
Security champions are, essentially, change agents. To own security, employees need to be inspired and be able to connect how their everyday actions (even something as simple as reading their email or surfing the Internet) can have long-lasting implications. A strong team of security champions are your best advocates because they not only serve to provide that inspiration but also to help connect the dots on why security matters.
As Gartner’s research director Joanna Huisman puts it: “A good security champion program improves the integrity and reach of your security culture, and by localizing the security representation throughout the business, your reach into the organization will become that much deeper.” Without that deep reach of your security culture, you’re much less likely to succeed at protecting your organization.
Data Breaches, Privacy Rights Clearinghouse
Finding Security Champions in Blends of Organisational Culture, Internet Society
Avoid Unnecessary Pain with a Security Champion, CSO Online
Building a Network of Security Champions, CIO Review