Robert Downey Jr. once said: “I think that we all do heroic things, but hero is not a noun, it’s a verb.” No, Mr. Downey, hero is a noun. However, the man makes an interesting point: in an organization a cybersecurity hero is defined by what they do to help protect the company’s infrastructure from security attacks. We’ll get back to Mr. Downey’s idea later, but when we look at the role of security champions, we’ll see he is definitely on to something.  

In a National Cyber Security Centre (NCSC) blog, the UK organization states: “It’s very easy in cyber security to fall into the trap of describing people as the weakest link; ‘they shouldn’t have clicked on the link’ goes the cry; ‘why did they open that attachment?.” Instead, suggests the NCSC, people should be at the heart of security: “We think people are the unsung heroes of cyber security. We want to put people-centric thinking at the heart of cyber security.” And that’s where security champions come in too.

In this article, we will look at who a cybersecurity hero is and why businesses need a modern-day IT Superman. We will suggest that organizations should take a page out of the NCSC’s playbook and make people as important a part of a layered security approach as their physical infrastructure and security software.

What Is the Difference Between a Champion, an Ambassador and a Hero?

Cybersecurity champion, ambassador and hero – these titles are often used interchangeably, but there are subtle differences you should consider before you write your job advertisement. You can call your hero anything you like, but technically only the hero title is one that implies the incumbent’s role is that of a change agent.

What Is a Change Agent?

Implementation Management Associates (IMA) differentiates between change champions and agents. For our purposes, we are going to temporarily lump champions and ambassadors into a similar category (see below). Says IMA, “Champions believe in and want the change and attempt to obtain commitment and resources for it, but may lack the sponsorship to drive it.” In contrast, a change agent has responsibility for implementing changes. According to IMA, “while it is great to build a critical mass of change Champions, these individuals don’t have accountability for actually getting the change implemented.”

Let’s take a look at what champions, ambassadors and heroes do. It appears “hero” is the winning title for the cybersecurity change agent in your company. However, it also looks like you may need a hero, champion and ambassador to promote, entrench and implement a multi-layered cybersecurity policy at all company levels.

Who Is Your Change Agent?

Which definition of a word you choose to use for your change agent is subjective. Here are some suggestions from Merriam-Webster that will help you choose a job title for them.

Cybersecurity Champion – The person in this role would be the liaison between SecOps and an organization’s management teams. They could be responsible for soliciting security funding and providing feedback about the efficacy of the company’s security policy. (Note: Technically, a champion can be anyone, even someone without security skills, who contributes to a network of security champions or champion program in an organization.

  • Definition – “An authorized representative or messenger.”

Cybersecurity Ambassador – This title fits the person who spreads the organization’s cybersecurity message to employees, clients and customers. He or she would liaise with IT, security and marketing departments. They could also be responsible for soliciting security resources.

  • Definition – “A militant advocate or defender.”

Cybersecurity Hero – The hero gets their hands dirty. In this role, the security hero actively helps train security teams, advises on what resources are needed, receives and analyzes security reports, is a first responder to security incidents and understands security technology trends. The hero has their finger on the pulse of the organization’s security infrastructure.

  • Definition – “A person admired for achievements and noble qualities.”

As we will see, a hero sometimes changes hats to be a champion and ambassador too. And in the real world, an organization needs input from all three personas.

What Influence Does a Change Agent Have?

A change agent’s main responsibility is to implement change. But, a change agent can be an influencer too.

Writing for ToolBox, Dennis Stevenson says a change agent:

  • Thinks Ahead – There’s an old saying that the only constant in life is change. An organization’s security strategy is constantly evolving as criminals change their attack methods and new technologies try to keep pace. A change agent alternatively dangles carrots (customers will take their business to the most secure company, so let’s be the best at security) and cracks the whip (shows documentation on breach statistics) to get management buy-in to better security.
  • Has a Passionate Mindset – Not content with addressing security challenges, a change agent is an evangelizer, motivated to spread the security message to other employees, management and customers.
  • Is Self-Motivated – Because a change agent is often self-taught in many areas (they practice lifelong learning), they are able to keep motivated even when things are going wrong. Like any other type of emergency worker, change agents can’t give up. This trait promotes a company-wide “Can-Do” attitude.
  • Is Perceptive and Understands People – A change agent needs to be able to change people’s minds about security, not just implement solutions from what Stevenson calls “Ivory Towers of Technology.” Being more security-aware reduces security risk.

In Intuition’s “The Impact of the 6 Principles of Influence on Cybersecurity,” the author suggests: “Organizations can substantially improve how they address the human aspect of cybersecurity by utilizing the tactics of their cyber-antagonists to change behaviors and reduce risk.” The author uses the example of the Social Proof Principle, which capitalizes on the fact that people usually trust what people they trust endorse, to explain this sneaky but effective tactic. For instance: “One of the most powerful ways to promote safe cybersecurity behaviors is to capitalize on the social proof principle by creating the perception that cyber best practices are the social norm.” To do this, organizations need internal champions, ambassadors and heroes to sing the praises of best security practices.

Benefits of a Hero for Organizations

What are the advantages of employing a cybersecurity hero? Because their main priority is a company’s security, heroes are adept at manipulating the means to achieve their goals and simultaneously getting buy-in at the executive level. Where necessary, they bring in the big guns to convince management they need funding, are doggedly determined to visibly align business objects with security requirements and are knowledge experts in security techniques and tools.

By doing these things, heroes can save an organization from tepid security policies and a bureaucratic mindset that prevents organizations from hardening their security infrastructure because of a reluctance to pay for the necessary resources.

In a LinkedIn article, “Who will be our next hero?”, Andrew Bonehill looks at real cybersecurity heroes in three case studies and at how their thinking has benefited the organizations they work for:

Hero 1: Bringing in the Big Guns

Frustrated by the inability to get security funding, the company hero employed a reputed consultancy service to produce documented proof of vulnerable security areas in the company and a plan clearly laying out “how technology, people and process would close these gaps whilst aligning with the core executive objectives.” After successfully implementing the new strategy and observing the benefits, the company agreed to fund further security initiatives.

A hero always has an eye on security trends and thinks to the future. A hero is globally networked with other security experts and is not shy to use social engineering tactics to manipulate the guys holding the purse strings.

Result: The company reduced risk exposure and increased competitiveness in their industry.

Hero 2: Dogged Determination to Provide the Best Security

After the hero got their conservative company to buy into implementing a good defensive strategy, they initiated the next step: “Designing and implementing an architecture that delivered visibility to the whole organization.”

A hero keeps their eye on the ball and is able to simultaneously see the bigger picture in the long term and understand the security engine at code level. This hero acted like a snappy terrier at the heels of a reluctant finance department.

Result: Reduced number of security incidents and improved aligned between security and business objectives.

Hero 3: Effective Use of Technology Tools

Management sometimes has sketchy knowledge about how security tools can be used most effectively: in the cybersecurity world, plug-and-play does not always work. A hero has expert knowledge about how to use security tools and techniques most effectively. “Having the right tools and procedures accelerated the development of up and coming analysts while multiplying the impact of the experienced team members.“

Result: The hero was able to turn the security team into a profitable business unit instead of being just a resource-gobbler.  

How Can You Nurture Your Cybersecurity Hero?

Your cybersecurity hero has a tough job. They need you to provide them with the right tools and a secure environment to do their job. You also need to keep them happy. Alert fatigue, for instance, can really get a hero down and they just might start dropping the ball. Here are some tips to keep your hero at the top of their game.

Firstly, a cybersecurity hero in the real world usually does not have this title; it’s what they do that matters, not what they are called. (Robert Downey Jr. was clearly onto something here.) While a hero is part of the analysis, planning, and implementation phases, they are primarily results-oriented, and they are always busy — from checking code to wining and dining Finance. The following job titles usually indicate the person is a cybersecurity hero, or at least following a hero career path: Software Security Expert, Vulnerability Researcher, Penetration Tester, Cyber Incident Responder or any other specialist security role.

To nurture your hero, give them the resources they need to upskill, keep up-to-date with security technology and liaise with the global security community.  

In Conclusion: Do You Need a Cybersecurity Hero?

Yes. A hero, as we have seen, wears many hats at a number of levels:

  • Job description – Their skills include those from expert security roles, ranging from penetration tester to systems architect
  • Role – They may be security champions, ambassadors or change agents
  • Influence – They shape:
    • The way an organization thinks about security awareness
    • Flexible security policies to address future challenges
    • How security technologies are best implemented
    • The way business objectives and security goals are aligned

A hero can help you write a security playbook that addresses issues from top (executive buy-in) to bottom (best coding practices). The result: a more integrated, objective and professional approach to the volatile security requirements of modern cyberspace.

Some Useful Resources

 

Sources

People: the unsung heroes of cyber security, NCSC

Change Management Methodology: Change Agents vs. Change Champions, IMA

What is a “Change Agent?”, ToolBox

The Impact of the Six Principles of Influence on Cybersecurity, Intuition

Who will be our next hero?, LinkedIn

The Open Source Cybersecurity Handbook, Pete Herzog