A network of employees outside IT who promote cybersecurity to their colleagues can do wonders for an organization’s security culture.
Now that organizations rate cyberattack as their biggest risk, cybersecurity needs to be everyone’s business – not just the IT department’s problem. A cyber-secure work culture will make businesses more resilient to threats.
Employee behavior is one of the biggest factors behind cybersecurity incidents. Change how your employees understand cybersecurity with a cyber-aware work culture, and you’ll substantially reduce the risk of compromise.
One way of raising cybersecurity awareness at work is through a cybersecurity champions program. Technology researchers Gartner found although fewer than 10 percent of organizations had one in 2017, they forecast 35 percent would have a cybersecurity champions program by 2021.
Why cybersecurity champions change business culture
Lena Smart, Chief Information Security Officer (CISO) for MongoDB, calls cybersecurity champions the “cheerleaders and supporters of security” across an organization.
MongoDB is a database platform to build web and mobile applications. It powers everything from popular online game Fortnite to dating site eHarmony’s real-time communication system. The company is headquartered in the US and has 2,000 employees globally.
“We need to assure customers we’re keeping our applications secure and we want to show our internal customers they’re working in a secure environment,” says Smart.
MongoDB’s cybersecurity champions program was one of Smart’s first initiatives when she joined the company last year. A 20-year industry veteran, she implemented two similar programs in previous CISO roles at international electronic trading platform Tradeweb and another at New York Power Authority.
Smart says security experts inside an organization may have a limited perspective because they’re looking through a tight lens.
Having experts from other departments helps expand the view. It also makes other teams feel invested when it comes to security.
Chief Information Security Officer, MongoDB
Weaving security through software development
Security champions schemes are adopted most in software development, particularly with the trend toward DevOps. DevOps means combining software development and IT operations teams and processes to speed up development. As the need grew to scale DevOps projects faster while minimizing software vulnerabilities, organizations looked for ways to embed security into the development process. They called the approach DevSecOps.
“Security champions programs aim to build a better security culture and get DevOps to create secure software more reliably,” says Dan Cornell, Chief Technology Officer (CTO) with US application security company Denim Group.
Cornell is a big proponent of cybersecurity champions and has helped many organizations launch programs. He says their aims vary depending on the industry, regulatory environment and company culture. For DevOps, he says, champions make security knowledge more accessible to the development team.
It’s a way of pushing security knowledge to the edges of an organization.
Chief Technology Officer, Denim Group
Having run successful security champions programs outside of software development, Smart says the rules are transferable. “There’s no difference in how you set it up from one company to the next.”
The champions are colleagues from different roles, teams and departments. Smart particularly wants participants who don’t have “security” in their job title or responsibility. “The champions want to learn and understand security and how they can help the company to be more secure,” she says.
At MongoDB, the program is voluntary and relatively informal. Champions are encouraged to attend monthly meetings with ideas for training and other things they want to do.
Building cybersecurity culture from the bottom up
Organizations often approach cybersecurity culture from the top down, starting at the C-Suite (executive-level managers.) University College London (UCL) surveyed more than 800 employees in one organization and found attitudes toward security varied greatly between the company’s divisions. They recommended a bottom-up approach to help get buy-in from people at all levels.
The study’s co-author and lecturer at UCL’s Department of Security and Crime Science Ingolf Becker thinks a security champions program works because it’s a two-way street. “It promotes security at all levels, but it’s also an opportunity for management to get feedback about what’s happening on the ground.”
Smart says sometimes the best ideas for improving security comes from people who “don’t live under the scrutiny of the CISO every day. It gives you, as the CISO, a view you wouldn’t otherwise have.”
Champions making cybersecurity communication clearer
Smart measures the success of a champions program by how much feedback she gets on initiatives and efforts. For example, a new data-retention policy for a communication app the company was using: “Data-retention policies can be disruptive. We wanted to make sure we were asking the right questions and giving the right information to those affected,” she explains.
She put the champions to work. They met as a group and reviewed the draft memo. The champions took it apart, discussing what could be improved, what needed more information, and so on. That input, she says, saved her security team a lot of angst. “We finessed what was going to be a disruptive piece of communication,” she says.
She knew it worked because emails came in thanking them for the clarity of the message. People appreciated the efforts put in by those outside the CISO’s core team.
How to implement a cybersecurity champion program
Becker says security champions must not be security people. “They’re employees who are ‘one of us,'” he says. “I think most organizations could benefit from having this local expertise about what security means to an organization.”
He says at organizations he’s worked with, the program was often organic – started by people or teams who took it upon themselves to promote security. In those instances, formalizing the program helps to provide training and resources to develop it.
To start a program, Smart recommends CISOs get executive support. At MongoDB, she started by pitching the idea to her manager, the company’s CTO. “He loved the idea,” she says. “Support from the top is fundamental, or it won’t be a success.”
You must also work out what kind of commitment participants need, based on how often the champions meet and other tasks they do. The next phase is to promote the program and recruit volunteers – an online survey is a good way.
After pitching her idea to the CTO, Smart enrolled the company’s communication experts to raise awareness, including the benefits of the program to the organization. When employees stepped forward, their supervisors had to sign off. Smart had conversations with the managers who were uncertain and explained how volunteering could fit around the employee’s day-to-day role.
“Because it’s voluntary, some months you may have five people in the room and some months 20,” Smart says. “Don’t be disheartened if the numbers go down. They’ll come up again.”
To grow the program, look for ways to promote the champions’ work and impact. MongoDB includes “day in the life” stories about the champions in the company’s security newsletter.
Championing security helps develop careers
Gartner says cybersecurity champions programs are a zero- or low-cost way to accelerate your security message. Some organizations may offer incentives, and in DevOps scenarios, being a champion may become a full-time role.
At MongoDB, the champions aren’t there for perks, but there are benefits. They learn things and serve as leaders to their peers.
Smart, too, found an unexpected benefit: Two of the champions later joined her team. “They’re now a bridge between the old and new ways of security,” she says.
Becker believes just about any organization could implement a cybersecurity champions program. But there’s one caveat. “You must be willing to listen and change based on the input of champions,” he says.
Smart notes the champions share a common goal. “We’re all trying to solve the same problem: Keeping the data safe and the bad actors out,” she says. The program lets her talk to people she rarely speaks to about ways to improve security. “It’s a linking of the groups and a linking of the minds,” she says.
If you want to improve your security culture – and are willing to listen to employees with diverse perspectives – a security champions program is a great way to bring about long-lasting change.
This article was published in May, 2020.