{"id":35645,"date":"2023-09-20T00:34:41","date_gmt":"2023-09-20T04:34:41","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=35645"},"modified":"2023-09-20T04:33:42","modified_gmt":"2023-09-20T08:33:42","slug":"cybersecurity-champions","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/cybersecurity-champions\/35645\/","title":{"rendered":"Cybersecurity champions could be your secret weapon in raising employee cyber-awareness"},"content":{"rendered":"<p><a href=\"https:\/\/commercial.allianz.com\/news-and-insights\/expert-risk-articles\/financial-services-risks.html\" target=\"_blank\" rel=\"noopener nofollow\">Cyber incidents continue to rank as the top risk<\/a> for Financial Services companies. With 57 percent of <a href=\"https:\/\/www.csiweb.com\/what-to-know\/content-hub\/blog\/bankers-identify-top-three-cybersecurity-threats-for-2022\/\" target=\"_blank\" rel=\"noopener nofollow\">banking executives saying their primary cybersecurity concern<\/a> is <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/heathrow-airport-cybersecurity-education\/44618\/\" target=\"_blank\" rel=\"noopener nofollow\">phishing<\/a> attacks targeting employees, cybersecurity needs to be everyone\u2019s business \u2013 not just the IT department\u2019s problem. A cyber-secure work culture will make businesses more resilient to threats.<\/p>\n<p>According to <a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2023\/01\/12\/how-to-build-a-network-of-security-champions-in-your-organization\/?sh=3a44215f7b04\" target=\"_blank\" rel=\"noopener nofollow\">Forbes, business-reported cyberattacks keep rising each quarter<\/a>. 
Meanwhile, \u201cThe cyber skills gap continues to widen, with 3.4 million vacancies for cyber pros globally this year, up from 2.7 million in 2021.\u201d<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/the-human-factor-in-it-security\/\" target=\"_blank\" rel=\"noopener nofollow\">Employee behavior is one of the biggest factors behind cybersecurity incidents<\/a>. Change how your employees understand cybersecurity with a <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-awareness-business-2019\/29183\/\" target=\"_blank\" rel=\"noopener nofollow\">cyber-aware work culture<\/a>, and you\u2019ll substantially reduce the risk of compromise.<\/p>\n<p>One way of raising cybersecurity awareness at work is through a cybersecurity champions program.<\/p>\n<p>Forbes reports <a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2023\/01\/12\/how-to-build-a-network-of-security-champions-in-your-organization\/?sh=6daa262c7b04\" target=\"_blank\" rel=\"noopener nofollow\">phishing, malware-spiked emails, social engineering and compromised credentials account for nearly 30 percent of cyberattacks<\/a>. As all of these are linked to a lack of employee cyber awareness, getting everyone up to speed on today\u2019s cyberattacks could prevent many attacks.<\/p>\n<h2>Why cybersecurity champions change business culture<\/h2>\n<p>Lena Smart, Chief Information Security Officer (CISO) for <a href=\"https:\/\/www.mongodb.com\/\" target=\"_blank\" rel=\"noopener nofollow\">MongoDB<\/a>, calls cybersecurity champions the \u201ccheerleaders and supporters of security\u201d across an organization.<\/p>\n<p>MongoDB is a database platform to build web and mobile applications. It powers everything from popular online game Fortnite to dating site eHarmony\u2019s real-time communication system. 
The company is headquartered in the US and has 2,000 employees globally.<\/p>\n<p>\u201cWe need to assure customers we\u2019re keeping our applications secure and we want to show our internal customers they\u2019re working in a secure environment,\u201d says Smart.<br>\n<img decoding=\"async\" class=\"aligncenter size-large wp-image-35647\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/05\/22102919\/cybersecurity_champions_inline-1024x724.jpg\" alt=\"cybersecurity champions\" width=\"1024\" height=\"724\"><br>\nMongoDB\u2019s cybersecurity champions program was one of Smart\u2019s first initiatives when she joined the company last year. A 20-year industry veteran, she implemented two similar programs in previous CISO roles at international electronic trading platform Tradeweb and another at New York Power Authority.<\/p>\n<p>Smart says security experts inside an organization may have a limited perspective because they\u2019re looking through a tight lens.<\/p>\n<blockquote><p>Having experts from other departments helps expand the view. It also makes other teams feel invested when it comes to security.<\/p>\n<cite><p><strong>Lena Smart<\/strong><\/p><p>Chief Information Security Officer, MongoDB<\/p><\/cite><\/blockquote>\n<h2>Weaving security through software development<\/h2>\n<p>Security champions schemes are adopted most in software development, particularly with the trend toward DevOps. DevOps means combining software development and IT operations teams and processes to speed up development. As the need grew to scale DevOps projects faster while minimizing software vulnerabilities, organizations looked for ways to embed security into the development process. 
They called the approach DevSecOps.<\/p>\n<p>\u201cSecurity champions programs aim to build a better security culture and get DevOps to create secure software more reliably,\u201d says Dan Cornell, Chief Technology Officer (CTO) with US application security company <a href=\"https:\/\/www.denimgroup.com\/\" target=\"_blank\" rel=\"noopener nofollow\">Denim Group<\/a>.<\/p>\n<p>Cornell is a big proponent of cybersecurity champions and has helped many organizations launch programs. He says their aims vary depending on the industry, regulatory environment and company culture. For DevOps, he says, champions make security knowledge more accessible to the development team.<\/p>\n<blockquote><p>It\u2019s a way of pushing security knowledge to the edges of an organization.<\/p>\n<cite><p><strong>Dan Cornell<\/strong><\/p><p>Chief Technology Officer, Denim Group<\/p><\/cite><\/blockquote>\n<p>Having run successful security champions programs outside of software development, Smart says the rules are transferable. \u201cThere\u2019s no difference in how you set it up from one company to the next.\u201d<\/p>\n<p>The champions are colleagues from different roles, teams and departments. Smart particularly wants participants who don\u2019t have \u201csecurity\u201d in their job title or responsibility. \u201cThe champions want to learn and understand security and how they can help the company to be more secure,\u201d she says.<\/p>\n<p>At MongoDB, the program is voluntary and relatively informal. Champions are encouraged to attend monthly meetings with ideas for training and other things they want to do.<\/p>\n<h2>Building cybersecurity culture from the bottom up<\/h2>\n<p>While the C-Suite\u2019s involvement is crucial in setting the tone and providing resources, the real strength of a cybersecurity culture is in the entire workforce\u2019s commitment and enthusiasm.<\/p>\n<p>Robust protection against cyber threats means building a cybersecurity culture from the ground up. 
Within a good security culture, people engage with cybersecurity, leading to growing awareness which reduces business vulnerability to attack. When staff feel invested in the organization\u2019s security, they become its first line of defense. When you foster a sense of joint initiative, employees at all levels help build the culture and security becomes ingrained in their daily practices.<\/p>\n<p>UCL Department of Security and Crime Science lecturer, Ingolf Becker, says a <a href=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2018\/03\/eurousec2017_07_Becker_paper.pdf\" target=\"_blank\" rel=\"noopener nofollow\">security champions program works because it\u2019s a two-way street<\/a>. \u201cIt promotes security at all levels, but it\u2019s also an opportunity for management to get feedback about what\u2019s happening on the ground.\u201d<\/p>\n<p>Smart says sometimes the best ideas for improving security come from people who \u201cdon\u2019t live under the scrutiny of the CISO every day. It gives you, as the CISO, a view you wouldn\u2019t otherwise have.\u201d<\/p>\n<h2>Champions making cybersecurity communication clearer<\/h2>\n<p>Smart measures the success of a champions program by how much feedback she gets on initiatives and efforts. For example, a new data-retention policy for a communication app the company was using: \u201cData-retention policies can be disruptive. We wanted to make sure we were asking the right questions and giving the right information to those affected,\u201d she explains.<\/p>\n<p>She put the champions to work. They met as a group and reviewed the draft memo. The champions took it apart, discussing what could be improved, what needed more information, and so on. That input, she says, saved her security team a lot of angst. \u201cWe finessed what was going to be a disruptive piece of communication,\u201d she says.<\/p>\n<p>She knew it worked because emails came in thanking them for the clarity of the message. 
People appreciated the efforts put in by those outside the CISO\u2019s core team.<\/p>\n<h2>How to implement a cybersecurity champion program<\/h2>\n<p>Becker says security champions must not be security people. \u201cThey\u2019re employees who are \u2018one of us,\u2019\u201d he says. \u201cI think most organizations could benefit from having this local expertise about what security means to an organization.\u201d<\/p>\n<p>He says at organizations he\u2019s worked with, the program was often organic \u2013 started by people or teams who took it upon themselves to promote security. In those instances, formalizing the program helps to provide training and resources to develop it.<\/p>\n<p>To start a program, Smart recommends CISOs get executive support. At MongoDB, she started by pitching the idea to her manager, the company\u2019s CTO. \u201cHe loved the idea,\u201d she says. \u201cSupport from the top is fundamental, or it won\u2019t be a success.\u201d<\/p>\n<p>You must also work out what kind of commitment participants need, based on how often the champions meet and other tasks they do. The next phase is to promote the program and recruit volunteers \u2013 an online survey is a good way.<\/p>\n<p>After pitching her idea to the CTO, Smart enrolled the company\u2019s communication experts to raise awareness, including the benefits of the program to the organization. When employees stepped forward, their supervisors had to sign off. Smart had conversations with the managers who were uncertain and explained how volunteering could fit around the employee\u2019s day-to-day role.<\/p>\n<p>\u201cBecause it\u2019s voluntary, some months you may have five people in the room and some months 20,\u201d Smart says. \u201cDon\u2019t be disheartened if the numbers go down. They\u2019ll come up again.\u201d<\/p>\n<p>To grow the program, look for ways to promote the champions\u2019 work and impact. 
MongoDB includes \u201cday in the life\u201d stories about the champions in the company\u2019s security newsletter.<\/p>\n<h2>Championing security helps develop careers<\/h2>\n<p>Gartner says <a href=\"https:\/\/www.gartner.com\/smarterwithgartner\/build-a-network-of-champions-to-increase-security-awareness\/\" target=\"_blank\" rel=\"noopener nofollow\">cybersecurity champions programs are a zero- or low-cost way to accelerate your security message<\/a>. Some organizations may offer incentives, and in DevOps scenarios, being a champion may become a full-time role.<\/p>\n<p>At MongoDB, the champions aren\u2019t there for perks, but there are benefits. They learn things and serve as leaders to their peers.<\/p>\n<p>Smart, too, found an unexpected benefit: Two of the champions later joined her team. \u201cThey\u2019re now a bridge between the old and new ways of security,\u201d she says.<\/p>\n<p>Becker believes just about any organization could implement a cybersecurity champions program. But there\u2019s one caveat. \u201cYou must be willing to listen and change based on the input of champions,\u201d he says.<\/p>\n<p>Smart notes the champions share a common goal. \u201cWe\u2019re all trying to solve the same problem: Keeping the data safe and the bad actors out,\u201d she says. The program lets her talk to people she rarely speaks to about ways to improve security. 
\u201cIt\u2019s a linking of the groups and a linking of the minds,\u201d she says.<\/p>\n<p>If you want to improve your security culture \u2013 and are willing to listen to employees with diverse perspectives \u2013 a security champions program is a great way to bring about long-lasting change.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A network of employees outside IT who promote cybersecurity to their colleagues can do wonders for an organization\u2019s security culture.<\/p>\n","protected":false},"author":2568,"featured_media":35646,"template":"","coauthors":[3807],"class_list":{"0":"post-35645","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-cybersecurity-training-cybersecurity","7":"emagazine-category-leadership","8":"emagazine-tag-careers","9":"emagazine-tag-education","10":"emagazine-tag-professional-advice"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/cybersecurity-champions\/35645\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/cybersecurity-champions\/22413\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/cybersecurity-champions\/20542\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/35645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2568"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/35646"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=35645"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspers
ky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=35645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}