If you work for a large organization, chances are you’ve been asked to complete computer-based security awareness training, such as an anti-phishing behavior management course.
“The problem is that these traditional security awareness approaches are not flexible enough to meet the cultural or local needs of diverse audiences, especially in global corporations,” says Joanna Huisman, research director at Gartner.
Security leaders consistently struggle with communicating the importance of a culture that is security-aware. Employees often see security as a responsibility of a single group, making it hard to achieve truly shared accountability for an overall secure environment.
How security champions help
Creating a security champion program is a low- or zero-cost way to accelerate your security message. It forms a network through which a consistent stream of security information can be broadcast at a local level.
Security champions are members of the business, IT, development or delivery team who receive additional training on pertinent security issues. They may not get into the technical aspects of security issues; rather, they act as local gurus who can answer questions, recommend training, and work with security experts to find answers to deeper questions or escalate issues.
“A good security champion program improves the integrity and reach of your security culture, and by localizing the security representation throughout the business, your reach into the organization will become that much deeper,” Huisman says.
Gartner predicts that by 2021, 35% of enterprises will implement a security champion program, up from less than 10% in 2017.
Build your network of champions
Huisman offers four key recommendations for security and risk management leaders overseeing information security programs to ensure a successful security champion program.
- Make clear connections between the security champion program and business objectives to get executive support for the program. Resist using the "My program is the most critical investment you will make" approach. Rather, security leaders will have a much more persuadable audience if their program is a cornerstone of any effort intended to achieve business objectives.
- Build a network of champions that is inclusive of all roles and geographies across the enterprise. The right mix of representatives will come through manager nomination and volunteering. It is important to identify employees who have a solid understanding of how their respective communities work, and have the influence to be heard and drive change.
- Present the role of a champion as a developmental opportunity and integrate it into performance development plans. The champions should have a way to assess their performance, the contributions they are making to the team and the impact they are having on their community. Build in a recognition and reward system to drive interest and output.
- Allow champions to take creative liberties with the content to better suit their audiences. Package all materials into toolkits for consistency across the enterprise, but allow champions to tailor the content and the execution in their local markets.