How to Build a Network of Security Champions Within Your Organization

Improving security awareness with specialized programs is essential for small businesses and large corporations alike, but is it enough?

According to Joanna Huisman, research director at Gartner: “The problem is that these traditional security awareness approaches are not flexible enough to meet the cultural or local needs of diverse audiences, especially in global corporations.”

Gartner suggests a security champions program can help “accelerate your security message” at little or no cost to the company. Internal gurus with different skills can act as security mentors, researchers, moderators, negotiators, and trainers.

Enterprises may benefit from building such a network of security champions (NoSC) that will promote and improve the security behaviors of employees in the long term. It looks like a good time to jump on the bandwagon, before your competitors do. Gartner predicts: “By 2021, 35 percent of enterprises will implement a security champion program, up from less than 10 percent in 2017.”

What Is a Security Champion?

OWASP defines this role player as:

  • An active member of a team whose brief it is to help decide if and when to engage the “real” security ninjas in the basement. Membership in this team does not exclude them from membership of other teams; in fact, their role as a champion usually requires that this person wear multiple hats.
  • A member of a product or other type of team that acts as the “voice” of security for it, e.g. the finance department might select Sue to act as their security liaison on issues relating to finance, and Joe might be the security voice for Human Resources
  • The go-to person who assists in the triage of bugs and other security issues for their team

We will mention some alternative models for the champion role in the conclusion. First, let’s explore what is

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Penny Hoelscher. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/8QML2frkxHI/