06.06.2025 | Markus Günther | Article

Security Champions in the Field - From pure Awareness to a genuine Security Culture


As a (C)ISO, do you sometimes doubt whether your security program is having an effect beyond the technology, despite the extensive investments you have made to date?

  • Whether your messages are getting through to all business units, including your location in Ticino?
  • Whether employees from your BI department in Lausanne, where sensitive data is processed, are complying with directives and best practices, even when the end of the month is approaching?
  • Whether potential risks are reported across the board instead of being ignored?
  • Whether all managers throughout the company are pulling in the same direction instead of in different directions?
  • How you could grow your team and impact without hiring more people?

If you find yourself asking these questions, we have a solution for you - budget-friendly and tried and tested. In our article “Security Culture is more than Awareness”, we list five success factors for a successful security culture:

  • Leadership awareness from head to toe
  • Target group-oriented content and communication
  • Measurement of goals
  • Support from Security Champions in the field
  • Continuous improvement

This article is dedicated to the building block Security Champions in the field: it highlights how companies can take the first step and what they gain from doing so.

The initial situation: Too few resources for growing demand

In our mandates, we see time and again that cybersecurity teams are under pressure. Growing business requirements, new regulatory obligations and technical challenges demand their full attention. At the same time, the available resources such as time, budget and expertise are too limited, forcing many security initiatives to be restricted to what is technically possible or legally necessary. As a result, the people behind the technology are neglected. Dispersed locations, different local cultures and languages make it even more difficult to reach everyone.

This means that local contexts, individual needs and dealing with risks in everyday life are often inadequately addressed. Communication is top-down and falls flat. Awareness reaches many - but often changes little.

Without a connection to the working reality of the teams, security culture remains a nice goal - but not a movement. Increasing your own headcount would be an option - but in most cases this is not up for discussion. Are there other options?

The opportunity: Security Champions as cultural mediators on site

Champions are locally based employees with a broader understanding of security - and the ability to mediate between the central security function and day-to-day operations. They know the language, processes and challenges of their teams and position security requirements in such a way that they are perceived as support rather than a hurdle. At the same time, they provide valuable feedback to the central team - and thus improve the strategic direction of security work.

While Security Champions have long been established in IT teams, they are still lacking in many areas of operational business - even though this is where the potential is greatest. Centralized awareness campaigns may reach many, but they change little. What is needed is timeliness, proximity, relevance - and people on the ground who make security visible and bring it to life.

Tangible security culture - what a champions program can achieve

1. Make leadership visible - security starts in everyday life

Instead of the CEO talking up security culture top-down in town halls, champions act as tangible, local representatives of the security strategy - visible, approachable and credible.

Practical impulse: Providing champions with the “blessing from above” demonstrates: The topic is not just an IT matter - it is a management mandate.

2. Enable communication - bidirectional instead of top-down

Champions are a feedback channel: they listen to their colleagues, recognize uncertainties, take up feedback - and feed it back into the security team.

Practical impulse: Champions build bridges between strategy and reality - and turn security into a dialog, not a monologue.

3. Enable involvement - participation instead of dictation

Culture is created through participation. With a champions program, security is no longer experienced as a collection of directives, but as a format that you can help shape yourself.

Practical impulse: Those who are allowed to participate take responsibility. Champions enable this participation - decentralized, effective, sustainable.

4. Strengthen the error culture - security also means being allowed to address mistakes

Champions help to reduce reporting inhibitions and promote a constructive approach to security incidents - before they escalate.

Practical impulse: Champions turn silence into action - and fear into an opportunity for improvement.

The lever: Increasing security without increasing costs

The introduction of security champions requires initial training to impart the necessary know-how, a solid understanding of their role and good integration with the central team. However, the return is high - not only in the form of improved security processes, but also in the form of measurable cultural effects.

Our experience shows:

  • Vulnerabilities are discovered where no one else is looking.
  • Exchanges are faster, simpler and achieve more.
  • Managers have a direct local point of contact for security.
  • The existing security know-how is often greater than expected.
  • The motivation to work on an important topic is high.
  • Training is targeted to where it is needed.
  • Cooperation with the security team improves noticeably.

And best of all: All this happens without an additional headcount in the security team - but through the targeted activation of existing resources.

But the big question is: where and how to start?

Concept as start and goal

Everything starts with a concept. What should be achieved? Which tasks should be delegated? Over time, multi-level champions with different experiences and tasks will make sense - but in the beginning: keep it simple! Define small, achievable goals.

Selection of the pilot

You should start with a pilot, limited in time and scope, to gain initial insights before addressing a larger audience. But where exactly to start? The answer is specific to each organization and depends on three factors: the role of the business unit, the willingness of its employees - and the commitment of its managers.

Communication

Emphasize the benefits for managers and volunteers and sell them! However, communication does not end with initial marketing, but begins with it. Constant communication via dedicated channels is important and shows volunteers that they are not on their own.

Review & continuous improvement

Regularly review the goals you have set and obtain targeted feedback from the pilot. In the spirit of the 80/20 rule, the start will not be perfect, but as a learning organization you mature the concept along the way.

Conclusion: Security Champions as a strategic cultural measure

Security Champions in the field are more than internal multipliers. They are the missing link between technical and organizational security architecture and an active security culture. They address the human factor like no other measure. Used correctly, they help to translate abstract security goals into concrete changes in behavior - and to support the pillars of a strong culture.

Security Champions bring culture to where it works: to the people.

Do you want to start with 5 volunteers instead of 10'000 emails? Let’s talk about what a pilot program could look like for you. Let’s exchange ideas without obligation.


How champions can contribute to a positive security culture, using the example of SBB:

What happens when security culture is lacking?
Two examples of attacks in which a lack of security culture was identified as a factor:

About the author

Markus Günther
Senior Security Consultant
MSc IT GRC Management
CISA, GCFA, CISSP, SSAP

Promoting security culture and awareness and conducting strategy and compliance assessments are my passion. Thanks to my many years of experience in the practical implementation of these topics, I know the challenges at first hand. I use this knowledge to provide my clients with practical advice and develop tailor-made solutions.

