A global leader in offering research and advisory services, Gartner offers indispensable insights, advice and tools to business leaders to achieve their mission-critical business goals.
A well-designed security champion program will support long-term behavior change.
If you work for a large organization, chances are you’ve been asked to complete computer based security awareness training, such as an anti-phishing behavior management course.
The problem is that these traditional security awareness approaches are not flexible enough to meet the cultural or local needs of diverse audiences, especially in global corporations. Security leaders consistently struggle with communicating the importance of a culture that is security-aware. Employees often see security as a responsibility of a single group, making it hard to achieve truly shared accountability for an overall secure environment.
How Security Champions Help
Creating a security champion program is a low-/zero-cost way to accelerate your security message. It forms a network through which a consistent stream of security information can be broadcast at a local level.
Security champions are members of the business, IT, development or delivery team who receive additional training on pertinent security issues.
They may not get into the technical aspects of security issues, but rather act as local gurus who can answer questions, recommend training, and work with security experts to find answers to deeper questions or escalate issues.
Gartner predicts that by 2021, 35 percent of enterprises will implement a security champion program, up from less than 10 percent in 2017.
-
A good security champion program improves the integrity and reach of your security culture
Joanna Huisman, Research Director, Gartner
Build your network of champions
Four key recommendations for security and risk management leaders overseeing information security programs to ensure a successful security champion program.
1. Make clear connections between the security champion program and business objectives to get executive support for the program. Resist using the ‘My program is the most critical investment you will make’ approach. Rather, security leaders will have a much more persuadable audience if their program is a cornerstone of any effort intended to achieve business objectives.
2. Build a network of champions that is inclusive of all roles and geographies across the enterprise. The right mix of representatives will come through manager nomination and volunteering. It is important to identify employees who have a solid understanding of how their respective communities work, and have the influence to be heard and drive change.
3. Present the role of a champion as a developmental opportunity and integrate it into performance development plans. The champions should have a way to assess their performance, the contributions they are making to the team and the impact they are having on their community. Build in a recognition and reward system to drive interest and output.
4. Allow champions to take creative liberties with the content to better suit their audiences. Package all materials into toolkits for consistency across the enterprise, but allow champions to tailor the content and the execution in their local markets.