A strong security culture is the foundation of an effective security program. Building a security culture across the organization and engaging multitudes of stakeholders beyond the security team, however, is neither a simple task nor one that can easily be completed in the short term. Building such a security culture across an organization is a long game, and one that security and risk (S&R) professionals can’t play alone.
That’s why we’re revisiting essential research that explores how to build a security champions network, examining how security champion networks can help scale influence, embed security into everyday decisions, and foster trust across the business.
The premise remains simple but powerful: security culture – the set of attitudes, cognition, norms and responsibilities around cybersecurity – will not grow from mandates and training. Rather, security culture change is a nebulous task that requires vision, strategy and people. It also requires security pros to venture outside the confines of the security team and engage the wider organization.
What Has Changed?
Build A Security Champions Network was one of my first research projects at Forrester. We published the original research in 2019. I haven’t updated it since then because it’s stood the test of time. Forrester clients still regularly ask me about building a champions network and building security culture, although many are now naming it differently, such as a Security Ambassador Program.
But the time has come to update this research. As organizations move away from security awareness and training (SA&T) to human risk management (HRM), security teams now have a far deeper view of the risks caused by and to the workforce, driven by the workforce’s behaviors.
HRM’s data-driven approach brings the power to understand not only people’s behaviors, but also how security tools and processes come together to protect the workforce. But, with great power comes great responsibility. Security and risk leaders must continuously and collaboratively work with the workforce to offer the right interventions, tools, and processes to the right people and teams at the right time.
Moreover, security teams are pushed to (and often beyond) their limits by the continuous onslaught of threats, budgets that are stretched thin, and toxicity infecting organizations. Extending the security team with champions helps build trust, engender awareness, gain visibility, and empathize with stakeholders who may not speak the language of security but still shape its outcomes. These networks are not just a tactical fix; they are a strategic necessity.
What To Expect From This Research
This research will guide S&R leaders through the process of building – or rebuilding – a network of security champions that reflects today’s realities. We will revisit our existing research, exploring what facets still hold true, which have changed with the times, and what new practices have emerged over the past few years. This will involve engaging leaders in interviews, as well as exploring the global best practices of how these networks are designed and built.
If anyone wants to speak to us about what’s hot, what’s not in this field, let my senior research associate Chiara know ([email protected]), and Chiara will schedule a research interview.