A strong security culture is the foundation of an effective security program. However, building a security culture across the organization and engaging multitudes of stakeholders beyond the security team is neither a simple task nor one that can easily be completed in the short term. Building a security culture across an organization is a long game, and one that security and risk (S&R) professionals can’t play alone.
That’s why we’re revisiting essential research that explores how to build a security champions network, examining how security champion networks can help scale influence, embed security into everyday decisions, and foster trust across the business.
The premise remains simple but powerful: security culture — the set of attitudes, cognition, norms and responsibilities around cybersecurity — won’t grow from mandates and training. Rather, security culture change is a nebulous process that requires vision, strategy and people. It also requires S&R pros to venture outside the confines of the security team and engage the wider organization.
What’s Changed?
Build A Security Champions Network was one of my first research projects at Forrester. We published the original research in 2019. I haven’t updated it since then because it’s stood the test of time. Forrester clients still regularly ask me about building a champions network and building a security culture, although many are now naming it differently, such as a Security Ambassador Program.
But the time has come to update this research. As organizations move away from security awareness and training (SA&T) to human risk management (HRM), security teams now have a far deeper view of the risks caused by and to the workforce, driven by the workforce’s behaviors.
HRM’s data-driven approach brings the power to understand not only people’s behaviors, but also how security tools and processes come together to protect the workforce. But, with great power comes great responsibility. S&R leaders must continuously and collaboratively work with the workforce to offer the right interventions, tools, and processes to the right people and teams at the right time.
Moreover, security teams are pushed to (and often beyond) their limits by the continuous onslaught of threats, thin budgets, and toxicity infecting organizations. Extending the security team with champions helps your security team to build trust, engender awareness, gain visibility, and empathize with stakeholders who may not speak the language of security but still shape its outcomes. These networks aren’t just a tactical fix — they’re a strategic necessity.
What To Expect From This Research
This research will guide S&R leaders through the process of building — or rebuilding — a network of security champions that reflects today’s realities. We’ll revisit our existing research, exploring what facets still hold true, which have changed over time, and what new practices have emerged over the past few years. This will involve engaging leaders in interviews and exploring the global best practices of how these networks are designed and built.
If anyone wants to speak to us about what’s hot — and what’s not — in this field, let my senior research associate Chiara know ([email protected]) and Chiara will schedule a research interview.














