This guest blog was contributed by Dustin Lehr, director of application security at Fivetran
Building awareness and improving compliance for security best practices can be one of the many eternal headaches for any security professional. You want your team to be safe and act responsibly, but a purely top-down approach can leave both employees and security teams frustrated at every turn. As more enterprises embrace data integration and other advancements in data-driven initiatives, keeping information safe and secure takes more attention than ever before. Yet, what’s best for security doesn’t always seem to align with every employee’s daily work priorities. So how can you inspire and incentivize employees to do the right thing?
With the growing combination of ransomware attacks, infrastructure vulnerabilities, and the ongoing scourge of phishing hitting enterprises, effective security needs to be a team effort. You need help from everyone to protect your organization from phishing attacks and to prevent security issues throughout an organization's software architecture and cloud infrastructure. You can’t automate everything - you will always ultimately need to rely on people to some extent.
So how can you get everyone on board? Creating a Security Champion program is an effective and proven method for building security awareness. It works because employees are much more open to hearing from their teammates who can help explain the reason for a particular procedure or policy in a context that applies to them. With this better understanding of relevance, employees are much more likely to adhere to security policies instead of seeking exceptions or workarounds.
To create a winning bottom-up program that gets the best results, these five tips will help engage your entire employee base while building a strong, security-focused culture throughout the enterprise.
1) Focus on the “why,” not just the “how”
Most employees understand the importance of physical security and safety to a company’s culture and workplace. Cyber security shouldn’t be any different. Most staff are not security experts and don’t need to be. Leaders think if they just tell people what to do, it will improve security at the company. But just saying something doesn’t mean it happens - helping people understand the reason why is necessary if you want change. Make sure to explain to your teams why they should focus on security, before telling them how they need to change. This is especially helpful for engineering teams looking to identify and implement good security practices - give that mission a greater sense of purpose.
2) The focus on security needs to start at the top…of every team
It’s important to have your executives and senior leaders regularly highlight the value of security as a company-wide priority, but this message needs to effectively trickle down and impact the priorities and actions of all leaders and managers across the company, no matter their level. When the message comes from your direct reporting line, you’re much more likely to pay attention.
3) Find your “allies”
Nobody likes being forced to focus on security, but you likely already have vigilant employees in your organization who truly care about security issues. These people will be your best advocates, and make great initial security champions.
These new allies can disseminate security guidelines and reminders to follow best practices, and the message will come from “the inside,” instead of from an “external” security presence (the security team). Since the champion is already a known and trusted teammate, their words will carry more weight.
It’s recommended to hold ongoing training and online seminars for your champions so they’re constantly learning knowledge and skills, and it is much more cost effective to have focused training for a handful of champions instead of the entire company. You can rely on the champions to disseminate the relevant information they learn in these seminars. Over time, the message to focus on secure practices will reach the late adopters and even the laggards at your company.
4) Recognition is one of your biggest motivators
Once your champions are on board, find a way to recognize and incentivize their security efforts in a way that works best for your specific culture. This could be as simple as providing a special icon that they can put on their profile image, or on their Zoom background to show their status in the program. It could be a shout-out at an all-hands meeting, or a mention in an internal company newsletter. Talk to your champions and find out what sort of recognition is important to them, and then use these kudos to showcase the importance of good security practices at your company.
Awarding “points” for specific actions like attendance, participation, and adherence to good security habits is an effective way to motivate them as well. You can even award karate-style “belt” levels and material prizes such as challenge coins, stickers, and T-shirts based on these points. The resulting visibility can make people feel that their actions are recognized and important, and builds on their own internal drive to do the right thing.
5) Empower, educate and evolve
Once your security champion program is established, you can utilize your belt or point system to set up different levels of trust and responsibility for each person. A beginner White Belt may just be asked to attend monthly live trainings and share what they learn with others. As champions rise through the ranks, they can move up to reviewing and analyzing security tool results, or signing off on risk exceptions. They can also eventually be trained to host the live trainings, or other events.
Empower your champions to protect your enterprise
Your security champions will be your saviors if there’s ever a disconnect between perceived corporate “needs” and security “requirements.” They can help see both sides of the issue, and guide the organization to a solution that supports business goals while also protecting the company.
A cultural movement at your company won't happen overnight. It takes time for change to happen. Using this guide, you can start to build a security culture that meets best practices, promotes employee engagement, and ensures security remains a top priority. Over time, you will see a major shift for the better as more people are encouraged to take an active role in securing your organization.
### About the Author
Dustin Lehr is the Director of Application Security at Fivetran, the leader in modern data integration. Dustin is also the co-founder of Katilyst Security, a passion project focused on helping companies create security culture through security champion programs. He has also authored The Security Champion Program Success Guide and runs the open discussion meetup “Let’s Talk Software Security.” Prior to Fivetran, Dustin was the head of Application Security at Staples.