What will the legacy of security leaders be in the years to come? Will they be remembered as the defenders of the cyber realm, as heroes, or will history view them as annoying barriers who did nothing but slow down innovation?
Many security leaders agree that too many times, the security team is viewed as the Department of No. Now, some may believe that the end justifies the means. Every third party needs to be audited in great detail, passwords should be unique and 32 characters long, while all data needs to be encrypted at all times. These may be good ideas, put forward with the best of intentions, but they can lead to unintended consequences.
In the 1800s, nitroglycerin was used by miners and anyone else who needed an explosion to clear rocks. However, it was extremely unstable and many people who worked with it died.
In 1864, a young man, Emil Nobel, was killed while working in a nitroglycerin factory when it blew up. His older brother Alfred was a scientist and a pacifist, and he made it his mission to make nitroglycerin safe.
After much effort, he discovered that nitroglycerin was absorbed to dryness by kieselguhr, an absorbent sand, and the resulting mixture was much safer to use and easier to handle than nitroglycerin alone.
Alfred made the world a safer place and through his discovery, probably saved hundreds of lives. However, misfortune struck once again when his older brother died of an illness. A French newspaper confused the brothers and reported that Alfred had died with the headline, “Nobel, the merchant of death is dead.” The paper went on to describe Alfred as the man who got rich by finding ways to kill more people faster than ever before.
Alfred was shocked. In his mind, he was a pacifist, a humanitarian, someone who wanted to help people. But he was being portrayed as a monster for discovering dynamite. This was not how he wanted to be remembered, so he thought long and hard about how to change the narrative to one that aligned with who he felt he was as a person.
So, he founded the Nobel Awards. Yes, those Nobel Awards which scientists covet in categories of science, chemistry, medicine, literature, along with the special ‘Nobel Peace Prize’. By creating a mechanism through which others’ positive contributions are recognised, Alfred Nobel redefined his own legacy.
Cybersecurity can be challenging. Sometimes there is no alternative but to be the Department of No. But it does not have to end there, and that certainly does not have to be the long-term legacy of security teams.
A champions’ program is a great way to have advocates in every department who can embed the security message across the organisation. By building a group of security champions, security professionals ensure a constant stream and reinforcement of security messaging moving throughout the organisation.
But more than that, when done correctly, the security champions will feel empowered and recognised. It can become a badge of honour that others within the organisation want to wear. Through lifting up and recognising others, maybe some of the positivity will reflect back on the security team, and leave a more fitting legacy, much like that of Alfred Nobel.
Parting Thoughts on Building Security Champions
- Security champions are to be considered as local extensions and culture carriers of an overall security program.
- Champions do not need to be security experts, but they should be influencers in their areas.
- Provide champions with the right messaging content and allow them the liberty to translate and communicate that content in ways that are most effective for their audience.
- Localising an organisation’s security message through champions gives it tremendous reach that it may not otherwise have had.
- Ideally, champions should spend no more than two years in the role so that security professionals can circulate fresh thinking continuously and provide others with the opportunity.
- Consider having an application process coupled with an interview and manager recommendation.
- Champions are an integral part of driving the culture and sharing feedback on what is and is not working.
- Consider incorporating champions’ participation into a formal performance review and/or some other type of recognition.