What is a security champion?
The concept of a security champion (SC) first emerged in the developer community, where security champions were the people who could bridge the gap between application development and security. In recent years, the role has spread to small-to-medium-sized businesses.
A security champion identifies and manages risk within an organization while also establishing, nurturing and driving a security-minded culture. An SC does not necessarily have deep technical security expertise, although the role may carry some technical responsibilities. The SC acts as the liaison between the IT security team and all other employees.
Some of the key responsibilities of a security champion are to:
- Manage: recommend cybersecurity policies and best practices, and give clear direction on what action to take
- Mature the organization: help build a robust, multi-layered (defense-in-depth) security practice
- Define process: give the team the procedures, tools and training it needs to maintain a consistently high level of security
Since every organization and industry is unique, the SC first needs to do some groundwork to build a shared understanding of the current state. It is their job to select a recognized security framework for the organization to follow, perform a gap analysis against it, and turn the findings into scheduled, recurring tasks. Security is not a one-and-done task.
When it comes to risk, the security champion assesses and analyzes threats and then implements controls that prevent incidents, reduce their impact, and allow the organization to recover. These risks range from a lost laptop to a data breach to lost productivity. If a data breach does occur, an Incident Response (IR) plan, prepared in advance, defines the steps for containment and recovery.
Security champions are the extended eyes and ears of security teams.
Technology is always changing, and the laws and regulations that govern our use of technology are always evolving. As a result, what employees are expected to know and do about security also changes over time. As noted, security is not one-and-done. Password guidance is a good example: practices that were once considered best practice have been revised as standards have matured.
It is the role of the security champion to communicate these changes and to bridge the knowledge gap by translating technical standards into language that everyone at your organization can understand.
No Security Champion?
If you have questions about the role or purpose of a security champion, please visit our training page to register for the next webinar or contact us to schedule a meeting to learn about the risks of poor cyber hygiene at your business.