FTI Consulting | Has Your Company Chosen Its Cybersecurity Champions Yet?

Building a culture of cybersecurity through informal advocates and the new role of the “BISO” is a cost-effective strategy for tightening your cyber defenses.

Chief Information Security Officers (CISOs) are buffeted from all sides today. With the expansion of remote workforces, technology upgrades seemingly on a daily basis, and brazen cyber actors ranging from teens on Twitter to state-sponsored hackers, the task of keeping company systems secure is like trying to stand still in a hurricane. Adding to the CISO’s concerns is the struggle to obtain budget and support requests from staff.

There’s a hack for that. Or rather, there’s a cost-effective strategy that, when employed, can improve cybersecurity throughout your organization organically. It calls for establishing and enhancing a culture in which all employees adhere to security best practices from top to bottom, simply because it is the right thing to do. The strategy’s success rests on building a human network within the organization through business information security officers (BISOs) and “security champions.”

Meet the Team

The BISO role is relatively new but is becoming more common at large organizations. These individuals are responsible for executing the organization’s information security program within their particular business unit. The key to a strong BISO is knowledge of information security policies and procedures, as well as in-depth understanding of how the business functions. This facilitates effective implementation of the most critical aspects of a security program with appropriate buy-in.

Less formalized, the security champion is a current workforce member, but in some respects just as crucial as the BISO. They know the processes, technology and challenges within their team or department. They are passionate about cybersecurity best practices and the organization’s cybersecurity program. Influential among their peers, and leaders by example, champions are key to achieving security “herd immunity” by serving as exemplar employees when it comes to adhering to security best practices.

Although there may already be de facto security champions within your organization, establishing a formal program is vital to supporting the security culture.

Your Best BISO

Desired attributes of a Business Information Security Officer include:

• Detailed understanding of information security, risk management and modern security controls.
• Ability to communicate, collaborate and influence effectively across different functions within the organization.
• Ability to balance multiple demands from internal and external stakeholders as well as executives and subordinates alike.
• Ability to oversee the implementation and execution of business objectives and organizational initiatives.
• Strong business acumen, influence management, and systems design and thinking skills.
• Ability to interpret and apply laws, regulations, policies, and guidance relevant to the organization’s cyber objectives.
• Ability to exercise judgment when policies and procedures are not well defined

Formidable Informality

Together with BISOs, security champions enforce security programs without the need for significant operational or capital expenses. Here’s how:

First, champions and BISOs operate closer to the front lines of cybersecurity with tacit authority to oversee — and influence — the culture, including response from their teams. For example, team members know to instinctively report suspected phishing emails upon receipt. Another example might be the simple act of an administrator double-checking database configurations and restrictions prior to first use, thus avoiding the need for formal oversight by a cybersecurity team anxious about a potential multimillion-dollar cyber incident.

Champions and BISOs can also be the first individuals outside of the cybersecurity team to spot where policies, procedures or controls are not working. They can identify not only where the program might be falling short, but whether any teams or departments are failing to adhere to policy. Seeing both sides of the issue is invaluable for improving, and maintaining, compliance.

Getting Started

How do you implement the culture within your organization? Start small. Identify the department or business unit with the greatest cyber risk and focus your initial efforts there. Look in particular at high-risk positions, such as development teams or teams that handle sensitive information. Ask directly for individuals who may be interested in becoming a security champion. Meet regularly and provide training on the security program. Listen to feedback. Make it known that these roles genuinely contribute to the overall security of the organization.

Although the champion program may start as an informal working group, developing a more formal structure and providing incentives to continue building momentum is wise. It should be understood that these roles take up at least a small portion of the individuals’ full-time jobs. To smooth buy-in up and down the org chart, the programs should become a part of the security strategic roadmap, with a business case made to strategic leadership.

Understanding how to organize the culture may be challenging at first, but a solid audit of your organization’s cybersecurity landscape can be helpful (see sidebar, “Taking Stock”). Knowing where the vulnerabilities lie, and the actions to take, can help a CISO stand up to the fiercest winds.

Taking Stock

Elements of a cybersecurity audit include:

• The most vulnerable entry points
• Cybersecurity compliance issues
• Policies, procedures, and staff gap analysis and design
• Third party audit & assessments
• Dark web intelligence monitoring
• Information governance, privacy & security concerns

Authors:

• Katie R. Donnelly, Managing Director
• Matt McManus, Director

Compliments of FTI Consulting – a member of the EACCNY.