How to Become a Security Champion: a CISO’s Perspective
Being in security for over 20 years, I’ve witnessed the dramatic threat landscape change, as well as the evolving cyber risks in various organizations along with all the amazing technology advancements in the world.
One of the results of that is for us to figure out ways to raise a security-aware culture, such that the corporations are not relying on a small cyber security team to mitigate cyber risks.
Of course, most cyber security teams are still responsible for multiple things, such as:
- provide guardrails and standards on how to do work securely,
- identify and possibly implement security controls, and apply automation wherever possible,
- handle detection, incident response, and other security operations tasks,
- help to govern and manage cyber risks across the company.
However, there is no way every company is able to hire a big team, or will have an unlimited budget for security. What CISOs (Chief Information Security Officers) would like to promote is a “shared responsibility model”, which highlights two parts:
- Security should be everyone’s responsibility. If you are an engineer, you know how important code quality is. The same goes for security: you should consider security as part of the quality in product development. If you are a business operations person, you know how important data quality and integrity are. Similarly, you should consider security as part of your criteria for your data analytics and reporting. If you are a customer success person, you know that trust is the key to the customers. Yes, security is part of the trust you want to deliver to them!
- Your CISO and security team are here to advise, guide, and support you in doing the right things. We can help educate the company on what to look for, what to do, and how to do it. In a world where threat actors are looking for any hole to poke, a human being is always the weakest link. If everyone can be a little more vigilant, that shuts many doors through which bad actors could come in! Since we are not experts in the business area, we need your support to bridge the gap and raise the company’s security-aware culture.
There are multiple ways to partner with businesses. Some companies, especially big companies with complicated business models, may adopt the approach of building BISO (business CISO) or RISO (regional CISO) teams to be closer to the business units. They could report to the CISO, or could report to the business with a dotted line to the CISO.
These teams are more focused on certain businesses or regions, and could hire people with specific backgrounds to support security work. For example, a BISO team member for an e-commerce business may have different expertise than a BISO team member for a pharmacy business.
However, most small and medium companies can’t afford to have robust BISO/RISO teams. CISOs most likely will rely on “security champions”.
Security champions are people who are scattered across an organization and show an above-average level of security interest, and who can help improve security in their existing position rather than being employed in a full-time security role. A security champion is more like a “satellite member” of the security team. There are two kinds of security champions:
- In the engineering or product development world, a security champion is an engineer or a very technical resource. The objective is to ensure security is included in the early stages of the software development lifecycle (SDLC), and to help govern risk mitigation in agile development.
- In other areas of an organization, a security champion is someone who can help articulate cyber risks and translate them into business risks, who can assist the business leader in coordinating risk mitigation, and who can bridge the communication and ensure the change management is smooth. Business Relationship Managers (BRMs) are great candidates for this kind of security champion if your organization has a BRM role.
The goal of a security champion is to help the business understand the risks and move the security-related effort (e.g. implementation or remediation) to a higher priority so the cyber risks can be properly managed and mitigated.
What do CISOs expect from security champions?
- Carry some knowledge of cyber security, either security engineering or security risks. Understand that security should not be a roadblock but an enabler for the business.
- Understand the business context in your business area. Each company and each business line has its own focus, regulations, and risks.
- Able to articulate the cyber risks clearly to non-technical people, and tie them to business risks. Be the frontline communicator for the security team.
- Know who is who in the organization and how to navigate through it to gain alignment and support.
- Work with stakeholders in the business to be the change agent, and to help with the change management such that the experience of implementing security controls is positive and seamless.
If you’re leading a BRM team, or if you’re a BRM and interested in becoming a security champion for your organization, you can try some of the following:
- Raise your hand so your CISO and security team know that BRMs are willing to partner with them.
- Request that your CISO and security team help continuously educate BRMs on security risks and mitigation, regulatory requirements, and other topics.
- Co-build an operating model with your security team to leverage BRMs as the security champions.
CISOs and security teams are not only about compliance. We’re here to enhance protection, strengthen business resilience, and enable the business. We’re here as an advisor to the business on enterprise risks, and we want to be the partner, supporter, and enabler for the business.
We share a common goal with the business even though we come from different angles. I hope you see that too, and I hope to see more BRMs become our security champions!
Yabing Wang is the VP and Chief Information Security Officer at Justworks, a tech-forward payroll company supporting small businesses. She has been in the technology world for over 25 years and has over 20 years of extensive leadership experience in cybersecurity across different industries.
She has built global security practices and strengthened cyber resilience at multiple Fortune 100 companies such as Allstate Insurance Company, Alight Solutions, Carrier Corporation, and H-E-B. Before her cyber journey, Yabing studied philosophy and computer science, and during the early days of her career, she worked in application development at Netscape.