A strong security culture is the foundation of an effective security program. But building a security culture across the organization and engaging multitudes of stakeholders beyond the security team is neither a simple task nor one that can easily be completed in the short term. Building a security culture across an organization is a long game, one that security and risk (S&R) professionals can’t play alone.

That’s why we’re revisiting essential research that explores how to build a security champions network, examining how security champion networks can help scale influence, embed security into everyday decisions, and foster trust across the business.

The premise remains simple but powerful: Security culture — the set of attitudes, cognition, norms, and responsibilities around cybersecurity — won’t grow from mandates and training. Rather, security culture change is a nebulous process that requires vision, strategy, and people. It also requires S&R pros to venture outside the confines of the security team and engage the wider organization.

What’s Changed?

Build A Security Champions Network was one of my first research projects at Forrester. We published the original research in 2020. I haven’t updated it since then because it’s stood the test of time. Forrester clients still regularly ask me about building a champions network and building a security culture, although many are now naming it differently, such as a security ambassador program.

But the time has come to update this research. As organizations move away from security awareness and training to human risk management (HRM), security teams now have a far deeper view of the risks caused by and to the workforce, driven by the workforce’s behaviors.

HRM’s data-driven approach brings the power to understand not only people’s behaviors but also how security tools and processes come together to protect the workforce. But with great power comes great responsibility. S&R leaders must continuously and collaboratively work with the workforce to offer the right interventions, tools, and processes to the right people and teams at the right time.

Moreover, security teams are pushed to (and often beyond) their limits by the continuous onslaught of threats, thin budgets, and toxicity infecting organizations. Extending the security team with champions helps your security team build trust, engender awareness, gain visibility, and empathize with stakeholders who may not speak the language of security but still shape its outcomes. These networks aren’t just a tactical fix — they’re a strategic necessity.

What To Expect From This Research

This research will guide S&R leaders through the process of building — or rebuilding — a network of security champions that reflects today’s realities. We’ll revisit our existing research, exploring which facets still hold true, which have changed over time, and what new practices have emerged over the past few years. This will involve engaging leaders in interviews and exploring global best practices for how these networks are designed and built.

If anyone wants to speak to us about what’s hot — and what’s not — in this field, let my senior research associate Chiara Bragato know (cbragato@forrester.com), and she will schedule a research interview.