A lack of a security-aware culture and talent shortages are two issues that you regularly hear brought up by security professionals. Employees don’t know about security, they often don’t care even if you try to educate them, and you don’t have enough people to do anything about it.
Many companies hope to address at least some of those issues by enlisting security champions: people who help promote the importance and value of security across the business.
Specialist information business, Ascential, previously known as EMAP, is using its security champions scheme to help spread security culture across the company and to supplement the security team with extra hands in times of need. It’s also a training and recruitment tool.
From newspapers to a modern, cyber-aware business
Originally born out of the consolidation of local newspapers in the UK, EMAP published a wide variety of newspapers and magazines across different verticals. Since rebranding as Ascential in 2015 and going public in 2016, the company has undergone a major transformation and now provides information services to help companies grow in today's digital economy.
Hamish Haughey, information security director at Ascential, started as a systems administrator before its rebrand. “Despite having a good couple of thousand employees around the world, there was no security team,” he says. “There was a security policy that existed somewhere on the intranet. No one really knew where it was. It was like a tick box exercise that everyone had forgotten about.”
Haughey decided to do something about it and found a cybersecurity masters course. He suggested to management that he should attend and then go about changing the security posture of the company. “I pitched that to my manager and to the CIO and they sponsored me to do the masters and create the information security function lead to step into.”
From service desks to security champions
Currently, Haughey has two people working alongside him in the security function with plans to hire another in the future. But like many in similar situations, there is always more work to do with limited resources. “One of our challenges is you’re always operating under constraints with a small team, and there's just too much work there for us,” he says.
To help overcome some of those resource limitations, Ascential runs a security champions scheme to supplement Haughey's team. Awarded a Security Serious Unsung Hero Award in 2019, the initiative takes nominated service desk engineers and gives them both security-related tasks and a role in promoting the company's security awareness and education projects.
To recruit these champions, Haughey and his security team talk to service desk managers to identify anyone who has shown an interest in information security, and then ask them directly to be a security champion. Currently, there are three people designated as service desk security champions, with two more in more technical roles. “A very general kind of agreement is that we would expect about a day a week of their time to be spent on information security work.” So far, Haughey says no one has refused to take on the role.
Once new champions are on board, the security team teaches them security basics they will need. “We run our own certification process,” says Haughey. “We have security champion level one, level two, level three, taking them through how to deal with different types of security incidents and how to do certain activities in an antivirus management console or single sign-on platform, identity management and other security duties.”
Haughey says he hasn’t had any pushback from the champions or their managers about overloading them with security work, but he has had to accept that in times of pressure certain champions may not be able to donate as much time to the company’s security efforts. “We're flexible. We're grateful for the help we can get,” he says.
Without the resources to stand up his own security operations center (SOC), Haughey sees the security champions project partly as an alternative to outsourcing security operations. “We have service desk engineers who work out of the States and our APAC offices, and that gives us pretty much 24/7 coverage. We could have gone down the road of outsourcing and having a 24-hour SOC from a third-party company, but I think the value of doing it internally is you're helping to spread the culture of security within the organisation.”
“[The security champions are] well-liked individuals who already have face-to-face interaction with people in the business and it gives you a more personal approach rather than just outsourcing something to a SOC who are at best on the end of the phone.”
The long-tail benefit of having a security champions program that involves actual security work as opposed to just promotional duties is that it can be a talent pipeline. Haughey has had two previous security champions move over from the service desk into the security team full time.
Creating and delivering security content
The champions scheme is part of Ascential’s wider security education and awareness efforts, which include content created internally and delivered via an eLearning platform as well as in-person sessions delivered in part by the local champions. “We do a global tour of all our offices with security awareness content that goes into more detail on what we see the biggest risks to be,” says Haughey. “Instead of my whole team going, we're sending one person to go to the States or Hong Kong, and work with the local security champion there to deliver the content.”
As well as the official champions, Haughey has what he calls the unnamed security champions: a broad network of people in the business who care about security and are willing to give up some of their time to help collaborate on awareness campaigns. Ascential’s video team, for example, is usually willing to help the security team create professional-quality security awareness videos, while the learning and development team helps with the education material.
“They help us to work with the eLearning platform and make sure that what we're creating is going to be effective,” says Haughey. “They have input on the content, review the content before we put it live, and help us out by being a test audience.”
Beyond engagement with the material, one measure of success is the resulting change in behaviour. Haughey says the company has seen a “huge improvement” in its phishing simulation results, and more employees now report phishing attempts to the security team.
Driving security culture across brands
As part of its transformation, Ascential has shed many parts of the company and acquired six companies since 2016, including three in 2018 alone. “The company was made up of around 250 brands,” explains Haughey. “Over the years we've divested the vast majority of all those brands to the point where we're down to 12 brands, including recent acquisitions, that are much more aligned with a common goal and a common vision.”
While the security team is involved early in the due diligence process, the human side of M&A security can require just as much work to resolve. “It's a big challenge. You have different brands, and they all have their own histories. Depending on who you're acquiring, that's going to have an impact on your average for culture across the business.”
After Ascential makes an acquisition, Haughey and his team try to engage the new part of the business as early as possible by visiting those offices and getting the new employees to engage with the security awareness and education content. This also provides the security team with more feedback on what content is or isn’t working.
“They've never seen the content before, they've never seen us before, and we get that feedback from people [who] are seeing it for the first time.”
Haughey says the Security Champions model is an effective approach that an organisation can take to handling information security in an efficient and intelligent way. “Our experience of the model has been resoundingly positive,” he says. “We have achieved a lot over the last few years with the support of both nominated and unnamed champions across the group. Of course, there’s always more to do! The approach has obvious and observable wins for security culture and can change the perception of information security in the eyes of people, who we would argue are our greatest defence.”