Making Employees Champions for Cybersecurity Culture
As CISO, I view our employees as our strongest link and our best advocates for cultivating a strong security culture at MongoDB. Security teams can often be perceived negatively internally and with the shift to remote and hybrid working over the last year-plus, we’ve made a very conscious effort to engage and educate our employees. While you can have all the tools in the world, at the end of the day, people are the key to a robust and ever expanding cybersecurity program. This is not a new message, but it takes on a very different form now that, in some cases, every employee is working from a different kitchen table or home office, with varying set ups and network accessibility. The perimeter no longer exists and there is no such thing as a one-way path for network traffic. All your entry points can also just as easily become attack vectors. So everyone needs to be involved and accountable. However, this is not about IT expertise, rather it is about tact and empathy. Employees tend to be viewed as a risk when it comes to cybersecurity. This message, however, can lead to a culture of mistrust, which often results in employees worrying about the consequences of reporting anything. They feel embarrassed about clicking on that link in the email from the sender they didn’t recognize, so instead of reporting the incident, they just ignore it, leading to much bigger issues. Instead of a risk, at MongoDB, we make employees our security champions. The MongoDB Security Champions Program is a team of over 90 employees who have volunteered to help in our cybersecurity efforts. They are from departments all over the company, such as HR, communications, and product development, and they become ambassadors within their team for cybersecurity, adding to the strength of our security team. A comprehensive security plan cannot be limited to rules defined by IT, but must include commitment, ideas and understanding from all over the organization. This helps to avoid "information silos" and enables us to tailor information towards day-to-day scenarios that apply to specific functions. The security champions also feed back to the IT team, contributing knowledge and experience to the overall security strategy that only they can provide. A data protection officer understands GDPR compliance, a technician knows all about encryption or identity management, but only the customer consultant knows what issues can arise when external customer representatives need to access data on company servers. This has successfully addressed the issue of trust. Teams now have a security contact who is a trusted member of their team. Someone who clicked the "bad link" is much more likely to confide in a colleague and in this way the champions act as a link between their own team and the team that defines IT security governance in the company. The champions themselves also report beneficial effects. We have often heard companies complain about a lack of talent in cybersecurity. Training people in your existing workforce is a potential solution to this. Security champion members identify with their own specialist department as much as they do with their security work. They can play a crucial role in shaping the future, develop new skills, have more self-confidence and increase their commitment. Six months after MongoDB implemented the Security Champions Program we saw an increase in reported security events, making it easier to detect and respond to incidents. The topic of cybersecurity, which had previously been a nuisance for many, now even contributes to team building – a welcome side effect of a positive and inclusive security culture.