Changing Hearts and Minds: The Role of Cybersecurity Champion Programs in Cybersecurity Culture

Humans have often been written off as the weakest link in the cybersecurity industry. This paper looks at the human factor from a different perspective, seeking ways to leverage the human element to improve cybersecurity. The human element and its importance in cybersecurity defense and security incidents have been widely studied. The relationship between organizational cybersecurity culture and cybersecurity posture has also been examined in the literature. What is lacking is the examination of how an organization could improve its cybersecurity culture. Accordingly, we explore the possibility of cybersecurity champions to impact organizational cybersecurity culture, thereby improving the organization's cybersecurity posture. The option of leveraging cybersecurity champions to impact culture is proposed, and existing theoretical bases of Champion Theory and Promotor Theory in innovation management are explored to support the implementation of cybersecurity champions. These theories are then applied to existing cybersecurity culture research. Innovation champions exhibit transformational leadership characteristics to inspire innovation; four types of promotors (expert promotors, power promotors, process promotors and relationship promotors) use their various sources of power to remove barriers to innovation. Eight hypotheses are developed about the possible effect of the presence of cybersecurity innovation champions and cybersecurity promotors on four factors which have been found to have significant impact on information security culture in previous research (Tejay & Mohammed, 2022): group cohesiveness or alignment, professional codes (codes of ethics or conduct), informal work practices, and cybersecurity awareness.