7 lessons for building cyber security allies: a chat with SSAB’s Eric Andresen

We spoke to Eric Andresen, Senior Manager of Information Security at SSAB, about how he built an internal network of engaged business leaders who serve as "force multipliers" for cybersecurity

7 lessons for building cyber security allies: a chat with SSAB’s Eric Andresen

TryHackMe has always focused on building cybersecurity career growth, helping professionals develop skills and organizations manage capability at scale. As cybersecurity moves increasingly into the spotlight, teams outside security departments are getting more interested in supporting these efforts.

Champions programs are effective ways to create shared ownership over security, helping the wider business prevent, identify, and respond to threats. But they require the foundational knowledge business teams often lack.

We spoke to Eric Andresen, Director of Information Security at SSAB, about how he built their Allies program—an internal network of engaged business leaders who serve as "force multipliers" for cybersecurity. He shares what it means to build a shared language between security and the wider business, why it requires more than traditional awareness training, and what advice he'd give fellow leaders looking to get their colleagues more involved.

The results speak for themselves.

Turning awareness into allyship

Traditional security awareness programs focus on compliance: getting employees to complete annual training, recognize phishing emails, and follow basic security protocols. Eric's approach goes further.

"The SSAB Information and Cybersecurity Champions Program is a voluntary cross-functional network of engaged business leaders who serve as trusted liaisons between their team and the information security team," Eric explains. "Champions help translate security risks into business relevant context, promote secure behaviors, and provide early visibility into emerging issues."

The key word here is voluntary. By design, no one can be "voluntold" to join this program.

"We only allow individuals who have volunteered by design. They cannot be voluntold," Eric emphasizes. "Champions are not appointed, they're never compelled to join. They participate out of curiosity or interest. I always say that they have to be at least cyber curious."

This approach ensures that every member of the program is genuinely interested in cybersecurity, with motivation that no mandatory training program can replicate.

Bridging a communication gap

One of the most persistent challenges in cybersecurity is the communication gap between security teams and the rest of the business. Security professionals often struggle to translate technical risks into terms that resonate with business leaders, while business teams don’t always have the context on why certain security measures matter.

Eric's Allies program tackles this head-on.

"It's really difficult at times to communicate to individuals in the business if they haven't had any training in cybersecurity and they don't know, for example, about the CIA triad or the DAD triad. How would you use that to determine when an information security event turns into an information security incident?" Eric notes. "I've had to spend a lot of time in the company on education so that people can see the dots to even connect them."

The program creates a two-way channel for information flow. Security teams share vulnerability management updates, awareness training KPIs, and deeper education on cybersecurity topics. In return, Allies provide something invaluable: early warning signals.

"What they do provide to us is threat intelligence," Eric explains. "When something is happening in the company that we wouldn't normally have the ability to understand is happening, a lot of times people pick up the phone and just make sure that we're aware of it. Hey, have you heard about this? Do you know about this?"

Security as a business concern

The Allies program came out of Eric’s insistence that cybersecurity must extend beyond IT departments.

"I immediately thought it needed to be much broader than that. I don't think that just keeping it to an IT role or a technical role is good enough. I think that we need to have more representation on the business side because it's the impact to the business that people are really going to care about."

This philosophy extends to critical activities like business continuity and disaster recovery planning.

"In a lot of ways, business continuity planning should not end with IT, it’s important that the business also plays a role. It's more about just being resilient to an issue and surviving in the face of a threat that's active and then being able to continue to ship product in the face of it all. And that shouldn't come only from IT, we have to partner with the business."

By involving business leaders in cybersecurity discussions, for example including inviting them to ISAC (Information Sharing and Analysis Center) meetings, Eric is creating a culture where security considerations are woven into business decisions from the start.

What makes an ally?

So who joins these programs? According to Eric, it's not about technical background or specific roles.

"I don't think that anybody needs to understand anything. I think they have to have an inner curiosity about it. Can you tell me more about it? Is there any additional training that you could have for me? Those are the kinds of things that generally will lead to a discussion around the program."

The program currently includes about 12 people across SSAB's business units, often middle management but sometimes senior leadership. They receive monthly updates covering vulnerability management activities, awareness training KPIs, and deeper education on cybersecurity concept. Everything from risk frameworks to threat intelligence.

And importantly, they're tested on the material, ensuring engagement and retention.

The cyber literacy problem

Throughout our conversation, Eric returns repeatedly to a central theme: cybersecurity literacy is essential for effective collaboration.

"When I'm speaking to others within my department, I'll use certain language that would be beneficial to me if I could use it with people in the company. But you're also always playing that against the need to water it down or just explain it over and over again."

That’s why systematic education is so important. It builds a common vocabulary.

"If you can have the meetings to educate your individuals and lift them up so that they're more literate about what's happening in cybersecurity and how threats are changing, how risks are changing... just sort of having those conversations I think are very healthy for a company because it allows you to plan."

This investment in cybersecurity literacy pays off. When more people across the organization understand fundamental security concepts, every conversation becomes easier, every decision becomes more informed, and every risk assessment becomes more accurate.

Measuring success

Eric is candid about the challenges of measuring the program's effectiveness. Traditional metrics don't quite capture the value of improved communication, early threat detection, or cultural shifts toward security mindfulness.

But he sees the opportunity with greater insights into performance on courses, training, and certifications. And the qualitative feedback has been overwhelmingly positive:

"Nobody I've ever discussed the program with has ever had anything to say other than positive things, which is really good. It's been very well received and not only by them, but by the champions themselves. And that's what really matters."

Everyone plays a role

At its heart, Eric's Allies program embodies a simple but powerful philosophy that he's successfully instilled across SSAB:

"Everybody in the company plays a role in cyber and information security. And it almost surprises me how often others will bring that up. The message is getting out."

"It's about engagement—bringing engaging business users across the company so that they start to really think about how this is going to affect them and the people around them so that we can all be resilient together."

Key takeaways for security leaders

If you're considering building a similar program in your organization, here are the essential elements:

  1. Make it voluntary - Motivation beats compliance every time
  2. Go beyond IT - Include business leaders who can translate security into business impact
  3. Invest in education - Build a common vocabulary through regular, relevant training
  4. Create two-way channels - Share information with Allies and receive early warnings from them
  5. Frame everything in business terms - Put security in the context of revenue and business continuity so everyone understands the impact
  6. Start small and grow organically - Start with the most passionate people who can motivate others to join
  7. Seek the cyber curious - Look for people who ask questions and want to learn more

Want to support cyber security allies within your organization? We built the SEC0, our presecurity certification to cover core tech foundations from absolute scratch. It can help the wider business “speak cyber security” so champions can be a true force multiplier.