"The Rise of the Security Champion: Beta-testing Newsroom Security Cultures." Tow Center for Digital Journalism, 2020.

A number of factors contribute to the development of information security cultures in the newsroom, including investment in information security specialists who liaise with journalists about their specific needs and provide both informal and formal security training. Or news organizations may hire individuals in traditional roles, such as part of the IT department, but who also have information security knowledge. Journalists also bring information security knowledge into the newsroom out of curiosity, and the belief that information security practices are important for them to get stories and do their jobs. These security champions—who become trainers by accident—work to support colleagues and convince them of the need to adopt more secure practices, through informal conversations, brown-bag lunches, and training sessions at the individual, desk, and newsroom level.

Despite these developments, information security cultures in many newsrooms are nascent for reasons including ongoing financial crises and labor precarity in journalism, both of which can limit the allocation of resources for information security. Moreover, journalists dislike taking security steps that might slow down their reporting in jobs that are already precarious, and awareness of the myriad security risks to journalists and news organizations is limited. All of these problems may be compounded by a lack of institutional buy-in and provision of resources to deal with these risks; often, silos between different parts of a news organization impede information sharing about security internally and externally to the newsroom; and institutional memory related to security may suffer when a trainer leaves. Newsrooms are organizations which, depending on size, financial state, ethos, and management structure, may suffer from both bureaucratic inertia and traditional power structures that limit change. But smaller organizations with less bureaucracy tend to have fewer resources to implement security related practices and policies. There appears to be more awareness of security practices in locations where news organizations are highly concentrated, such as the Acela corridor, rather than in more geographically distant locations elsewhere across the country.