EXECUTIVE SUMMARY:
A security aware culture is essential to both stronger cyber security and better business outcomes. As security awareness increases, the likelihood that an employee falls for a phishing lure or mishandles data declines, and with it the probability of a breach and the business fallout that follows.
But security aware cultures don't create themselves; they don't happen organically. Cyber security leaders need to build the culture deliberately, through planned and measured initiatives.
Advance your cyber security and keep your organization as secure as possible. Use the following insights to establish (or refine) your security aware culture.
Cultivating a security aware culture
1. Know your company. Aim to anchor a cyber security culture within the existing company culture. Ensure that corporate values serve as cornerstones of your security culture. Create tailored programs that engage employees and that lead the C-suite to perceive you as attuned to your unique workplace.
2. Start with a cultural assessment. In building a security aware culture, start by examining the congruence (or lack thereof) between the corporate culture and everyday behaviour around cyber security. In most organizations there is a disconnect between the two: stated values and actual habits diverge.
A cultural assessment will clarify the gaps between corporate cultural norms and security best practices. An assessment should include one-on-one interviews with people across all levels and functions of the organization, a review of existing security practices and policies, and group discussions.
3. Communicate effectively. Once you’ve determined where gaps exist between the corporate culture and the (ideal) security culture, develop means of gradually promoting employee habit change. From a video series, to phishing exercises, to workshops, cyber security leaders have numerous avenues available through which to communicate new messages and to (re)shape workplace practices.
4. Consider regulations. In building a security aware culture and designing new programming, consider which regulatory requirements the company must adhere to. Best practices that are communicated to employees should broadly align with and support regulatory requirements.
5. Strengthen rapport with stakeholders. Ensure that you introduce yourself to all appropriate individuals – either via email or in-person. Ask questions about existing projects and priorities, ensuring that you’re genuinely listening to their concerns. For new cyber security initiatives, get buy-in, as this helps show a united front across the company and can benefit campaigns.
6. Team up with the communications or marketing team. To build a security culture while remaining mindful of employees’ time and attention, collaborate with your internal communications or marketing team on messaging.
They will have a sense of how to create a regular messaging cadence without overwhelming employees. They can also potentially assist with launching surveys, analyzing metrics for you and ensuring messaging alignment with the organization’s brand.
7. Avoid imposing on employees. The security team should be seen as a helpful and supportive group, not as one that pesters, micromanages or intrudes on people's work in the name of security practices. (No one wants to be ambushed by a cyber security analyst over the fact that they have reused the same password three times.) Instead, in building a security aware culture, draw people in with welcoming and approachable tactics.
8. Leverage new hire orientations. See if your team can get some face time (for example, a 20-minute workshop) during new hire training. This lets you make a positive impression on new employees at the very beginning of their tenure. Importantly, make sure your PowerPoint presentation isn't a snooze.
Explain how the cyber security team serves the organization. Talk about why employees are really the front-line of cyber defense. Provide a preview of what employees should expect in the way of cyber security-related communication and further education.
9. Empower through recognition. Acknowledge and reward employees who take cyber security seriously: those who report suspicious emails, use unique passwords and a password manager, and so on. Reinforcing positive behaviours generally improves outcomes and strengthens cyber security measures overall.
10. Measure effectiveness. When you set up security aware culture initiatives, make sure there is a way to measure their impact: for example, click and report rates on phishing exercises, how quickly phishing is reported, training completion, and survey results before and after a campaign. Be able to demonstrate a return on investment.
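As an added illustration of item 10 (this is example code written for this article, not a tool from CyberTalk.org), the script below aggregates results from phishing exercises into the metrics a culture programme should track. The simulation results are constructed sample data; the campaign names, departments and column layout are assumptions. The point it makes is that click rate alone understates progress: in the sample, click rate falls between campaigns, but the larger change is that more people report the lure, and faster.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not real campaign results): one row per recipient
# per simulated phishing campaign. Columns are assumed for this example:
# campaign, department, clicked, reported, minutes until report (None if none).
RESULTS = [
    ("2024-Q1", "finance", True,  False, None),
    ("2024-Q1", "finance", True,  True,  95),
    ("2024-Q1", "finance", False, False, None),
    ("2024-Q1", "finance", False, True,  40),
    ("2024-Q1", "eng",     True,  False, None),
    ("2024-Q1", "eng",     False, False, None),
    ("2024-Q1", "eng",     False, True,  12),
    ("2024-Q1", "eng",     False, True,  30),
    ("2024-Q2", "finance", False, False, None),
    ("2024-Q2", "finance", False, False, None),
    ("2024-Q2", "finance", True,  True,  20),
    ("2024-Q2", "finance", False, True,  15),
    ("2024-Q2", "eng",     False, True,  5),
    ("2024-Q2", "eng",     False, True,  8),
    ("2024-Q2", "eng",     False, False, None),
    ("2024-Q2", "eng",     True,  True,  25),
]

FIELDS = ("campaign", "department", "clicked", "reported", "minutes")


def summarize(results, group_by=("campaign",)):
    """Return click rate, report rate and median minutes-to-report per group.

    group_by selects which columns form the key, e.g. ("campaign",) for a
    trend over time or ("campaign", "department") to find teams that need
    extra attention. A user who clicked and then reported counts in both.
    """
    buckets = defaultdict(list)
    for row in results:
        rec = dict(zip(FIELDS, row))
        buckets[tuple(rec[g] for g in group_by)].append(rec)

    summary = {}
    for key, rows in sorted(buckets.items()):
        n = len(rows)
        clicks = sum(r["clicked"] for r in rows)
        reports = sum(r["reported"] for r in rows)
        times = [r["minutes"] for r in rows if r["reported"]]
        summary[key] = {
            "recipients": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(reports / n, 3),
            "median_minutes_to_report": median(times) if times else None,
        }
    return summary


def trend(summary_by_campaign):
    """Change in click and report rate from the earliest to the latest campaign."""
    keys = sorted(summary_by_campaign)
    first, last = summary_by_campaign[keys[0]], summary_by_campaign[keys[-1]]
    return {m: round(last[m] - first[m], 3) for m in ("click_rate", "report_rate")}


if __name__ == "__main__":
    by_campaign = summarize(RESULTS)
    for key, stats in by_campaign.items():
        print(key[0], stats)
    print("change first -> last:", trend(by_campaign))
    for key, stats in summarize(RESULTS, ("campaign", "department")).items():
        print(key, stats)
```

Report rate and time-to-report are the metrics that show whether people are becoming active participants in defence rather than merely more cautious, which is what a culture programme is trying to change; a falling click rate with a flat report rate usually means the lures got easier, not that the culture improved.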
Further thoughts
In addition to elevating your security, a security aware culture can be presented as a competitive advantage. Touting a strong security strategy that includes a culture of security awareness can help position an organization as an industry leader.
It can also have a ripple effect across other organizations, prompting them to establish security awareness programs of their own. This ultimately strengthens your entire industry's ecosystem.
For more high-impact articles like this, please see CyberTalk.org’s past coverage. Lastly, subscribe to the CyberTalk.org newsletter for timely insights, cutting-edge analyses and more, delivered straight to your inbox each week.