3 Steps for Creating a Strong Security Culture in the Workplace

Three steps to a stronger security culture.

November 21, 2022

Culture is at the heart of why so many security breaches occur. Cybercriminals opt for the easy way in – via phishing and social engineering. Perry Carpenter, noted book author and security officer for KnowBe4, explains how organizational culture and cybersecurity are entwined, and ways to improve both.

CIOs are prioritizing investments in cyber and information security above everything else. But the interesting part is that despite the surging investments in cybersecurity and the increasing maturity of security technologies, data breaches are still a daily occurrence. Cybercriminals are opting for an easier way in — compromising people instead of compromising systems. A lot of research supports this argument: for example, 75% of security professionals in a 2022 survey said phishing and social engineering are the top threats facing organizations, while another report stated that 95% of cybersecurity issues can be traced back to human-related causes.

Whether one accepts it or not, culture is an inescapable part of everyday life — it’s the sharing of experiences and information that happens when we work together. There’s also a responsibility attached to culture. Just because employees are aware does not mean they care. It’s like that speed limit sign we choose to ignore even though we notice it.


How Organizations Can Build a Positive Security Culture

Security plays a part in every organization’s culture. But whether an organization is mindful of that and makes intentional efforts to establish and nurture the culture it wants is something it must ask itself. If your organization is looking to build a strong culture of cybersecurity, here are three important steps to consider:

1. Evaluate your culture as it currently stands

If you don’t know where you are, then it’s difficult to know where you’re going. It is not advisable to try to influence your security culture without a thorough understanding of what it currently is (and what the social dynamics are). There are a number of things you can do to understand the current state of the security culture in your organization. These include:

    • Cultural surveys: Computer-based surveys that help analyze attitudes, beliefs and values regarding the current state of cybersecurity programs in the organization. Even though these don’t account for the tone or body language of employees, the benefits far outweigh the drawbacks.
    • Culture maturity indicators (CMIs): CMIs can include things like results from past security awareness training (frequency, average attendance, engagement metrics), outcomes from phishing simulation exercises (average phish success/failure rates, open/click/download rates), security behavior of employees (how employees behave, or how often they report suspicious emails) and historical data of organizational activities (how often policies are communicated, frequency of security contests, rewards, etc.). CMIs can also be gleaned by analyzing data from security, IT, and other organizational systems and processes.
    • Data from security systems: Gather behavior data from security systems you may already have access to, such as security information and event management (SIEM), data leak prevention (DLP), endpoint protection platforms (EPP), web proxies, user and entity behavior analytics (UEBA), etc. These provide quantitative data that can serve as a baseline for measuring improvements in culture over time.
    • Focus groups and face-to-face interviews: Face-to-face interviews allow for more qualitative input and provide an opportunity to drill deeper into employee sentiment. For these meetings to be most effective, they should ideally be led by third parties or facilitators who arrive without many preconceived biases.
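The phishing-simulation and reporting figures listed above only become a usable baseline once they are computed consistently campaign after campaign. The script below is an added example, not code from the article or from KnowBe4: it derives a small set of CMIs (open, click and report rates, the share of clickers who still reported, and median time-to-first-report) from a constructed in-memory dataset of hypothetical users and campaigns, and compares two campaigns to say whether the indicators moved in the right direction. A campaign with no delivered messages is handled as "no rate available" rather than dividing by zero.

```python
"""Culture maturity indicators (CMIs) from phishing-simulation results.

Added example, not part of the original article. The dataset, user names and
campaign names are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class SimResult:
    campaign: str
    user: str
    delivered: bool
    opened: bool
    clicked: bool
    reported: bool
    minutes_to_report: Optional[float]  # None when the user never reported


# Constructed sample data: one row per user per simulated campaign.
SAMPLE = [
    SimResult("Q1-2022", "alice", True, True, True, False, None),
    SimResult("Q1-2022", "bob", True, True, False, True, 12.0),
    SimResult("Q1-2022", "carol", True, False, False, False, None),
    SimResult("Q1-2022", "dave", True, True, True, True, 45.0),
    SimResult("Q1-2022", "erin", False, False, False, False, None),  # bounced
    SimResult("Q2-2022", "alice", True, True, False, True, 8.0),
    SimResult("Q2-2022", "bob", True, True, False, True, 5.0),
    SimResult("Q2-2022", "carol", True, True, True, False, None),
    SimResult("Q2-2022", "dave", True, False, False, True, 30.0),
    SimResult("Q2-2022", "erin", True, True, False, True, 15.0),
]


def campaign_cmis(results, campaign):
    """Return the indicators for one campaign, or None if nothing was delivered."""
    rows = [r for r in results if r.campaign == campaign and r.delivered]
    n = len(rows)
    if n == 0:
        return None  # no denominator: rates would be meaningless
    opened = sum(r.opened for r in rows)
    clicked = sum(r.clicked for r in rows)
    reported = sum(r.reported for r in rows)
    clicked_and_reported = sum(r.reported for r in rows if r.clicked)
    times = [r.minutes_to_report for r in rows
             if r.reported and r.minutes_to_report is not None]
    return {
        "delivered": n,
        "open_rate": round(opened / n, 3),
        "click_rate": round(clicked / n, 3),
        "report_rate": round(reported / n, 3),
        # Users who fell for the lure but still reported it: a "safe to fail"
        # culture shows up here before it shows up in the raw click rate.
        "click_then_report_rate": (round(clicked_and_reported / clicked, 3)
                                   if clicked else None),
        "median_minutes_to_report": median(times) if times else None,
    }


def trend(results, earlier, later):
    """Compare two campaigns; 'improved' means clicks did not rise and reports did not fall."""
    a, b = campaign_cmis(results, earlier), campaign_cmis(results, later)
    if a is None or b is None:
        return {}
    return {
        "click_rate_delta": round(b["click_rate"] - a["click_rate"], 3),
        "report_rate_delta": round(b["report_rate"] - a["report_rate"], 3),
        "improved": (b["click_rate"] <= a["click_rate"]
                     and b["report_rate"] >= a["report_rate"]),
    }


if __name__ == "__main__":
    for name in ("Q1-2022", "Q2-2022"):
        print(name, campaign_cmis(SAMPLE, name))
    print("trend", trend(SAMPLE, "Q1-2022", "Q2-2022"))
```

Tracking the report rate and the click-then-report share alongside the click rate matters: a falling click rate with a flat report rate can mean people simply stopped opening mail, not that they learned to recognize and escalate it.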

2. Create a network of culture carriers

Culture is owned by the entire organization but should ideally be endorsed, defined, and nurtured by the leadership team. While leaders play a significant role in influencing culture, program managers should never underestimate the value that “culture carriers” – passionate advocates who endorse and spread desired messages – can bring to the table. In social media parlance, these people are a force multiplier and can help your messages go viral.

Finding such culture carriers isn’t very hard. Use your experience to identify them or allow them to self-identify. For example, offer opportunities for people to apply to the program, ask managers and leaders to recommend or nominate individuals, ask employees and colleagues to nominate, or alternatively use surveys to identify “influencers” in the business. Look for people who are already in key positions, are respected by colleagues or are part of a certain “circle of influence.” In addition to spreading security messages, culture carriers also play an important role in reading the pulse of the organization and bringing forth stories, ideas, concerns, or issues that may surface but are invisible to the leadership team.

3. Develop engagement while keeping human nature and social factors in mind

To ensure that the desired culture resonates and is celebrated by employees, it’s important that organizations build engagement, rewards and rituals that help positively influence employee behavior. Internal factors such as anxiety and defensiveness can creep into cultural change programs, so it’s important that organizations create a safe haven where failing is okay. Moreover, it’s always a good idea to have an engagement strategy as well as a well-thought-out communication strategy. For example, creating workshops where employees can share and interact, celebrating security awareness months, and rewarding and recognizing responsible behavior are activities that increase engagement and actively contribute to culture change.

The remote working era has brought about a positive shift in the security attitudes of employees. If organizations make a concerted effort to acknowledge the state of their security culture, build a network of culture carriers who help improve employee attitudes and behaviors, and develop engagement programs that keep human nature and social factors in mind, they will ultimately instill a strong security culture that can be even more powerful than some of the best-in-class technological defenses out there.



Perry Carpenter

Chief Evangelist and Security Officer, KnowBe4

Perry Carpenter is the author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” (Wiley, 2022), his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4 (NASDAQ: KNBE), the world’s largest security awareness training and simulated phishing platform.