How To Get Security Culture To Take Off In Your Organization
Updated: Jan 17
What does security culture look like within an organization?
To truly understand how to develop a security culture within your organization, we must first agree that security belongs to everyone. This means that every employee, department leader, and board member is responsible (not just Roby, the IT manager, or Joe, the CISO). Even the least "tech-savvy" members of your team will need to be engaged for this culture shift to hold firm.
Here are some examples of what security culture can look like (even without an official security office or department):
Company #1: The CEO begins each employee and board meeting with current security tips.
Company #2: The HR and marketing departments collaborate to create email campaigns to change employee behaviour through increased security awareness.
Company #3: Employees take initiative to construct monthly competitions to test their security knowledge and skills.
Company #4: The IT department recommends that everyone begin using a password manager (and company policies get updated 👀)
What is security culture?
What do security culture and workplace culture have in common? In the ideal world, they are a part of the same whole and fuel one another.
Workplace culture consists of a shared set of attitudes, values, and behaviours that make up the environment within an organization.
Security culture can be thought of as the set of security philosophies, values, and secure behaviours upheld by everyone within the workplace environment.
Easy tips for establishing a security culture within your organization
To successfully improve your security culture, you’ll need support from the top-level executives, and may have to explore creative ways to keep all of your employees engaged. In order to develop a strong security culture throughout your company, security must be woven into the fabric of your entire organization. This ensures that security is valued highly, is never viewed as an afterthought, and is not just used to check off compliance regulations (like GDPR and HIPAA). A durable security culture is continuous and supported at all levels of the organization.
Security culture is cultivated within your workplace when each person in your organization is equipped with a healthy mix of the necessary knowledge and takes ownership of following through with the most secure actions.
1. Assign your security culture "captains"
These roles can be assigned to anyone within your company and will be your security team members. The responsibility for security awareness is best when shared, so try to find leaders in departments beyond your technical teams. You may be delightfully surprised to discover that more of your employees will buy into security when the message comes from other departments within your company.
2. New ideas for making your security awareness training program fun and engaging
There are no rules to indicate that security awareness training has to be delivered once a year via a dull PowerPoint presentation. In fact, most employees appreciate when their training gets assigned throughout the year in the form of bite-sized lessons.
You can improve security awareness in your organization by trying some of the following suggestions:
Opt for quick and interesting video content instead of long, complex texts (most of your employees won't be inspired to read these).
Gamify your quizzes and assessments (think about what rewards or consequences will inspire your employees to stay engaged).
Leaderboards (physical or virtual) can inspire your employees to engage in conversations naturally focused on security awareness. There are many ways to segment your leaderboard. You may decide to track individuals or consider having the different departments compete against each other (for a more diverse option, you can group employees at random).
Host a quarterly event (like a trivia night) where employees can show off their security awareness and threat detection skills.
3. Try using phishing simulations to improve security culture
Phishing attack simulations provide a safe environment for everyone within an organization to test and improve their abilities in threat detection. By monitoring your campaign's progress, you can discover whether or not your employees understand security issues (and if they are putting their training into action). Once employees understand how easy it can be to fall for phishing attacks, follow up with positive security support. Some ideas to improve phishing awareness among employees include:
Use rewards based on individual employee or group/department results. (Also, consider any possible consequences after too many failed simulations.)
Have your culture captains host competitions. For example, your employees could compete with each other to create "the best phishing email template". Use your favourite in the next phishing campaign. You could make the competition even more interesting by using all of the template submissions in a "phishing or not" quiz.
Include phishing awareness progress reports in your company meetings.
How to start developing a security culture at your workplace
Do you remember what we agreed on at the beginning? Security belongs to everyone. While improving your organization's security culture is not impossible, building a culture of any kind takes time, effort, consistency and support. It is vital to acknowledge that there is no solution to take you from 0 to 100 in security culture overnight, and you cannot do it alone (at least not yet, but feel free to check back in a few years).
Here are the first things you'll need to do:
1. Assess your company's current security culture situation
Be honest with yourself. Think about your security awareness program, and the status of security culture within your organization. One step towards improvement is to first acknowledge your present situation. Once you understand where you currently are, you can begin creating an actionable plan towards achieving your security goals.
2. Strong security culture starts at the top with executive support
Developing sustainable security culture requires the support of business leaders. C-suite executives, board members, and department leaders should set the standards to be upheld by all employees. Strong values must be present throughout their decisions, procedures, systems, and actions at work. These values should also be in line with your company’s specific security policies.
3. Start educating your employees with security awareness training
Security awareness training is essential for building a security culture. Over 82% of data breaches and security incidents occur due to human error. The most common threats involve using social engineering and phishing emails to gain access to sensitive data. Your employees should all have access to regular security awareness training and your company’s specific security guidelines. Let's face it, your employees cannot be expected to contribute towards improving the security culture in your organization without the necessary cybersecurity knowledge and training.
4. Employee accountability improves security culture
Uphold the belief that information security is everyone's responsibility. Employee behaviour, cyber hygiene, and security culture improve day to day when employees are held accountable for their actions. What steps will you need to take if employees habitually underperform? Also, be sure to reward or recognise the employees within your organization who excel in awareness and phishing campaigns.
Security is everyone's responsibility -- culture takes the whole team.
Remember that building a security culture takes time and consistent effort. Keep in mind that for security culture to transform, you’ll need people to change and adopt positive security beliefs, attitudes, and actions. This can be a big task, so make sure that responsibility for security is shared. Make use of your “culture captains” to keep communication lines open and clear. This way you’ll be aware of, and able to address, any pain points that come up. Ensure that your employees all have access to your company’s specific security guidelines and regular security awareness training. A strong security culture only becomes possible if everyone has the necessary knowledge to understand the benefits, possible consequences, and importance of their secure actions while using the web.
Get in touch with CYBR for help with security awareness training, and improving the security culture at your company.
As always, stay secure!