How to Improve Cyber Security Culture: 5 Tips
An important yet often overlooked aspect of any organization’s cyber security strategy is culture — building and nurturing a working environment that promotes and encourages secure behaviors and empowers people to better protect themselves and others through knowledge, awareness, and positive behavior change.
In organizations with weak cyber security cultures, the security team will often be viewed in a negative light, with training and other interventions generally regarded as “a waste of time”.
Genuine learning that leads to positive behavior change is extremely difficult in this environment, and changing deep-seated attitudes and behaviors is no easy task.
It is therefore imperative for organizations to be vigilant about creating and maintaining a positive cyber security culture, and to be dynamic enough to adjust their approach as the cyber risk landscape continues to evolve.
With this in mind, here are five tips for improving cyber security culture:
- Conduct an honest culture assessment.
- Reframe the conversation.
- Make cyber security a top-down priority.
- Incentivize good behavior.
- Keep open lines of communication.
1. Conduct an honest culture assessment
Famed British physicist and mathematician Lord Kelvin was the first to coin the phrase ‘if you can’t measure it, you can’t improve it’ and that is as true with cyber security culture as with anything else.
It’s important to perform an honest, objective assessment of your culture across several clearly defined vectors that can be measured regularly. These can include the results of awareness training or attack simulations, verified and/or reported security incidents, employee feedback and communications, and other relevant areas.
A proper assessment will provide insight into:
- Employee satisfaction.
- Organizational knowledge.
- Knowledge retention rates.
- Organizational vulnerabilities.
- Cultural strengths and weaknesses.
In order to improve cyber security culture, we must know its current state.
2. Reframe the conversation
Too often, cybersecurity training is viewed as a burden, and the security team as an annoyance that must be dealt with only when something bad has happened.
This sort of attitude is detrimental to organizational culture and stems from a fundamental misunderstanding of the importance and personal nature of the subject at hand.
Cybersecurity is critical in professional settings, but it’s also a profoundly personal thing, and people should be made to understand, in practical terms, how expanding their knowledge and improving their behaviors can have direct, positive effects on their personal lives. Insecure behaviors resulting from a lack of knowledge can lead to some nightmarish situations.
We must seek to frame cybersecurity conscientiousness as something that is vital to one’s personal wellbeing, as opposed to a tick-box training exercise or a work-related priority.
3. Make cyber security a top-down priority
Security professionals have long grumbled about the lack of support and buy-in from company executives, and though things are changing in today’s increasingly cyber-conscious world, it remains true that for many organizations the messaging around cyber security is not coming from the C-suite.
Since those in leadership are generally the tone-setters, it stands to reason that an indifferent attitude or a “do as I say, not as I do” posture from management has detrimental effects on organizational culture.
It’s critical that proper messaging, encouragement, and support as it relates to cyber security starts at the top, and that observing security protocols is viewed as a company-wide priority.
4. Incentivize good behavior
Security training should not be feared.
Fear of reprisal should not drive one’s desire to avoid clicking on a phishing email. And yet, that’s exactly what many organizations offer their employees: all stick, no carrot.
It’s time to recognize that this is a dead-end path that is both ineffective and culturally unhealthy, and if we are to reframe the conversation around cybersecurity training and behavior, we must make security and security training something that people want to actively engage with.
One of the most effective ways of doing this is by rewarding good security behaviors, like reporting a phishing attempt, completing training on-time, or doing voluntary activities.
What you can offer as a reward will likely vary depending on your organization and circumstances, but reframing security participation and achievement as something to be celebrated rather than feared or avoided is a goal worth pursuing.
5. Keep open lines of communication
It’s simply impossible to have a healthy cybersecurity culture without open lines of communication and an organizational structure that values employee feedback.
People should feel free to voice their comments or concerns, anonymously if they so choose, and the organization must give them an avenue to do so.
The lines of communication aren’t just one-way, however, and too often the only time an employee will hear from the security team is when he or she has made a mistake. To create an open, collaborative culture, it’s important for the security team to proactively engage with colleagues and seek their input.
Cybersecurity is the ultimate team sport, and it’s imperative that everyone feels part of the team.