4 ways to build a thoughtful security culture

Sept. 16, 2021
Managing the human element of risk is critical to mitigating security incidents

A company’s security culture reflects the ideas, customs and social behaviors that influence its data security. Awareness of the critical importance of data security has been heightened during the pandemic with high-profile security breaches frequently in the news.

The costs of those breaches have also surged during the pandemic, according to analysis from IBM Security and Ponemon Institute, which indicates that healthcare, retail, hospitality, and the supply chain sectors were all hit hard over the past year. When massive and seemingly tech-savvy companies like LinkedIn also fall prey to data breaches, it’s hard to believe that any organization can be safe.

Particularly now, as many companies operate in a hybrid environment, threats to employee security are more likely, and business data and systems are more at risk.

What organizations can do, though, is focus on developing and maintaining a strong security culture to help manage human risk. Here are four ways to foster such a culture. 

1. Define it

An important aspect of defining a security culture is putting numbers to it. By measuring relevant indicators related to security awareness, behaviors and culture, organizations can adapt their policies and training programs appropriately, and adjust as needed. Today’s organizations operate in an environment that is increasingly fluid and volatile. Security awareness and education need to be equally fluid.

By understanding their current state, organizations can take steps to make improvements and close gaps where most needed. The elements of a security culture include:

  • Attitudes – employees’ feelings and beliefs about security protocol and issues.
  • Behaviors – employee behaviors and actions that directly or indirectly impact organizational security.
  • Cognition – employees’ understanding, knowledge and awareness of security issues and activities.
  • Communication – the quality of communication channels used to discuss security-related topics, made even more important in a hybrid work environment.
  • Compliance – employees’ level of knowledge of security policies and their adherence to those policies.
  • Norms – employees’ knowledge of and adherence to the “unwritten rules” of security conduct in the workplace and now, increasingly, in work-from-home environments.
  • Responsibilities – employees’ perceptions of their role in aiding or damaging the security of the organization.

Understanding areas of weakness and potential strength in your organization is an important first step in developing a strategy to support a strong culture. Importantly, these weaknesses and strengths are likely to vary by department, position and even work location. The more granular you can be in pinpointing areas of opportunity for improvement, the more protection you can provide for important IT systems.

2. Make it a process, not an event

Training shouldn’t be considered an event; it’s a process: an ongoing effort designed to maintain a consistent, ceaseless drumbeat so that employee understanding and values become ingrained and the behaviors become normalized and, where possible, automatic.

Organizations are often surprised to learn that many employees—despite ongoing efforts by IT leaders and others—feel that they are not adequately trained or informed of how their actions, or inactions, impact security.

This lack of information may relate to not understanding when to report incidents, how to adhere to security standards, or what physical actions to take to protect data and systems.

A proactive security awareness program and a continuous effort to improve culture over time, and on an ongoing basis, can help build awareness, understanding, and compliance. 

3. Make it mean something

“Change your password.” It’s an exhortation most employees are all too familiar with, but do they fully understand what it means? How, when, and why to change passwords remains an elusive concept for most. Much of this confusion has been driven by changing guidance and ‘best practices’ over time from IT departments. We are really good at telling them ‘what’ to do… but not nearly as good at giving them an adequate ‘why.’

As with any element of data security policy communication, what is often missing is a clear and understandable focus on the ‘why’ behind the exhortation. What is the risk? What does that risk mean for the employee? For the organization? For its partners and customers?

The misperceptions that many workers have around security issues are often the result of a failure to provide proper training: training that focuses on the ‘whys’ in meaningful ways.

4. Celebrate successes, share fails

What if IT leaders were more visible from a security standpoint? What if they were more proactive in celebrating successes, yet also sharing information about failures? A thoughtful security culture can benefit immensely from sharing both positive and negative news because both sides illustrate what works—and what doesn’t—when it comes to protecting critical business data and systems.

A clear definition of what a strong security culture would look like in your organization, including standard metrics and benchmarks to measure success, is the starting point for building a thoughtful culture. Sustaining it, though, requires additional steps: making security awareness a routine process, making it meaningful, and celebrating successes and sharing fails.

About the Author:

Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019) and the host of the 8th Layer Insights podcast on The CyberWire network. He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds an MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).