3 Steps to Create a Strong Security Culture

Culture is at the heart of why so many security breaches occur. Cybercriminals opt for the easy way in – via phishing and social engineering. Perry Carpenter, noted book author and security officer for KnowBe4, explains the entwinement between organizational culture and cybersecurity and ways to improve both.

November 12, 2024

CIOs are prioritizing investments in cyber and information security above everything else. But the interesting part is that despite the surging investments in cybersecurity and the increasing maturity of security technologies, data breaches are still a daily occurrence. Cybercriminals are opting for an easier way in: compromising people instead of compromising systems. A lot of research supports this argument: Avast’s Q1/2024 Threat Report found that 90% of threats blocked involved social engineering, while Verizon’s 2024 Data Breach Investigations Report found that 68% of all breaches involved a non-malicious human element.

Whether one accepts it or not, culture is an inescapable part of everyday life: it is the sharing of experiences and information that happens when we work together. There is also a responsibility attached to culture. Just because employees are aware does not mean they care. It’s like the speed limit sign we choose to ignore even though we notice it.

How Organizations Can Build a Positive Security Culture

Security plays a part in every organization’s culture. Whether an organization is mindful of that, and makes intentional efforts to establish and nurture the culture it wants, is a question it must ask itself. If your organization is looking to build a strong culture of cybersecurity, here are three important steps to consider:

1. Evaluate your security culture as it currently stands

If you don’t know where you are, then it’s difficult to know where you’re going. It is not advisable to influence your security culture without a thorough understanding of what it currently is (and what the social dynamics are). There are a number of things you can do to understand the current state of the culture in your organization. These include:

  • Cultural surveys: Computer-based surveys that help analyze attitudes, beliefs and values regarding the current state of cybersecurity programs in the organization. Even though these don’t account for the tone or body language of employees, the benefits far outweigh the drawbacks.
  • Culture maturity indicators (CMIs): CMIs can include things like results from past security awareness trainings (frequency, average attendance, engagement metrics), outcomes from phishing simulation exercises (average phish success/failure rates, open/click/download rates), security behavior of employees (how employees behave or report suspicious emails) and historical data of organizational activities (frequency with which policies are being communicated, frequency of security contests, rewards, etc.). CMIs can also be gleaned by analyzing data from security, IT, and other organizational systems and processes.
  • Data from security systems: Gathering behavior data from security systems that you may already have access to, such as security information and event management (SIEM), data leak prevention (DLP), endpoint protection platforms (EPP), web proxies, user and entity behavior analytics (UEBA), etc. — these can provide quantitative data that can serve as a baseline to study improvements in culture over time.
  • Focus groups and face-to-face interviews: Face-to-face interviews allow for more qualitative input and provide an opportunity to drill deeper into employee sentiment. To make these sessions more effective, have third parties or neutral facilitators lead them; this helps keep preconceived biases out of the discussion.

2. Create a network of culture carriers

Culture is owned by the entire organization but should ideally be endorsed, defined, and nurtured by the leadership team. While leaders play a significant role in building a security culture, program managers should never underestimate the value that “culture carriers”, passionate advocates who endorse and spread desired messages, can bring to the table. In social media parlance, these people are a force multiplier and can help your messages go viral.

Finding such culture carriers isn’t very hard. Use your experience to identify them or allow them to self-identify. For example, offer opportunities for people to apply to the program, ask employees to recommend or nominate individuals, or use surveys to identify “influencers”. Look for people who are already in key positions, are respected by colleagues, or are part of a certain “circle of influence.” In addition to spreading security messages, culture carriers also play an important role in reading the pulse of the organization and bringing forward stories, ideas, concerns, or issues that surface among employees but are invisible to the leadership team.

3. Keep human nature and social factors in mind

It’s important that organizations build engagement, rewards, and rituals that positively influence employee behavior and so build a security culture. Internal factors such as anxiety and defensiveness can creep in during times of change, so organizations should create a safe haven where failing is okay. Moreover, it is always a good idea to have both an engagement strategy and a well-thought-out communication strategy. For example, creating workshops where employees can share and interact, celebrating security awareness months, and rewarding and recognizing responsible behavior all help increase engagement and actively contribute to culture change.

The remote working era has brought about a positive shift in the security attitudes of employees. If organizations make a concerted effort to acknowledge the state of their security culture, build a network of culture carriers who help improve employee attitudes and behaviors, and develop engagement programs that keep human nature and social factors in mind, they will ultimately instill a strong security culture that can be even more powerful than some of the best-in-class technological defenses out there.

Perry Carpenter

Chief Human Risk Management Strategist, KnowBe4

Perry Carpenter is the author of the recently published "FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions" [2024, Wiley]. Carpenter is a multi-award-winning author, podcaster, and speaker who makes complicated topics accessible to a general audience. He is the Chief Human Risk Management Strategist for KnowBe4 [NASDAQ: KNBE], the world's largest security awareness training and simulated phishing platform.