By Leslie Jones, CHRO and Mark Lucas, Chief Information Security Officer
People are every organization’s greatest asset. But it is also true that an
endless stream of cyber security statistics and cyber incidents consistently
shows that human nature remains one of the weakest links in the organizational
security chain.
Despite the heavy investments made in security solutions and
policies, human behavior is fairly predictable and prone to mistakes; those
with malicious intent may leverage these very attributes to gain access to
sensitive company assets. It’s easier for someone to reuse the same password, for example, and ignore the security risks in doing so than to remember a variety of
passwords or change passwords regularly. It’s these behavior patterns that make
human assets seem more like an Achilles heel when it comes to security. And
because employees are valued contributors that drive organizations to success,
it is up to employers to help solve this dilemma. The solution, then, is to embed
security awareness into the employee base from the top down, so that it becomes
a living part of organizational culture.
“Security culture” can’t be achieved through annual
web-based security training alone; it involves a much more pervasive,
motivational, leadership-driven and peer-supported program. Such a well-rounded
program can help employees feel they have “skin in the game,” rather than just
being sideline observers. Statistics differ on the success rates of information
security awareness programs, but we believe it isn’t about whether such
programs are conducted, but rather, how they are conducted.
So how do you build a successful security culture? Most
companies on the cyber-security-maturity model continuum have a defined set of
security policies for employees to follow—this is a fundamental component of
any program. Here are some additional steps toward creating a robust internal
security program, one that ensures employees understand and own their role as
active and willing participants in protecting the organization:
Awareness.
Training is essential, and how you conduct that training can determine its
effectiveness. Make employees aware of the ‘whys’ behind each policy, discuss the
impacts to the organization when policies aren’t followed (using specific cyber
incident examples), and emphasize how they can make a real difference for the
organization. Most employees don’t respond well to scare tactics for
failure to comply, but they do respond to positive incentives and motivational
messages. Make the training fun, use humor, and demonstrate that leaders can
be victims, too; this all plays a role in engaging employees.
Incentives and recognition.
Some companies have effectively used quarterly recognition programs and
financial incentives for employees who report suspicious emails, adhere to
policy and champion security awareness. Make security awareness an
ongoing celebration. Security should be loud and clear, so employees can hear about
it on a regular basis. This keeps the subject top-of-mind so employees can see their stake in the game.
Continuous awareness.
Some companies, such as Coalfire, create
ongoing security awareness communication campaigns to keep security front and
center. These can include materials such as security handbooks, wallet cards,
creative posters for office facilities, and creative email campaigns with tips.
Making use of emerging cyber incidents.
Cyber incidents can be debilitating, but when they
occur and put the organization on the front page, they create great opportunities to have the CISO
educate managers and employees on why they occurred; what, if anything, they need to do to
protect themselves and the organization; and how everyone can play a role in better using security best practices.
Run tests, report on results.
Run tests to see how well employees are understanding the
fundamentals of cybersecurity, such as phishing tests, which indicate if employees have indeed
learned not to open suspicious emails. Results can be published by a designated department
or group. These sorts of tests typically provide great insights, which can be
fed back to the organization for longer term results.
In the business of human resources, we know and understand
that culture is an organic phenomenon. It arises out of the combined dynamics
of the group. And yet, we can and do work to influence culture, leveraging
it to create a more effective and positive place to realize our organizational goals. In a
world where cyber incidents dominate headlines and create financial, legal,
brand and individual damage, investing the time and effort to infuse security culture into your organization is now a growing imperative for organizations of
every size, in every industry.
This blog post shares valuable information about cyber security. I found the best information about IT cyber security training. Thanks.
Great post about "Security Culture" and really helpful. What is an endpoint definition from Comodo? Endpoint protection tries to secure all devices connected on the corporate network.