Gartner predicts that by the end of 2023, organizations will spend roughly $188 billion on security tools and services. If that much is being spent, why aren’t cyberattacks and breaches slowing down? Many security incidents happen not for lack of advanced controls but because of foundational gaps in an organization’s security culture.
What is Security Culture?
A famous anthropologist once described culture as “the acquired knowledge people use to interpret experience and generate behavior.” Academics describe culture as “cultivated behavior,” accumulated through experience and social learning. In the context of cybersecurity, security culture can be defined as the attitudes, norms, beliefs, ideas, customs, and social behaviors among employees that shape the security posture of an organization.
The simplest way to think about culture is this: an employee sees some litter on the floor. There’s no one around (no cameras, no colleagues) to thank them for picking it up, but they still do it because they believe it’s the right thing to do. Similarly, a positive security culture is one in which employees follow security best practices (not clicking unexpected or suspicious links; reporting unusual emails to the security team) not simply because they know what is right or wrong, but because they value security and feel it is their duty to do the right thing.
Knowledge Does Not Equal Action
Most organizations assume that security knowledge leads to secure behavior. But delivering mandatory compliance and security awareness training to employees does not mean they will act securely. The reason is the knowledge-behavior gap: knowing something does not mean people will behave accordingly. For knowledge to turn into behavior, people also need “acceptance” and “intent.” Think of the speed limit sign we consciously choose to ignore. We know the sign’s there, we know it’s against the law to exceed it, we know that speeding kills, and yet we turn a blind eye.
Every Organization Has A Security Culture – They Just Don’t Know It Yet
Because most organizations do not actively manage and cultivate their security culture, they assume they don’t have one. The reality is that every organization, regardless of size, has a culture. The way leadership teams treat, value, and manage security shapes the organization’s security culture, whether or not anyone is paying attention to it. Unfortunately, most organizations do not track the security-related aspects of their culture early on, and by the time the culture becomes visible it may have drifted into something the organization has difficulty reversing.
How Can Organizations Architect A Culture Of Security?
Below are some recommended steps for architecting and strengthening a security culture:
- Understand Where Your Culture is Now: Establishing a baseline lets you measure progress and decide what actions to take next. To assess the cultural baseline, organizations can run culture surveys that measure attitudes, values, and beliefs among employees; track the frequency of security incidents; measure click-through rates in phishing simulations (and, just as telling, how many employees report the simulated phish, since reporting is the behavior a strong culture produces); and conduct face-to-face interviews.
- Formulate a Plan: Once you know where you are and where you want to go, draw up a formal plan with high-level goals and tactics. Include things like changes in communication style and frequency, changes to the security policy, changes in how security training is conducted, and changes to how often it is delivered. Avoid a casual approach: treat the plan with the same seriousness as a business plan.
- Secure Leadership Buy-In: Leaders don’t just approve budgets; they are also in a position of power and influence. It is therefore important that they endorse your plan and actively promote it within their own teams. Studies show that executive support is critical not only to boosting security culture but also to achieving cybersecurity resilience.
- Regularly Communicate And Train Your Workforce: Repetition is necessary for new behaviors to become a way of life. Regular training, reminders of desired behaviors, and updates on policies and procedures reinforce the importance of staying secure and vigilant. Running regular phishing simulation exercises helps employees build the muscle memory to identify and report suspicious messages; treat a click as a teaching moment rather than grounds for punishment, since shaming employees for clicking undermines the trust a reporting culture depends on.
- Review Results and Fine-tune Methods: Once the plan has been executed, run a follow-up survey and analyze the successes, failures, and shortcomings of your culture change program. If the program is working, you should see improved attitudes, improved security practices, and an overall reduction in security risk. Share the results with leadership and the broader organization so that everyone can appreciate the fruits of their efforts.
Architecting or sculpting culture of any kind is never easy. It takes time, effort, dedication, passion, and persistence, and it requires cooperation from employees across the board. If you’re planning to improve your security resilience and reduce the risk of human error, culture is your best bet.
Perry Carpenter is co-author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” [2022, Wiley], his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4, a provider of security awareness training and simulated phishing platforms used by more than 65,000 organizations around the globe.