The well-known saying "Culture eats strategy for breakfast" is attributed to management guru Peter Drucker. And while there are hundreds of books and thousands of articles on building great work cultures, not nearly as much is written about creating a positive enterprise culture that emphasizes cybersecurity best practices in the workplace.
So how can we lead a digital transformation that is also people-focused and security-focused at the same time? There has been plenty of interest and several helpful recent articles on the topic of improving your security culture.
- Tech Beacon offers 6 ways to develop a security culture, starting with making sure that everyone knows their specific role(s) and believes that security is everyone's responsibility.
- CSO Magazine offers 4 more ideas on improving your security culture, and encourages positive messaging that does not blame employees for mistakes.
These examples and many others emphasize the importance of actively engaging employees to build a positive security culture by making security fun, providing security awareness training that is engaging and interactive, and continually teaching staff about security in brief, frequent and focused ways.
What Are Specific Steps You Can Take to Build an Effective Security Culture?
1. Ensure executive priority and support
Regardless of industry, staff will generally do what their leadership does and not just what they tell others to do. Sure, policies and procedures are important, but management must lead by example and staff are certainly watching. This means that management should be taking security awareness training, following best practices with securing data and openly encouraging others to do the same.
One example of leading by example comes from a governor in a large Midwestern state. Before a cabinet meeting with all of his department directors, he asked for a show of hands of those who had taken the new security awareness training. No hands went up. He responded by saying that he had taken the training himself, that he liked it and that he learned a lot. He told his team that he expected each of them and their direct reports to take the training, and that he would follow up the next month.
Although that announcement took only 30 seconds, the results were astounding and set the tone for the large state government enterprise: security was important and expectations were high.
2. Conduct an honest risk assessment to measure your security culture
“If you can’t measure it, you can’t improve it.” These famous words by Peter Drucker can be aptly applied to security culture -- in order to strengthen security culture, we must know the current state.
One challenge is knowing what items to measure, and what items are just symptomatic of deeper problems. Here are nine areas that you should consider assessing/measuring related to your security culture:
- How many security incidents related to employees occurred in the past year, and in what areas did they occur? Understand where your vulnerabilities are.
- What percentage of employees have taken security awareness training? What security awareness training topics were covered?
- What feedback do end users have regarding cybersecurity – on a range of topics including security awareness? Value and incorporate employee feedback as a way to improve your security culture.
- How many employees fall for simulated phishing attacks by opening messages, clicking on links, opening attachments or filling in sensitive information? Look at how the pattern changes over time; you want to see improvement.
- What is the organizational attitude toward employees who report security incidents? Are employees encouraged and rewarded for openness? A positive security culture will empower employees to participate and not fear retribution.
- Are security incidents being reported via appropriate channels (such as emails, phone calls or texts)?
- Are the necessary policies and procedures in place for employees to follow? If not, organize the missing policies and procedures and develop them in order of priority. Ensure that employees receive and understand the new procedures.
- Are policies and procedures being followed in day-to-day projects? Measure compliance with your policies.
- What questions are being addressed at brown bag lunches or other awareness events? Look for where there might be gaps in your communications and training.
3. Create a Cyber Plan on Where You Want to Be
Knowing where you are is important, but equally important is to know where you want to be. Does your organization have a technology and/or cybersecurity plan? Has that been articulated to the enterprise-wide staff? Are the priorities clear? Is the role each employee plays clearly conveyed? Here are a few tips to benchmark progress:
- Visit best in class organizations in your industry or other industries. How do their numbers compare with yours?
- Use a reputable service to benchmark a wide range of security metrics.
- View other cyber plans from partners, advocates and competitors. This is easier to do in the public sector than in the private sector.
- Work with consultants and private sector partners or others to determine if your business processes and procedures meet all relevant laws and industry best practices.
- Join industry groups and security organizations where you can exchange ideas and utilize existing templates and documentation.
4. Provide Clear Cyber Communication on Policies and Expectations
What is your organization's greatest weakness? In most global private- and public-sector organizations the answer is communication: how your security message is conveyed and how it is received. This is a broad topic covering many different aspects, and poor communication can be external (to clients and partners), internal (to staff), or both.
Questions often range from what is allowed to what is encouraged. Staff have different skill sets, and often different priorities and business goals, across offices and regions. So how can management and staff improve messaging around online security and overall cyber expectations?
Security communication delivery channels can range from newsletters to emails to tabletop exercises to emergency call lists for incidents. For large organizations, a smart approach is to invite partners to cybersummits and scheduled one-on-one lunches to talk.
Security roadshows are another effective way to deliver your security message. Here are three tips about using security roadshows to improve communication between the security office staff and business areas:
- Do Your Homework. Decide who should be involved, what topics and materials will be covered, when to put these meetings on busy calendars, where you will meet, and how you will run the meetings. You can also let the business areas select their executive participants, and some groups like small discussions while others invite dozens of business leaders. Also, if scheduling the time isn’t working, you likely have a larger business priority issue regarding cybersecurity.
- Adapt to the Audience. While a consistent, updated enterprise presentation offered every year in a roadshow can help build trust, it can be helpful to adjust messages to each audience. Flexibility is especially needed when meeting with new business leaders who need to learn organizational security concepts.
- Leverage Existing Governance Mechanisms. One chief information security officer in the public sector uses technology and security advisory boards to brief key business executive staff, while also keeping the governor's office and cabinet officials informed. He uses the same briefings for cabinet meetings, legislative committees and updates to other government entities that have an ongoing role. For low-hanging fruit, start small with key business areas.
5. Deliver Effective End User Security Awareness Training to All Employees
Ensure your security awareness training plan includes security staff, managers, system administrators and other specific roles.
One of the biggest criticisms that non-technical staff level at security leaders is that the technology and security staff do not practice what they preach. If security professionals are perceived to be hypocritical, or worse, exempt from the rules that everyone else must follow, this will severely hamper your security culture.
The answer is to strongly encourage technology and security staff to set a good example as "model employees" for others to emulate. This means that end user security awareness training is taken by everyone, security staff included. The training also needs to be fun and engaging to be effective.
In conclusion, building a healthy security culture is not a one-time project or one-year focus. Like building a great college football program at schools like Alabama or Clemson, this is an ongoing challenge that must be repeated as the organization changes.
A well-thought-out plan on improving security culture will reap organizational rewards, lower risk while improving business productivity, and result in positive change in employee behavior with higher participation and positive engagement.