Build and Maintain a Security Culture, Up, Across, and Down the Organization

Posted by Living Security Team
January 28, 2021


Groans can be heard office-wide every time IT rolls out its annual cybersecurity awareness training initiative. And it’s not just employees who dread it; often, executives and business leaders alike just want to check their compliance box and get it over with.

Of course, most companies loathe traditional cybersecurity training. No one likes taking tiresome security courses and being scolded for failing a phishing simulation.

Fortunately, there is a way to get your team excited about your security (it’s just not mandatory training and awareness modules!). 

This fresh approach involves an important cultural shift, enterprise-wide, from executives and tech leaders to end users and stakeholders, to create long-term behavioral changes. That’s right… behavioral changes. That’s because disinterest in your cybersecurity program is often not something a shiny new training module or managerial guilt-trip can fix.

Get full investment in your security by making a few impactful changes to your security culture:

Push Deep Understanding, Not Fear

Many organizations take a singular approach to their security initiatives. Their tactic of choice? Scaring leadership and employees into participating in cybersecurity training and vigilance. 

Security awareness project owners kick off training programs by inundating the team with frightening statistics about breaches. They share stories about the insane financial and reputational damage other enterprises have faced. They blame foolish managers and staff for downloading malware and not being smarter. 

Amidst all these fear-based scare tactics, it’s easy to lose sight of what really matters: giving the team the awareness and deep understanding they need to recognize and avoid emerging threats, and making them truly care about it.

“Awareness without understanding can create a culture of risk aversion and panic,” Forrester’s How To Manage The Human Risk In Cybersecurity report explains. This fear can incite anxiety and frustration. Employees become either ultra-focused on avoiding reprimand, or bitter and apathetic about what they perceive as an exaggeration of the threat landscape, The Wall Street Journal reported.

While your team may be taking your security awareness courses out of sheer obligation, they might not truly understand what their risks are, or actually care to. They are motivated instead by “get this over with” metrics, like completing a course to get IT or management off their back!

Instead of punishing or shaming your team for failing phishing simulations or similar exercises within your training module, use analytics to see where they’re falling short and uncover why. Then, provide the tools and resources they need to improve while rewarding them for their progress in learning. Remember to celebrate the small achievements and present your team as your strongest asset, not your biggest weakness.

Focus on Individuals’ Concerns (& Your Business’s Priorities Will Follow)

Many businesses push their own agenda when rolling out a new security initiative. The C-suite squawks about compliance requirements and the penalties they could face for violating them. Security project owners focus on crossing off a line item by rolling out a training module. Somewhere along the way, the top of the ladder forgets that others in the organization don’t have the same pain points or concerns as they do.

If you really want to inspire your individual team members to care about security, remember that they are individuals and, most importantly, that they’re human. In one instance from Forrester’s report, a security leader stood on a power lift in his workspace and asked employees what security issues they cared about. Unsurprisingly, these employees weren’t focused on security awareness for the company, but rather on personal topics such as their kids’ online behavior.

Frankly, it’s harder to get your team to care about your brand’s security concerns and much easier to get them interested in their own security well-being. The good news is, you can do this in a way that’s still in your enterprise’s best interest, all while helping them to increase their personal security too.

Provide your team with tips that are as relevant to their home life as to their office life, and remember to “rebrand security as a business enabler instead of a business nuisance,” Forrester reminds us, “so that employees are more receptive to security policies and can protect their business, themselves, and their families.”

Engage Both their Hearts and their Minds

While there’s no doubt that security training tactics like PowerPoint presentations, security awareness training courses and phishing simulation exercises have their place, it’s important to think outside of the box.

In order to interest your team, you’ll need to stretch beyond the conventional curriculum and get them truly excited about learning. One method for doing so has been growing in popularity: experiential learning. It’s all about creating an experience of learning by doing, or “showing (and participating) rather than telling.” During these actionable activities, your trainees are creating connections! “Without creating a connection, no amount of training will change their behavior for the long term,” Forrester concludes.

With today’s heavy security fatigue and your team’s limited attention spans and busy workdays, it’s more important than ever to activate creativity and stimulate them behind that computer chair and beyond.

Know Your Success Metrics

After you get your team to see the importance of digital security, it’s all about choosing the right training program and tactics to empower them. You need a program provider who not only makes the content itself interesting and easy to understand, but also offers software that helps put numbers to your investment.

Too many enterprises conduct cybersecurity awareness training out of obligation, caring little about the actual results (other than if the teams pass their training, of course). But by measuring your teams’ individual progress, you can appropriately reward your employees for their effort and make improvements to your security program. 

Whether it’s celebrating each department’s training “passing” with a little office party or paying out a small bonus for an enterprise social engineering testing campaign that hits an X% reduction in fake phishing fails, clearly identify and push meaningful metrics to measure your initiative’s success. Without them, how will you know if your training is working? The truth is, you won’t.

Start with Human Risk Management

It’s clear that enterprises with strong security cultures educate, enable and excite their team in a way unlike your everyday boring training program. 

It’s no secret how. They do this by pushing both personal and business cybersafety and championing their team as digital heroes, never villainizing their greatest assets. Curious to learn more about managing human risk in cybersecurity? Download Forrester’s 2021 report.
