Chief information security officers everywhere work to instill a culture of security awareness in order to improve their organization’s security posture. Being able to define and measure the impact of their initiatives is vital to determining the success of that cultural change.
But sometimes standard metrics don’t tell the full story. Sure, you can produce charts showing clicks on phishing emails, but how do you measure the unquantifiable, such as your employees’ perception of and care for your company’s security?
With the right determination and plan, subjective metrics like cultural change become easier to both measure and improve.
Here are four steps to do just that and drive true culture change around cybersecurity:
1. Conduct research to create a baseline.
Before you can start improving the behavior of your employees, you need a clear understanding of what your team is and isn’t doing well surrounding your security posture. How can you establish this baseline?
Meet with company leadership and department managers to note any security risks they’ve noticed. Ask for their current perception of your cybersecurity posture and any particular areas they want to see improvement in. Members of your leadership team who are not technical or security-focused may need some prompting to identify what these threats may be—from physical security issues to unintentional insider threats to exposure to outside attacks. Lead them through this conversation.
Research the most common issues your IT department resolves. The types and frequency of support issues can help determine the focus of your organization’s short-term security goals. For example, if many of your help desk tickets are associated with account lockouts or forgotten passwords, implementing a password management tool may be a short-term solution that helps employees and potentially closes security gaps.
Send surveys encouraging employees to share anonymous, honest feedback about where they feel your company’s security infrastructure is lacking or where their knowledge of particular security topics could be improved. Give users an open invitation to ask their most burning security questions and get straight answers once and for all.
This upfront research will identify your organization's cybersecurity strengths while also highlighting areas that need improvement. Your findings should guide goal setting for short- and long-term improvement strategies.
2. Create a program plan.
Once you have a clear picture of your current security baseline, you can develop a specific, timely action plan for creating a more cybersecurity-conscious culture.
For example, you’ve discovered account credentials that can be easily compromised, so you’ve set a goal to roll out multifactor authentication (MFA). It's unlikely that you can flip a switch and turn on a new process overnight. Instead, you must work out the logistics of how you will introduce the new security policy. That might mean:
Choosing a team or department for an initial implementation.
Explaining to that team why the change is necessary, what requirements will be placed on them, what the benefits to them will be, and what challenges they may run into.
Establishing goals and metrics for measuring success, such as having a certain percentage of the team fully activated with MFA by a certain time period.
Debriefing on this implementation before rolling it out to the rest of the organization.
Successful change management can look different at every organization, but consider these practices as you get started:
Deliver the right message to the right audience
When introducing a new initiative, how you communicate with each department to get them on board for security improvement is crucial. Empower department leaders to craft the “what’s in it for me?” message for their teams. Make sure to ask for feedback from department leaders on the wins accomplished through these changes; this communication is just as important as the change itself.
Be very clear on the exact behavior(s) that need to be changed. Let’s think back to the multifactor authentication example: if you want a department to be using MFA by the end of the month, a short document or video that explains the current authentication practices, the new expectation, and the steps team members will need to take to set up their account and verify their identity moving forward will be critical. This type of “how-to” content paired with the department leader’s strong message of why it matters to their team can go a long way.
Make it fun!
Part of the reason it's so hard to make lasting behavioral changes to improve security is the traditional “dumb employee” trope surrounding cybersecurity efforts. Historically, employees have been made to feel powerless and stupid for not recognizing cyber threats, and they have been driven to change their actions through fear tactics. This heightened stress may work in the short term, but it rarely encourages employees to make sustainable changes. Instead, it can lead to resentment toward, and disinterest in, your security program at large!
3. Establish and track progress toward new key performance indicators.
Just as important as receiving company buy-in for your program is being able to show the results of everyone’s hard work. It’s vital to be able to track the organization’s progress—not only to demonstrate improvement but to make data-driven decisions regarding any potential changes or additions to the program.
It's crucial that you establish a scorecard or dashboard to be able to track your program’s impact. Successful cybersecurity awareness training requires clear, trackable metrics for measurable reporting; make sure to include the number and types of rewards given for team members who practice and encourage secure behaviors. Develop ways to assign values to soft metrics like “perceived safety,” which will help the leadership team understand how individual behaviors tie into the big picture.
As security incidents occur, use them as examples for on-the-spot learning opportunities. Remember that your team is human: 100% compliance with zero mistakes is unlikely. The most important thing is to create a culture where employees feel comfortable reporting security incidents. This is far easier to achieve by never pushing fear of repercussions and, instead, empowering them to take action when they see a problem and thanking them for doing their part to better protect your organization.
Review the scorecard results regularly and communicate them to your organization in periodic reviews to get others involved in championing security alongside you. In order to create a positive culture around cybersecurity, you must be candid about what your team is excelling at and where they need to grow. This transparency helps to instill personal responsibility.
4. Review results regularly and make continuous improvements.
As you continue to track security behaviors and change your internal culture around cybersecurity, you'll start to see an increasing number of opportunities to educate and empower your team.
This is your opportunity to use the data you've been collecting and apply it to boost your program’s success. Build in routine security awareness training sessions, cultural perspective workshops, and other team-building exercises designed to transform your security posture. With consistency, time, and dedication, you will start to see the results speak for themselves.
It All Starts With Human Risk Management
The only way to effectively inspire long-lasting behavioral changes about cybersecurity within your company’s culture is to remind your employees they are your greatest strength, not your greatest weakness.
That starts with managing your security risk at a human level and empowering employees to recognize their impact on your security.