Across all sectors, nearly every organization today depends on secure information technology systems and computer networks for essential operations. As such, cyber threats like ransomware, hacking, and social engineering deserve as much attention as more traditional business risks.
But despite what many organizations still believe, even the most skilled team of cybersecurity professionals can’t effectively protect the rest of the workforce unless all employees—from top to bottom—embrace a culture that values cybersecurity and proactively defend business-critical information and systems against opportunistic cybercriminals.
What Is a Culture of Security?
A culture of security is part of the broader organizational culture, encompassing values and behaviors that contribute to the attitudes of employees toward security programs and policies.
An organization that has established a sound security program consisting of proven policies, effective operation controls, work rules, procedures, and tools that support them won’t be able to fully benefit from it unless employees have a positive attitude toward the program and consciously make decisions in alignment with it.
In other words, establishing a culture of security is essential for bringing cyber threats to the awareness of the entire workforce—not just a handful of security experts.
Start from the Top
All members of an organization have an effect on its culture, but top management influence subordinates with their authority, making their involvement essential for successfully developing a culture of security. When employees see their bosses take security seriously, they naturally follow they lead because their own success depends upon their approval.
While most executives understand the importance of security, with cybersecurity ranking as their main concern in a survey by The Conference Board, some don’t want the rules to apply to them, typically because they don’t understand their value or because they don’t want to be inconvenienced by them.
To achieve top management buy-in and support, C-level executives should regularly meet with the organization’s cybersecurity staff and discuss cybersecurity issues and their potential impact on the day-to-day operations of the business. Executives need to understand that cybersecurity issues are business issues that impact the whole organization—not just some siloed department within it.
They also need to understand that C-level executives are now twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in the past, as stated by the Verizon Data Breach Investigations Report 2019. Considering these facts, there’s simply no room for executives to not practice what they preach anymore because the consequences could be devastating.
Once top management is on board, it’s up to middle managers to lead by example and show employees how to behave in a way that aligns with the organization’s culture of security. Employees should never see their direct supervisors violating basic security policies and putting the organization’s sensitive data and systems at risk. When all management is fully committed, it becomes much easier to turn staff into security deputies.
Training Staff to Be Security Deputies
Cyber security training is a labor-intensive process, but it can effectively foster a culture of security within an organization. The Netwrix 2017 IT Risks Report revealed that 37% of IT leaders believe that insufficient staff training is a major obstacle in implementing a more efficient IT risk strategy.
There are many different ways to train staff to become security deputies, from PowerPoint presentations to life fire training exercises to role-playing games that simulate real cyber threats, and they should be used with the needs of a specific audience in mind.
For maximum effectiveness, various training activities should be organized into a comprehensive security awareness training program involving everything from IT best practices to the company’s security policy and even regulatory compliance.
Employees should be taught to spot common malware attacks and report possible security threats as soon as they encounter them. As part of the training program, mock cyber attack simulations can be used to reinforce good behavior and test which employees have already reached the desired level of security awareness and which still have some way to go.
Those who do a good job should be rewarded, but enforcing a culture of security through a system of punishments is usually not a good idea because it can create a hostile atmosphere. Instead of focusing on the mistakes of individuals, it’s better to improve the training program so that it encompasses different learning styles and leaves no employee behind.
There’s no denying that it takes a lot of hard work to develop and maintain a culture of security, but the effort is well worth it since the alternative essentially amounts to inviting potentially devastating cyber attacks. To spawn a resilient security culture across the entire organization, the commitment to cybersecurity culture should start from the top and continue down to the bottom of the organizational food chain.
If you are looking to implement a new strategy, we recommend you read our blog, featuring technology strategy examples from Napster and Netflix!