How to Build a Security Culture

Nick Santora | July 24, 2020

We hear about security culture a lot, and we know it’s important, but why is building a culture of security so essential for your organization?

In order to understand what security culture is, we need to grasp what the term culture actually means. Culture is the beliefs, rituals, stories, arts, and interactions among a group or society: basically how people interact with each other and what they expect in a group setting. You cannot have a culture without a group of at least two (2) people.

But what does culture really mean when it comes to security awareness training, and why is it a must-have for your organization?

In this post, we’ll go over some of the basics on how to create a security culture, and some of the mistakes other security leaders make when it comes to establishing a culture of security.

What is a security culture?

In my old job, I wore a suit & tie combo almost every day. It was very formal and the surroundings were very corporate. Now that I lead the team at Curricula, we are part of the Atlanta Tech Village, which is a community built around the thriving startup ecosystem in our city. People in the Atlanta Tech Village wear shorts and t-shirts, ride around on scooters, play games, and work their butts off creating amazing products that solve problems for the world. It was an amazing culture shock for me to be able to walk into the office in flip flops, grab a beer, and get rolling on solving security education challenges with the team.

So a security culture is similar to culture in general, but it’s focused on protecting a group from external threats. Those threats come from hackers, cyber criminals, and all the other bad actors out there trying to attack our businesses and employees. We want our employees to feel protected, and we want the community to establish a culture that reinforces that concept. So far so good?

What are the common mistakes made when establishing a security culture?

Now that we know what a culture is, and the goal behind creating a security culture, let’s take a moment to think about how your organization is establishing its own culture of security. For example, a security awareness program is designed to help influence your security culture. If you don’t have a security awareness program, how are you going to create a culture of security?

If compliance is the only reason your organization is implementing a security awareness program, you need to start over.

I have seen so many compliance programs forcing security awareness as a ‘check the box’ activity, and that doesn’t work to truly protect your organization.

First, you need executive buy-in and a team to support the program. If the executive leadership doesn’t support establishing a security culture, then they’re not supporting security. Their role as leaders is to identify risks and develop strategies that could protect the business. From there, they can design action plans to act on those strategies.

Lack of effort in security awareness training

We all know people are the biggest asset to an organization, but they are also one of the largest risks for causing data breaches. This doesn’t have to be the case. In order to establish a culture of security, we have to encourage employees to take ownership of the role they play in defending against cyber attacks.

Employees aren’t going to change their behavior towards phishing if your CEO or IT department sends an email to all employees saying “please don’t get phished.” And frankly, it’s a waste of everyone’s time to receive that email which we all know will be ignored or deleted.

Weak content is one of the biggest mistakes made in security awareness training. If your content is boring, unrelatable, or filled with legal language, no one will pay attention. Although your intentions are great, you have to understand that dry paragraphs of plain text about hackers will not influence a behavior change.

As we learned before, to create a culture you have to drive influence. And to drive influence, you need support. Just sending out an email once a month or once a quarter, or hanging a poster up that says ‘don’t get phished’ will do nothing to make an impact.

In order to create a security culture shift, you need to understand what drives change. Change is not easy, and when it comes to employees changing their behavior, you have many barriers ahead. Change requires taking an established habit, associating that habit with a negative outcome, and then influencing a new habit with a desired, positive outcome. Essentially, employees need to know why something they are doing is wrong and learn how to change the negative habit they’ve been demonstrating.

So now that we learned all of the challenges in creating a culture of security, how do we actually create one ourselves?

Here’s how you can establish a culture of security

The best way to start establishing a culture of security is to launch a security awareness program designed to build a common understanding of security threats and how to defend against them.

To build a successful security awareness program, you need to establish these four (4) pillars.

1. Support

Security awareness programs need support, and they are not easy to get started. It takes effort, but when you start driving small changes, you will start to see the culture of security change within your organization. The whole idea with support is to get buy-in from every employee, from your executive team to frontline personnel.

The goal is to get every single employee to understand their role in security for protecting their organization.

Once you recognize the need for a security culture, work with all your department heads so they can also communicate why security training is so important. A simple discussion with each department head is a great place to start, because without that recognition you’ll never have the support needed to scale the program to reach its full potential. Remember to do this in pieces, because building culture doesn’t happen right away.

2. Content

When creating a security awareness training program, you need to understand that content is king. If your employees are not engaged, the message will never resonate with them. Is the training content relatable? Would you enjoy receiving an email with this information? If not, how do you think your employees feel? Would they feel like their time is being wasted?

Take the time to create quality content that is fun, engaging, and most importantly effective.

Having great content works to gain that buy-in. Think about pulling back on all the legal language, death by PowerPoint presentations, and mundane emails about cyber attacks. Put in the effort to be forward-thinking about how your employees will feel, and get them excited to participate on an ongoing basis.

Security awareness training content includes various elements such as videos, quizzes, analytics, baselines, phishing training, phishing tests, phishing reporting, webinars, meetings, posters, and incentives, along with gathering constant feedback. All of these help develop a cyber security culture within your organization.

3. Motivation

Now that you have buy-in from your team, and content to support your security awareness program, how do you get people to participate? Although our first reaction might be to give out gift cards and money, that’s not always the best way.

Why? Because you’ll never be able to keep up with financially incentivizing employees for good security behaviors.

Think about other ways to incentivize employees for doing the right thing. This could be anything from paid time off or donations to a charity of their choice, to swag items and, most importantly, public recognition for demonstrating best cyber security practices.

4. Measure

Measuring a security awareness program isn’t about completion rates. Most of the time, that is the only measurement taken to see if a program is successful. Although completion rates help for compliance, they don’t tell the story of your security culture.

With all of this, you need to be constantly learning from your employees, discussing threats facing the company, and iterating on the program for ways to improve it. This doesn’t mean just having management force training on employees. Reach out to your team to get their feedback on what can be improved, and make changes based on their insights.

Finally, understand that it takes time to build a culture of security. It can’t happen overnight. But, once you get the program off the ground, you can start influencing change right away.

Think about how long it took as a society to build safety into everything we do. Fifty years ago, people didn’t wear seatbelts, chain-smoked, and did a lot of things that were really unsafe by today’s standards. Once people personally understand the concept of safety, they realize what’s at stake.

If you are looking to create a security culture within your organization and need some help, Curricula developed a turn-key security awareness platform with everything needed to get your program off the ground quickly. Learn more and check out a free demo to help drive a change in your security culture.


Author: Nick Santora, CISSP, CISA, Chief Executive Officer of Curricula.