8 Tips for Building a Security Culture
My colleagues at MediaPRO and I have historically had loads to say about the importance of security culture, and there’s always more to say on that subject.
But I’ve begun to note a shift in how the concept is discussed.
More and more I’m hearing talk of “culture change” and of “creating a security culture”—conversations that go well beyond mere awareness. Building a culture of security at an organization, the thinking goes, is the best way to change risky behavior.
But what does creating such a culture look like? How do you get there?
You’ll hear many different answers to those questions, but here I’d like to discuss some practical things that I’ve seen work for customers and colleagues.
What follows are eight pieces of advice for planning, creating, and deploying an ambitious security awareness program. Whether or not full-blown security culture change is your goal, you’ll likely find something to take home here.
Emphasize the Value in the Awareness Spend
Before you can even begin planning an awareness and culture change initiative, you’ll need some budget. The good news is that, compared to the other initiatives you’re engaged in to ensure security, awareness is cheap!
How cheap? I’m sure you’re asking. There’s no simple answer to this question, but I’ll try to give you some idea.
If you’re going out and licensing a solution from a vendor, you’re generally going to start out between $13 and $25 per user for a mix of training, reinforcement, and phishing. That number is going to rapidly scale down on a cost-per-head basis as your user count goes up.
Once you’re over a few thousand employees, you’re well down into the single figures—that’s $3 to $5 per head. I don’t care who you are, that’s cheap.
And most vendors—MediaPRO included—will be able to show you a strong ROI and a payback time of six months or less.
Of course, vendor costs aren’t your only cost. You’ve got to employ someone to run your program and that can range from a quarter-FTE for small companies up to maybe an eight- to ten-person team at a big global giant. You’ve also got other costs, like running a learning management system, hiring speakers, perhaps printing posters.
All that said though, your overall awareness spend will pale in comparison to the big bucks you’re spending on the gamut of technical solutions. The argument could even be made that investing in your employees through awareness training improves the ROI of your technical solutions, as educated employees will be equipped to use these tools more effectively and efficiently. You can even use our training ROI calculator to get an estimate.
Still on the fence between buying or building awareness training? Check out our white paper for more on this topic.
Build Alliances Across Your Organization
One of the first things you should do the moment you take charge of your awareness program is to build alliances across and throughout your organization, no matter how big or small it is.
This means identifying executives who are willing to lend their name and voice to promoting your efforts. If you’ve got execs willing to speak to the importance of cybersecurity, this will speak volumes to the “rank-and-file” employees who you may ask to sit through training. (Mentioning that your c-suite is not exempt from the training can’t hurt, either.)
Find colleagues in departments that touch and communicate with all employees—whether it’s HR, Communications, Learning & Development, etc. You’ll need their support to distribute companywide communications, and they can help you recognize the pitfalls of communicating during certain times and overall just navigate what can often be a log-jammed mess.
If you’re including “required training” as part of the mix, make friends with whomever runs your company’s learning management system (or LMS).
Then, start the work to build some form of support network within your organization. You can call it security champions, or ambassadors, or ninjas—call it whatever you want. The important thing is that you’ve got allies in different business units and different levels who can help you distribute information and answer questions.
Align Awareness with Business Goals
As you put the work into alliance building, you’ll likely notice some shared needs and priorities crop up across your company’s departments. This should serve as a reminder that you’re all playing for the same team, with the same overarching business goal or goals in mind.
Our next tip: Build your awareness initiative in a way that gels with these goals by addressing topics pertinent to your company and your overall mission. Otherwise, you won’t be doing a bit of good.
Making phishing prevention a centerpiece of your program may make perfect sense if your organization is full of people who use email in their day to day work, but it won’t make any sense at all if you employ landscape workers or dishwashers or welders.
If keeping customer trust is critical to your business mission, though, you should be able to draw a straight line between that mission and the daily activities of everyone who touches data in your organization.
Making direct connections between the business goals of your company and the goals of your awareness program just makes practical sense:
- It will help you make the business case to your bosses that awareness is a direct support to the business
- It will help you convince employees that your awareness program truly is relevant and connected to the larger business goals
When you align awareness with business goals, by making it clear that your efforts support and do not impede the business, you improve your chances of success both up and down the organization.
Target and Prioritize
Chances are that you’ve started out with big dreams about what you can accomplish with your awareness program. But your work building alliances may already be making you more realistic about what you can actually achieve.
This is where your work in aligning your program goals with your business goals will come in really handy, because you’re going to need to ruthlessly prioritize the most important objectives and be sure that these get the most focus.
Then you’re going to want to decide where you need to target your efforts. Whether you’ve gathered quantitative data about the risk levels of different employees, or you just have hunches about the pockets of risk that exist within different business units, you’ll want to target areas of education where it’s needed most. Here are some examples:
- Privacy by Design for software developers, to ensure data handling best practices are baked into all the code they write
- Phishing awareness for sales and finance—in our experience, those most likely to expect emails with attachments and who need to be extra skeptical of such communications
- Data handling and privacy policies for marketing and call centers, to ensure all-important customer information is managed in accordance with company policies and legal regulations
Understanding what your biggest risks are, and where those risks are most pressing, can be your biggest guide to this stage of your work.
Putting the Plan into Action
With alliances made, goals set, and training mapped out, it’s time to execute.
The next sections focus on the training strategy itself. Here are some guidelines to keep in mind.
Increase Relevance to Avoid Alienating Employees
We’ve all heard stories of workplaces where people hate the training and the communications they get from IT—and guess why? Very often it’s because the training is built by people at one of two ends of the spectrum. They either believe end users need everything spelled out for them, or they want to use a level of detail about “threat vectors” and “vulnerabilities” that only an InfoSec nerd could appreciate.
The truth is most people are open to learning more about protecting data if you communicate about it in ways that are relevant to them.
Relevance cuts a number of ways. You can make it relevant to their work life by using examples and scenarios that reflect their jobs—so that people in marketing get a different approach to respecting people’s data preferences than those in software development.
But relevance extends beyond the workplace. So many of the best practices in cybersecurity—things like carefully checking email sources, managing passwords effectively, and being wise about sharing information—overlap in work and home life.
When you communicate about these best practices in ways that show relevance to personal life, people are much more likely to find the material engaging—and to embrace the behavior you’re after.
Focus on Meaningful Behavior Change
When you run an awareness program, your goal isn’t that people memorize your security policies or call out the specifics of ISO 27001 or GDPR compliance. You’re not trying to make people security or privacy experts.
What you are trying to do is get all employees to make some small but meaningful changes in their day-to-day behavior. Here’s what we’re talking about:
- Reflexively checking the data classification standards when they’re not sure where to store data
- Opening their password manager to generate a new password
- Validating the sender of a suspicious email
- Reporting a suspicious incident
These are the behavior changes you’re after, and most can be measured and—importantly—praised when done right.
To the extent that you can focus on the actual behaviors you want to foster and not just the policies you want to enforce, you’ll have a much better chance of reaching your employees where they are.
Use Variety and Repetition
When it comes to how you’re going to reach your targets for behavior change, you’ve got to find as many interesting ways to communicate your desired message as possible. This means looking for ways that are interesting to different people—to bring real diversity into the style and substance of your message.
Does this mean finding a training vendor that incorporates gamification or microlearning into their training materials? Does it mean a mix of serious and funny tones?
That’s ultimately up to you based on your company culture. But you can be sure that the same boring training repeated over and over again will eventually fall on deaf ears.
But that’s not to say repetition is not important. It is the mother of learning, a phrase that has been repeated enough to likely be present already in the minds of anyone reading this.
How many of us (in the U.S. specifically, but I’m guessing around the world as well) know the mantra “If you see something, say something,” thanks to the ubiquity of these signs in airports and train stations and other public places? It’s the sheer repetition of this simple message, shown in a variety of settings, that helps it stick with us.
Everybody has their cybersecurity tipping point—the point at which they’re no longer learning about something, they’ve actually incorporated it into their daily practice. It’s your job to help them get there.
Execute, Nurture, and Maintain
Ultimately, it’s all going to come down to your ability to build out a plan—for a year and beyond—and then to execute on that plan week in and week out.
Your success will not come overnight—that’s just not the way that culture change works. But just like growing a garden or raising children, your program will benefit from regular care and maintenance.
If you supply a steady stream of risk-focused, relevant communications, and if you maintain a positive and helpful attitude as you repeat the key behaviors you want to see people embrace, you will start to see the signs of an emerging culture of security.
This article is a spin-off of a webinar featuring Tom Pendergast and guest Forrester analyst Jinan Budge titled Harden the Human Firewall by Building Awareness, Behavior, and Culture. (The components here are Tom’s work.)