When I attended new employee orientation at a global technology company several decades ago, I remember very brief cybersecurity training. The gist was to contact someone in IT if we noticed any potential issues. While I was with the company, I only thought about cybersecurity when I passed the server room, and I could only peek into that locked, dark room full of machines when one of the tech guys opened the door. Back then, I always felt that it was someone else’s job to keep our data safe. Time and experience have changed the way I look at things.

Over the past year, I’ve spent a lot of time thinking about how to improve cybersecurity at businesses and agencies of all sizes. And research backs up my current assumption that companies are taking it seriously and passing on that message to employees.

Almost every suggestion and solution comes back to one key concept — use cybersecurity training to create a culture where everyone feels cyber safety is part of their job and has the knowledge to protect the company’s data, infrastructure and apps.

5 Components of a Cybersecurity Culture

Creating the right culture seems somewhat nebulous. Where can you find a concrete road map to help build a mindset of digital safety?

This Infosec report is a good place to start. It also lets you see where other companies stack up in terms of how mature they are in their digital defenses and culture.

These are the five domains outlined in the report — and what they mean:

  • Trust – The relationship between your workforce and your security practices and personnel
  • Responsibility – Employees’ perception of their roles in organizational security
  • Confidence – The likelihood that employees translate learned information and skills into secure behaviors
  • Engagement – Employees’ willingness to get involved and apply the resources and support available to them
  • Outcome – Perceived consequences, meaning the impact employees believe an incident will have on the organization and on their own lives

Cybersecurity training that covers all of these domains will create an overall culture that encourages safety. By starting with building trust between IT and the employees, the culture moves from employees viewing cybersecurity as ‘big brother’ to a partnership.

Employees are then more likely to fully hear and take to heart the idea that they really hold the power to prevent or cause an attack that can have damaging outcomes. Once this trust is in place, cybersecurity training provides employees with confidence. This then translates into engagement, so employees can improve their behaviors.

3 Keys to Cybersecurity Training

That list provides a good foundation, but we still need tangible tasks to help companies build these five domains. Creating a new culture isn’t easy or an overnight fix. It’s a long process that comes from proactive and strategic changes.

Here are three actions companies can take to change their culture:

Make Cybersecurity Training Fun

Provide convenient and fun training. Employees should care about digital safety, understand how to prevent incidents and know what to do if they come across anything that seems strange. You can’t achieve that with a boring, once-a-year lecture during the company meeting.

Instead, make a concerted effort to have an ongoing dialogue about these issues with every employee. By having human resources partner with IT, you may see improved training results.

When thinking about the right approach, look at your overall company culture and your employees’ needs. Consider using microlearning to keep the topic at the top of their minds in short bits.

Offer Goalposts

One way to make cybersecurity culture engaging is to offer goalposts in the form of certifications. A key to closing the skills gap is helping employees land new-collar careers by earning cybersecurity certifications.

By helping current employees do this, you can reduce skills gaps and promote from within at the same time. Companies can also partner with K-12 schools to encourage cybersecurity education and even help high schoolers earn certifications.

Use AI Tools

Artificial intelligence (AI) tools can analyze the most up-to-date data and more quickly spot potential attacks. In addition, you can prioritize alerts so you know which ones aren’t relevant and which are critical.

Now that attackers are using AI tools to design and launch attacks, groups that don’t use these tools are giving attackers a running head start. It’s challenging, if not impossible, to defend against such tools without using equal or better ones.

Making Cybersecurity Everyone’s Job

The greatest challenge is that you can only control your actions. Your employees need to really feel they each can make a difference.

There are many things that can encourage those feelings, such as publicly rewarding employees for reporting issues, creating messaging that keeps employees up to date on current threats and starting a secret-shopper-style program (for example, simulated phishing emails) to see which employees need more training on phishing schemes.

You can also share with employees how current breaches are affecting other companies, such as layoffs and revenue losses. By seeing the impact that clicking on a single unknown link can have on so many people, employees often see how seemingly small actions play a big role.

In the end, you have to keep sharing the message and creating the right culture until your employees feel digital safety is part of their job. This doesn’t happen overnight. Or even in a year. You have to keep sharing the message and, most importantly, walking the walk.

By staying persistent and truly believing in your message, business and IT leaders can help employees have their own lightbulb moment when they see that they can make a difference. It’s then — and only then — that a company begins down the path of a cybersecurity culture.
