November 20, 2020 By Mike Elgan 3 min read

Building a security-first culture is as important for cybersecurity as investing in the right tech or creating and enforcing the right policies. 

Defense systems cannot provide 100% of the security organizations need as long as individual employees are making decisions about what to click on, who to trust and, at the leadership levels, where and how much to invest in security. This is especially true with the rise in remote work.

How to Make Security Important to Everyone

What is security culture?

It’s a set of ideas, habits and social behaviors that lead people to make choices in their everyday work that enhance, rather than threaten, the company’s cybersecurity. While “culture” sounds vague and soft, it’s really the best trainable guide for action. It’s a framework for making security important to everyone in the group.

The importance of security consciousness cannot be overstated. The benefits of a solid security culture mean employees will report, rather than click on, suspicious links sent via email or text. They’ll embrace, rather than circumvent, secure systems and safety protocols. They’ll engage freely with IT staff when unsure, confused or needing help, rather than stay silent.

Senior leaders will bring security teams in on projects early out of a spirit of mutual benefit, rather than at the last minute out of a spirit of suspicion or distrust. And business leaders will make decisions based on a clearheaded intent to protect the organization’s assets, rather than the mistaken notion that cutting security will improve the organization’s finances.

Unfortunately, nine out of 10 organizations do not have the security culture they want in their organizations, according to an ISACA/CMMI Institute Cybersecurity Culture Report conducted two years ago. 

What is a Cybersecurity Mindset? 

Security is part of every employee’s job description in fact or in spirit. But, how do you make sure every person keeps that in mind?

The answer, in a nutshell, is smart messaging, training and leadership. Here are the 10 elements of a new and effective culture of security in your organization. 

Security Culture Framework: Goals

Forget about awareness training. The first step is to set specific goals. Goals are qualitative and high level (as opposed to objectives, which are quantitative and measurable). These goals should be publicized, and will serve not only as guides for creating objectives, but also as inspiration and talking points for the conversion to come.

Objectives

The business adage ‘if you can’t measure it, you can’t improve it’ holds in the creation of a security-first culture as much as in any other aspect of business. Objectives should be measured both in quantity and in time. They need a deadline, or a point each year when an assessment can be made.

These objectives may include compliance with specific rules, a reduction in financial losses, specific metrics around employees passing tests, reduction in data loss incidents and others. In addition, they take into account any and all practical objectives with deadlines that support the group’s goals.

Frequency

Cybersecurity awareness training is often either put off until a tomorrow that never comes or is scheduled too infrequently, like annually. Make it more frequent, with different sessions focusing on different dimensions of awareness to create a lasting mindset.

Simulation

Attack simulations in particular and gamification in general are great ways to really drive home the realities of cybersecurity. It’s the next best thing to really suffering a major attack for raising awareness. You can also create healthy competition between different teams to engage people.

Communication

Formal training sessions are just the “big events” of security awareness. Messages from leadership and management should also carry updates and reminders about the need for all-day, everyday vigilance. Keep it simple, basic and devoid of technical jargon.

Vocabulary

A security-first culture demands open communication. And conveying concepts well requires the right words. Security awareness training should emphasize the language of security, especially the language of phishing attack types. By learning the words, employees become aware of the techniques.

Onboarding

Security awareness should also be a core part of new-employee onboarding. New employees should understand from the start that part of their job will be to work in an active culture of cybersecurity. 

Empowerment

A sense of empowerment for every employee is part of a culture of security awareness, too. The knowledge that every employee can help make or break the organization’s security posture should be foremost in everyone’s mind. On the flip side, a lack of it makes people complacent. Empower employees to take action. 

Error Avoidance

Some problems are created by errors made by everyday employees that may seem to have no connection to digital risk. So, it’s important that a culture of security recognizes this and develops training for avoiding or catching errors in general.

Leaders Model Putting Security First

A culture of security means C-level executives understand that digital safety is a business challenge and a business opportunity, not a technical problem for the nerds to solve. 

Leaders can signal the importance of everyday cybersecurity as a strategic goal. All aspects of leadership come into play in creating a security-first culture. Expressing concepts clearly, leading by example, rewarding and promoting the right behaviors are what leadership is all about. Leaders can drive culture change in cybersecurity just like in other aspects of business. 
