Inherent to any conversation about cyber awareness training is the reality that organizations need to change their cultures, which can’t happen without strong leadership. As we’ve seen with mobile security strategies, though, business efficiency and productivity too often trump security.

The very idea that companies need to change their corporate cultures to make security awareness a genuine part of their profit and loss statements might sound too Pollyannaish to some. The goal may seem lofty, but it doesn’t have to be, and the change doesn’t need to happen overnight. After all, it’s better to take smaller steps toward slow change than to do nothing and fall victim to cyberthreats.

Promoting Cyber Awareness From the Top Down

When security awareness and training mandates don’t come from the top, there is very little potential for change. Creating a cyber-aware culture also demands a shift in the way organizations treat security. The role of the chief information security officer (CISO) is evolving, and while some are making headway toward becoming influencers at the top level, many CISOs don’t feel respected within their organization. Cybersecurity is still largely seen as part of IT rather than a profession in itself.

All the while, phishing remains a popular method of gaining initial access among cybercriminals, and 49 percent of companies that have already suffered a significant attack are targeted again within a year. Enterprises can no longer kick the can down the road and accept “good enough” as a viable solution to mitigating the risks of human error.

Many organizations understand the risks associated with the human factor but lack the time, staff or other resources to fully understand what a cyber-aware workforce means to the organization. But when it comes to creating a culture of security awareness, there are no stupid questions.

Here’s one to ponder: Why do 65 percent of CISOs spend sleepless nights worrying about phishing scams, and why do 61 percent fear disruption to processes caused by malware? It’s likely because they know that human beings represent the weakest link in their security chains.

Another question to consider: Would CISOs worry less if they felt confident that their organizations were cyber aware? Building a culture of security is not a Pollyanna dream — especially if it is supported from the top down.

Let’s face it: Any human being within any organization could fall victim to a scam. If you think you are exempt from that because you are the CEO, I’d advise you to leave your ego at the door. Phishing scams don’t discriminate, and the security of your organization is not about you or how clever you are — it’s about risk.

That’s why building a cyber-aware culture begins with risk management. According to Reg Harnish, CEO of GrayCastle Security, “A successful cybersecurity culture cannot exist without first identifying your organization’s risk tolerance.” Once you understand which systems need protection, you can make informed decisions about how to secure enterprise data and set expectations about employee behavior.

Do’s and Don’ts for Changing Corporate Culture

Changing a corporate culture is not the same as security awareness training. Awareness training is a critical part of creating a cyber-aware culture, but it is only one piece of the fiber that defines an organization. Culture is more broadly defined by its social norms. Security leaders should keep the following do’s and don’ts in mind when endeavoring to change employee behavior.

Do Expect Mistakes

Because employees are a critical line of defense when it comes to protecting against cyberattacks, it’s important to value them as much as you do any other security tool. Recognizing that no defense is foolproof, security leaders should also prepare for the inevitability of human error, regardless of how well employees are trained.

Don’t Punish Errors

When users are blamed, reprimanded or even fired for their mistakes, they are far less likely to report incidents when they occur. Why on earth would you approach the security team to confess that you accidentally clicked a malicious link when you could be fired? You wouldn’t.

Do Build Morale

A more effective approach is to make employees feel like partners so that they know where threats are coming from and can work collaboratively to help each other avoid security incidents.

Do Not Rely on Annual Training

The standards of teaching and learning that apply in the classroom don’t change when adults become part of the workforce. If the goal is to educate, the training needs to be multifaceted, ongoing and consistent. Use alternative assessments to determine the effectiveness of the training programs you are using. If you don’t see progress, try something new.

Do Set Achievable, Companywide Security Goals

The key is to start small. A measurable goal might be to reduce the number of employees who click on a malicious link during a simulated phishing attack. When setting goals, ensure that they can be tied back to the employees. Connect the security of the organization to their own personal privacy. To convince employees to change their behaviors, security leaders must first help them understand how their actions impact the security of the organization.

A Culture of Cyber Awareness Is Attainable

When security leaders set reasonable, incremental goals and demonstrate a willingness to try new training methods when traditional approaches fail to yield results, creating a culture of cyber awareness doesn’t have to be a pipe dream. In fact, it’s an absolute necessity given the volatility and increasing sophistication of the threat landscape. Cybercriminals are masters of manipulating human nature to convince employees to do their nefarious bidding. It’s time for security leaders to better understand the human element of cybersecurity and use these insights to protect their employees and enterprise data.
