Inherent to any conversation about cyber awareness training is the reality that organizations need to change their cultures, which can’t happen without strong leadership. As we’ve seen with mobile security strategies, though, business efficiency and productivity too often trump security.

The very idea that companies need to change their corporate cultures to truly make security awareness part of their profit and loss statements might be too Pollyanna for some. The goal might be lofty, but it doesn’t have to be, and the change doesn’t need to happen overnight. After all, it’s better to take smaller steps toward slow change than to do nothing and fall victim to cyberthreats.

Promoting Cyber Awareness From the Top Down

When security awareness and training mandates don’t come from the top, there is very little potential for change. Creating a cyber-aware culture also demands a shift in the way organizations treat security. The role of the chief information security officer (CISO) is evolving, and while some are making headway toward becoming influencers at the top level, many CISOs don’t feel respected within their organization. Cybersecurity is still largely seen as part of IT rather than a profession in itself.

All the while, phishing remains a popular method of gaining initial access among cybercriminals, and 49 percent of companies that have already suffered a significant attack are targeted again within a year. Enterprises can no longer kick the can down the road and accept “good enough” as a viable solution to mitigating the risks of human error.

Many organizations understand the risks associated with the human factor but lack the time, staff or other resources to fully understand what a cyber-aware workforce means to the organization. But when it comes to creating a culture of security awareness, there are no stupid questions.

Here’s one to ponder: Why do 65 percent of CISOs spend sleepless nights worrying about phishing scams, and why do 61 percent fear disruption to processes caused by malware? It’s likely because they know that human beings represent the weakest link in their security chains.

Another question to consider: Would CISOs worry less if they felt confident that their organizations were cyber aware? Building a culture of security is not a Pollyanna dream — especially if it is supported from the top down.

Let’s face it: Any human being within any organization could fall victim to a scam. If you think you are exempt from that because you are the CEO, I’d advise you to leave your ego at the door. Phishing scams don’t discriminate, and the security of your organization is not about you or how clever you are — it’s about risk.

That’s why building a cyber-aware culture begins with risk management. According to Reg Harnish, CEO of GrayCastle Security, “A successful cybersecurity culture cannot exist without first identifying your organization’s risk tolerance.” Once you understand which systems need protection, you can make informed decisions about how to secure enterprise data and set expectations about employee behavior.

Do’s and Don’ts for Changing Corporate Culture

Changing a corporate culture is not the same as security awareness training. Awareness training is a critical part of creating a cyber-aware culture, but it is only one piece of the fiber that defines an organization. Culture is more broadly defined by its social norms. Security leaders should keep the following do’s and don’ts in mind when endeavoring to change employee behavior.

Do Expect Mistakes

Because employees are a critical line of defense when it comes to protecting against cyberattacks, it’s important to value them as much as you do any other security tool. Recognizing that no defense is foolproof, security leaders should also prepare for the inevitability of human error, regardless of how well employees are trained.

Don’t Punish Errors

When users are blamed for, reprimanded or even fired for their mistakes, they are far less likely to report incidents when they occur. Why on earth would you approach the security team to confess that you accidentally clicked a malicious link when you could be fired? You wouldn’t.

Do Build Morale

A more effective approach is to make employees feel like partners so that they know where threats are coming from and can work collaboratively to help each other avoid security incidents.

Do Not Rely on Annual Training

The standards of teaching and learning that apply in the classroom don’t change when adults become part of the workforce. If the goal is to educate, the training needs to be multifaceted, ongoing and consistent. Use alternative assessments to determine the effectiveness of the training programs you are using. If you don’t see progress, try something new.

Do Set Achievable, Companywide Security Goals

The key is to start small. A measurable goal might be to reduce the number of employees who click on a malicious link during a simulated phishing attack. When setting goals, ensure that they can be tied back to the employees. Connect the security of the organization to their own personal privacy. To convince employees to change their behaviors, security leaders must first help them understand how their actions impact the security of the organization.

A Culture of Cyber Awareness Is Attainable

When security leaders set reasonable, incremental goals and demonstrate a willingness to try new training methods when traditional approaches fail to yield results, creating a culture of cyber awareness doesn’t have to be a pipe dream. In fact, it’s an absolute necessity given the volatility and increasing sophistication of the threat landscape. Cybercriminals are masters of manipulating human nature to convince employees to do their nefarious bidding. It’s time for security leaders to better understand the human element of cybersecurity and use these insights to protect their employees and enterprise data.

Read more about Creating a Culture of Security

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today