Inherent to any conversation about cyber awareness training is the reality that organizations need to change their cultures, which can’t happen without strong leadership. As we’ve seen with mobile security strategies, though, business efficiency and productivity too often trump security.

The very idea that companies need to change their corporate cultures to truly make security awareness part of their profit and loss statements might be too Pollyanna for some. The goal might be lofty, but it doesn’t have to be, and the change doesn’t need to happen overnight. After all, it’s better to take smaller steps toward slow change than to do nothing and fall victim to cyberthreats.

Promoting Cyber Awareness From the Top Down

When security awareness and training mandates don’t come from the top, there is very little potential for change. Creating a cyber-aware culture also demands a shift in the way organizations treat security. The role of the chief information security officer (CISO) is evolving, and while some are making headway toward becoming influencers at the top level, many CISOs don’t feel respected within their organization. Cybersecurity is still largely seen as part of IT rather than a profession in itself.

All the while, phishing remains a popular method of gaining initial access among cybercriminals, and 49 percent of companies that have already suffered a significant attack are targeted again within a year. Enterprises can no longer kick the can down the road and accept “good enough” as a viable solution to mitigating the risks of human error.

Many organizations understand the risks associated with the human factor but lack the time, staff or other resources to fully understand what a cyber-aware workforce means to the organization. But when it comes to creating a culture of security awareness, there are no stupid questions.

Here’s one to ponder: Why do 65 percent of CISOs spend sleepless nights worrying about phishing scams, and why do 61 percent fear disruption to processes caused by malware? It’s likely because they know that human beings represent the weakest link in their security chains.

Another question to consider: Would CISOs worry less if they felt confident that their organizations were cyber aware? Building a culture of security is not a Pollyanna dream — especially if it is supported from the top down.

Let’s face it: Any human being within any organization could fall victim to a scam. If you think you are exempt from that because you are the CEO, I’d advise you to leave your ego at the door. Phishing scams don’t discriminate, and the security of your organization is not about you or how clever you are — it’s about risk.

That’s why building a cyber-aware culture begins with risk management. According to Reg Harnish, CEO of GrayCastle Security, “A successful cybersecurity culture cannot exist without first identifying your organization’s risk tolerance.” Once you understand which systems need protection, you can make informed decisions about how to secure enterprise data and set expectations about employee behavior.

Do’s and Don’ts for Changing Corporate Culture

Changing a corporate culture is not the same as security awareness training. Awareness training is a critical part of creating a cyber-aware culture, but it is only one piece of the fiber that defines an organization. Culture is more broadly defined by its social norms. Security leaders should keep the following do’s and don’ts in mind when endeavoring to change employee behavior.

Do Expect Mistakes

Because employees are a critical line of defense when it comes to protecting against cyberattacks, it’s important to value them as much as you do any other security tool. Recognizing that no defense is foolproof, security leaders should also prepare for the inevitability of human error, regardless of how well employees are trained.

Don’t Punish Errors

When users are blamed, reprimanded or even fired for their mistakes, they are far less likely to report incidents when they occur. Why on earth would you approach the security team to confess that you accidentally clicked a malicious link when you could be fired? You wouldn’t.

Do Build Morale

A more effective approach is to make employees feel like partners so that they know where threats are coming from and can work collaboratively to help each other avoid security incidents.

Do Not Rely on Annual Training

The standards of teaching and learning that apply in the classroom don’t change when adults become part of the workforce. If the goal is to educate, the training needs to be multifaceted, ongoing and consistent. Use alternative assessments to determine the effectiveness of the training programs you are using. If you don’t see progress, try something new.

Do Set Achievable, Companywide Security Goals

The key is to start small. A measurable goal might be to reduce the number of employees who click on a malicious link during a simulated phishing attack. When setting goals, ensure that they can be tied back to the employees. Connect the security of the organization to their own personal privacy. To convince employees to change their behaviors, security leaders must first help them understand how their actions impact the security of the organization.

A Culture of Cyber Awareness Is Attainable

When security leaders set reasonable, incremental goals and demonstrate a willingness to try new training methods when traditional approaches fail to yield results, creating a culture of cyber awareness doesn’t have to be a pipe dream. In fact, it’s an absolute necessity given the volatility and increasing sophistication of the threat landscape. Cybercriminals are masters of manipulating human nature to convince employees to do their nefarious bidding. It’s time for security leaders to better understand the human element of cybersecurity and use these insights to protect their employees and enterprise data.
