Building a cyber-resilient organization requires more than implementing the best cybersecurity practices. Cybersecurity must be woven into the culture of the organization from the top down. Because 95% of data breaches result from human error, creating a cybersecurity culture can significantly cut down on security breaches by emphasizing the importance of cybersecurity.
Cybersecurity is only as strong as its weakest link. With cybercriminals leveraging more sophisticated hacking tools, organizations can use culture change to fix existing vulnerabilities, reduce their attack surface, and protect themselves from evolving cyber threats to strengthen their information security practices.
Creating a Cybersecurity Culture vs. Cybersecurity Training
The main difference between creating a cybersecurity culture and training for cybersecurity is that a culture implements values, attitudes, and beliefs centered around cybersecurity. Cybersecurity training can be an effective first step to strengthen an organization’s first line of defense, but it is just one part of a larger organization-wide goal to ensure strong information security practices are continually enforced.
While cybersecurity training can provide essential knowledge of good practices or the latest cyber threats, it doesn’t necessarily create daily engagement with critical cybersecurity practices. To develop a security culture, an organization must implement measures to shift focus toward building security awareness and developing healthy attitudes toward cybersecurity.
How Nurturing a Cybersecurity Culture Mitigates Cyber Threats
Furthermore, workplace trends pose increasing risks to cybersecurity, including remote working, where team members connect to company networks using unvetted devices, and, similarly, Bring Your Own Device (BYOD) policies, allowing employees to use their own devices in the workplace, increasing attack surfaces. Given the increased risks, forward-thinking leaders are developing security awareness cultures to help security teams protect their organizations.
Cybersecurity professionals are also critical to protecting organizations, but C-suite executives must understand that cyber threats are rapidly evolving and attacks are growing in frequency. To ensure strong data protection, businesses need more than basic security measures, such as firewalls and anti-malware software.
Everyone in the organization must be on board to minimize the growing security risks from increasingly complex cyber threats, including advanced phishing emails and ransomware attacks from individuals and nation-states.
Key Steps to Create a Cybersecurity Culture
Some of the most important steps to developing a culture of cybersecurity include:
Assess the Current State of Cybersecurity
Cybersecurity is all about protecting critical systems and assets from cyber threats. Assessing the company's current state of cybersecurity creates a culture that identifies the risk and gaps in existing processes so they can be addressed quickly and effectively. A human risk analysis (HRA) can help prioritize the risks to address by time to implement, cost of change, and predicted value.
A proper cybersecurity culture assessment is required so that change happens efficiently and in a structured way. During this process, the organization should:
- Identify stakeholders that can help with the cybersecurity awareness program
- Identify stakeholders who would benefit most from a cybersecurity awareness program
- Define training objectives for each target group
- Identify the best way to deliver training to each group, such as via seminars, e-learning, and regular simulations
- Create the training and awareness plan, determining who will perform the training and how it will be monitored
- Define KPIs or metrics with which to evaluate learning for each target group. Firms will want to consider how many people have engaged with learning or awareness materials, how much training or exercises each staff member completes, and the change in attitudes, beliefs, and behaviors regarding cybersecurity. The latter could be measured by the number of strong passwords used, for example, or by increased reporting of phishing emails.
Ensure Leadership-Level Cybersecurity
The cybersecurity culture needs to trickle down from the top and get full engagement and participation from board members, chief information officers (CIOs), chief information security officers (CISOs), and other C-suite executives. Cultures can only be created following leadership and the example they set.
Leadership needs to take what was learned in the cybersecurity assessment to develop strategic objectives for the cybersecurity program. Leaders need to fully understand the value of cybersecurity to the organization, impart cybersecurity culture change to stakeholders, understand the cyber threat landscape, and reinforce the importance of their firm’s security posture in relation to industry peers and standards.
It’s important that cybersecurity culture goals be specific, time-defined targets, as this facilitates creating metrics and helps leaders and employees stay on track.
While it’s typical for a CISO to take the lead on cybersecurity initiatives, it’s imperative that non-cyber executives visibly engage with cybersecurity strategy. Protecting staff, clients, and business partners by prioritizing cybersecurity needs to be a core business value. Executives can lead by example, setting the tone for genuine, company-wide alignment with cybersecurity strategies and policies.
In meetings and communications with staff, leaders need to talk regularly about key cybersecurity issues. They affect everyone in the organization, and everyone in the organization can help improve information security.
Provide Robust Cybersecurity Training
Company-wide cybersecurity awareness programs are critical to ensure all stakeholders understand the latest cyber threats, the attack vectors that those threats can exploit, and the requirement for clear strategies regarding cybersecurity. They need tailored training to help them promote defensive strategies against vulnerabilities in their business sector.
Social engineering, such as phishing attacks, are among the most common attack vectors, relying on human error and negligence — often an employee not paying attention, getting tricked, failing to follow security protocols, or simply being unaware of the threat facing them. Broadly speaking, culture change is an effective way to strengthen these weaknesses in the long term.
In a practical sense, preventing employees from falling victim to phishing attempts can’t be achieved the way software developers patch software vulnerabilities. Plugging these gaps requires extensive training and awareness programs. Moreover, training needs to be ongoing because cyber threats become more complex every day.
Human resources (HR) or the IT department would be the most likely departments to organize cybersecurity training for staff and make sure new staff complete thorough training during onboarding. In collaboration with CISOs, HR could create a robust cybersecurity program that monitors people’s participation, understanding, and implementation of key themes.
A cybersecurity and awareness training program is best when it’s not one-size-fits-all. It is an excellent idea to offer learning beyond basic training to different groups according to their roles and exposure to attack vectors within the company.
Maintain Cybersecurity Campaigns
Employee engagement is crucial to any organization building a cybersecurity culture. This means making learning accessible, hands-on, and relevant. An organization can use initiatives like incentivizing cybersecurity participation with goals and rewards. It could also invest its marketing prowess in internal communications to encourage cybersecurity readiness and responsibility.
It can be helpful to make one person the lead when developing a company’s cybersecurity culture. This doesn’t have to be a cybersecurity professional but could be a non-technical executive. The role can be described as Head of Organizational Culture Change or Chief Information Security Awareness Officer, for example. The role would include creating or coordinating fun, interesting, and relevant campaigns that get people thinking about, discussing, and valuing cybersecurity in the workplace.
Campaigns should be tailored to the workplace. Various groups may require different campaigns to foster the most engagement, using language and references that resonate, are relatable, and are readily understood.
The cybersecurity message can be delivered via a corporate intranet, emails, videos, blogs, digital displays, and presentations. The individual responsible for culture change should maximize multiple methods to attract attention and instigate change.
Conduct Cybersecurity Drills
Just as firms have fire drills and practice first aid, data breach or other cyber attack drills (incident response plans) can help employees fill knowledge gaps and feel more confident about their ability to respond to cyber threats. Whether used to determine what training people require or to assess the success of learning that has taken place, drills are an essential part of a cybersecurity culture.
What happens on paper and in the real world are rarely the same, so drills help businesses understand how to respond to real-world cyber attacks. A firm with a developed cybersecurity culture will likely be more able to adapt to emerging cyber events because its more profound understanding of organizational security will help it prioritize tasks and make quick decisions regarding information security.
For example, a firm should simulate phishing attacks since these are the most prevalent. Through such simulations, organizations can evaluate the effectiveness of their cybersecurity policies, procedures, messages, and training.
Scenario-based surveys can also help staff engage more deeply with cybersecurity and help leaders assess the effectiveness of cybersecurity training and campaigns. While they do not simulate real behavior, written surveys can help organizations understand participants’ understanding and intentions through self-reporting.
Additionally, it could be helpful to include cybersecurity questions in unrelated surveys to generate more authentic responses. Prioritizing scenarios that are the highest risk factors for the organization is likely to deliver the most valuable results.
Drills and planned events to reinforce cybersecurity awareness and readiness can include password-cracking exercises to identify weak passwords, data loss and backup exercises, and distributed denial of service (DDoS) attacks.
Perform Regular Cybersecurity Evaluations
Any change needs to be reviewed to measure its effectiveness. Organizations must evaluate their cybersecurity activities regularly to assess their cybersecurity maturity. These evaluations must focus on cybersecurity culture change for the whole organization and individual staff members.
Individual evaluations can be formalized to impress the importance of cybersecurity on staff, with the results of tests and other cybersecurity actions or non-actions reported and reflected in performance reviews. This can help employees understand the organization’s minimum acceptable levels of cybersecurity understanding.
While rewards help incentivize people toward culture change — such as bonuses for helping colleagues understand cybersecurity better — balancing rewards with penalties for non-compliance or poor performance may also help drive change or ensure consistent levels of cybersecurity engagement.
Poor performance in this regard may include failing one or more phishing drills, for instance, and the penalties may include a recommendation to redo training or completing additional cyber courses.
To evaluate the performance of organizational culture change and individual staff members, the organization can draw on the following sources of information:
- Interviews, including individual employees, focus groups, C-suite executives, and HR
- Results of phishing simulations and other scenario-based exercises
- Role descriptions
- Awareness and training material
- Stakeholder analysis
- E-learning completion rates
- Page views of campaign messages
- Statistics and data from cybersecurity tools
- metrics defined in the first stage of creating a cybersecurity culture
Those responsible for cybersecurity culture change should also evaluate the culture change strategy and its objectives to ensure it remains in line with the cyber threat landscape. An annual report can provide stakeholders with goals to prioritize and areas to improve.
A mature cybersecurity culture will help a firm adapt to the changing cyber threat landscape. While the tools and techniques may change, a good attitude toward cyber risk will support practical, prompt decision-making.
Furthermore, best practices tend to remain best practices. For example, while multi-factor authentication provides more protection than passwords alone, creating and managing strong passwords further improves a business’s security posture.
Every member of an organization must embrace behaviors and beliefs that align with recommended cybersecurity practices. Each employee needs to help those around them and take the initiative to remediate or mitigate information security risks.
The clearer the strategy for cybersecurity culture development, the easier it should be to design the program and the more successful it should be. With effective cybersecurity risk management, executives can lead an organization through culture change to reduce its exposure to cyber risks.