Building a security culture

When it comes to cybersecurity, people, not technology, are a business’s biggest vulnerability.

While investments in cybersecurity technology are reaching new highs – set to exceed $200 billion a year by 2024, according to Bloomberg Intelligence – cyber-attacks and data breaches show no signs of slowing. The reason is simple: most organizations place their faith and hope in technology-based defences, virtually ignoring the human side of the equation.

Yet people, via social engineering or other human-based errors, are the primary attack vector and root cause of most cyber-attacks and breaches: as much as 82%, according to Verizon’s 2022 Data Breach Investigations Report. Attackers can exploit human behaviour and weaknesses, including judgment errors, biases, trust, carelessness and distractions, to bypass even the most sophisticated security controls and defence mechanisms. Hacking humans is a lot simpler than hacking systems – while hacking systems requires specialized technical skills, hacking people needs little more than common sense and a good understanding of human social issues.

Only culture holds the power to change company-wide behaviours, beliefs and customs – and that is why the concept of security culture is increasingly relevant today. Security culture can be defined as the ideas, customs and social behaviours of a group that influence its security. It encompasses aspects of knowledge (what employees know about cybersecurity), attitudes (how they perceive security), values (what they consider valuable from a cybersecurity perspective), beliefs (the feelings they have towards cybersecurity, shaped by their experiences) and behaviours (their actions when they encounter a threat). All are visible in the daily actions of employees.

A strong security culture is a business benefit

There are many ways in which security culture can benefit the business. Culture has the power to mitigate the financial, legal and reputational risks associated with cyber-attacks and breaches. Today, the average cyber incident costs organizations $4.2 million, according to IBM. By boosting security culture and improving cybersecurity awareness, it has been estimated that organizations can reduce the probability of a cyber incident by up to 70%.


Another important benefit of a strong security culture is that it naturally results in greater compliance with relevant laws and regulations: an important consideration when businesses that run afoul of regulations can attract heavy fines and penalties, criminal charges and civil lawsuits. A strong security culture can also influence consumer and employee trust. Research shows that when employees and consumers trust businesses, it has a direct impact on brand loyalty, revenue growth, employee retention and more. On the flip side, a negative trust-related event can erode an enterprise’s market cap by 20-56%.

Building a strong security culture

Culture isn’t built overnight. It’s a long-term process that requires sustained investments and consistent commitment. Here are some key considerations:

1 Assess the current state of your security culture

To improve your organization’s security culture, the first step is to learn where it stands today. To do this, the business must identify some culture maturity indicators (CMIs) that help paint a picture of the organization’s security culture. These can include things like results from security awareness training, such as frequency of training, average attendance, and other participation and engagement metrics; results from phishing simulations, such as average phish success/failure rates, and open/click/download rates; behavioural data, such as how employees act upon receipt of suspicious emails; employee survey data, including feedback on attitudes, beliefs and values regarding cybersecurity; and analysis of organizational activities, such as how frequently policies are communicated or how frequently employees are engaged with security contests, and so forth.

2 Implement a plan to achieve desired behaviours

Once you have identified the current state of security culture in your organization, the next step is developing a plan to address any gaps and achieve the desired security behaviours. Behaviour cannot be changed instantly, so it’s important to have an eye on the target, build metrics around it, monitor success or failure, and make course corrections as needed. Culture is always infectious, so ensure your strategy includes influencers who can help accelerate change.

3 Ensure leadership commitment

Senior management must lead by example and set the direction for security culture through their words, actions and attitudes – including awareness campaigns, contests and rewards. The idea is not to coerce secure behaviour, but to improve risk awareness in employees.

4 Educate and engage employees

Education is a key element in convincing employees of what needs to change in an organization, what behaviours are acceptable, what is not acceptable, what needs to be done and how to do it. Culture change requires patience and persistence. Offer continuous feedback to employees by sharing performance metrics, and reward and recognize those who actively contribute to culture change.

5 Continue to review and fine-tune

As metrics and culture indicators trickle in, fine-tune your approaches and strategy as needed. If you find something is not working, change it. If certain approaches are working wonders, invest further. Always create goals that are achievable; if you find that some goals are unacceptable to employees or are unachievable, revise your strategy.

Indicators of a strong security culture

A strong security culture can often be discerned in employees’ attitudes and actions. It can be seen when people feel safe about reporting a cyber incident, even when they are responsible for it; when people include security as part of the job description; when employees actively participate in helping coworkers become more secure; when there is recognition that security has a key role in the organization’s success; when people feel comfortable asking questions of the security team; and when security teams are asked to conduct briefings and get involved early on in new projects.

Historically, culture is probably the most overlooked variable in cybersecurity. Yet now, Gartner predicts that by 2025, 70% of chief executives will mandate a culture of organizational resilience to survive threats from cybercrime. Just as company culture is at the heart of every high-performance business, security culture will soon become the heart of every high-performing cybersecurity team.

Perry Carpenter is chief evangelist and security officer for KnowBe4 and co-author of The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer (Wiley).