3 steps for driving a strong cybersecurity culture
Companies need to be strong and intentional when shaping their cyber protection approach.
News that CNA Financial was the victim of a recent cyberattack once again proves that no company, even a large insurer, is immune to these dangers. The company was the target of a sophisticated attack that disrupted everything from its email systems to its network and website.
A positive security culture is a force multiplier for behaviors, beliefs and messages; it represents a critical social component that will either work for or against you. An important consideration here is that you already have a security culture whether you realize it or not. Just because you may not have been mindful in terms of establishing and nurturing a desired security culture doesn’t mean that one doesn’t exist.
Culture is organic
A security culture lives and breathes within every organization. The question is, how strong, intentional and sustainable is your security culture, and what do you need to do about it?
A security culture is the codification of the security-related beliefs, behaviors and values of an organization and each subgroup within it — such as divisions, departments, regions, age groups and the like.
Security culture isn’t “owned” by security leaders just as the customer service culture isn’t owned by your call center. Culture is owned by the entire organization — and should be defined and nurtured by senior leaders.
The group establishes a social norm strengthened by expectations, pressures and rewards. People within the group identify with the different artifacts that comprise the culture. A healthy security culture exists when an organization’s security-related beliefs, behaviors and values have been codified into social expectations.
Managing a security culture requires an approach that works with the realities of human nature and social dynamics. Efforts to shape culture should be adaptive and multilayered to proactively engage, influence, and manage the mindset and behaviors exhibited by the various population groups within an organization. This is done by weaving together elements of innovative training; the active use of psychological, behavioral and social triggers; and technology-based guardrails for when users step out of bounds.
When done effectively, your culture-shaping efforts become a force multiplier for the influence of your security team by helping to embed security values and behaviors throughout your organization. Here are three steps for driving a strong security culture.
Step 1: Assessing and understanding the culture as it currently exists
Don’t start to influence your security culture without thoroughly understanding what it currently is. There are several ways to gather information to help understand your current culture including:
- Cultural surveys: Computer-based surveys are relatively easy to develop, distribute and analyze, and they allow anonymous input. They don't let you gauge body language or tone, but the benefits usually outweigh that drawback.
- Focus groups: Focus groups do allow for more qualitative input and provide an opportunity to drill down deeper into feelings. To be most effective, focus groups should be led by non-biased facilitators.
- Direct observation: Behavior data you already have access to, such as security information and event management (SIEM), data loss prevention (DLP), endpoint protection platform (EPP), web proxy and employee monitoring records, provides quantitative data that can serve as a baseline for measuring improvement over time.
- Face-to-face interviews: Similar to focus groups, face-to-face interviews offer the opportunity to gather more detailed, qualitative information than surveys do. The effectiveness here relies on having a non-biased third-party interviewer conduct these interviews.
In most cases, using more than one of these sources will help build a richer understanding of the existing culture. This can then provide a starting point from which to identify opportunities for improvement. In gathering this information, make sure to build in opportunities to collect and segment the data based on sociographic/demographic data points to help identify cultural attributes based on factors such as age, gender, location, department and length of employment. This also provides an opportunity to identify areas where more attention may be needed.
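As an added illustration of the "direct observation" source above (this is example code written for this page, not something from the article or its author), the script below turns an export of guardrail events into a per-department baseline and then compares a later period against it. The pipe-delimited export format, the source labels (dlp, proxy, edr), the event names, the employee names and the headcounts are all constructed for the example; a real SIEM or DLP export will have its own schema, and the point is the normalization per 100 employees and the segmentation by department that the text recommends.

```python
"""Baseline security behavior from existing telemetry, segmented by department.

Added example for this page, not code from the article. The export format,
source names, event names and headcounts below are constructed/hypothetical.
"""
from collections import defaultdict
from datetime import date

# Constructed sample export: timestamp|source|user|department|event
SAMPLE_EXPORT = """\
2021-01-05|dlp|alice|finance|policy_violation
2021-01-06|proxy|bob|finance|blocked_category
2021-01-09|dlp|carol|engineering|policy_violation
2021-01-12|edr|dave|engineering|usb_block
2021-01-15|proxy|erin|sales|blocked_category
2021-01-20|proxy|frank|sales|blocked_category
2021-01-22|dlp|alice|finance|policy_violation
2021-04-03|dlp|carol|engineering|policy_violation
2021-04-07|proxy|erin|sales|blocked_category
2021-04-11|dlp|bob|finance|policy_violation
2021-04-19|proxy|frank|sales|blocked_category
2021-04-25|proxy|grace|sales|blocked_category
"""

# Constructed headcounts, used to normalize raw counts so that a large
# department is not penalized simply for having more people.
HEADCOUNT = {"finance": 20, "engineering": 40, "sales": 25}


def parse_export(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, source, user, dept, event = line.split("|")
        events.append({
            "date": date.fromisoformat(ts),
            "source": source,
            "user": user,
            "dept": dept,
            "event": event,
        })
    return events


def events_per_100(events, headcount, start, end):
    """Guardrail hits per 100 employees, per department, within [start, end]."""
    counts = defaultdict(int)
    for e in events:
        if start <= e["date"] <= end:
            counts[e["dept"]] += 1
    return {dept: round(counts[dept] * 100 / n, 1) for dept, n in headcount.items()}


def compare_periods(baseline, follow_up):
    """Percent change per department; negative means fewer guardrail hits.

    A department with a zero baseline gets None rather than a division error.
    """
    changes = {}
    for dept, base in baseline.items():
        later = follow_up.get(dept, 0.0)
        changes[dept] = None if base == 0 else round((later - base) / base * 100, 1)
    return changes


def flag_regressions(changes):
    """Departments whose hit rate went up, i.e. where more attention is needed."""
    return sorted(d for d, c in changes.items() if c is not None and c > 0)


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    base = events_per_100(evts, HEADCOUNT, date(2021, 1, 1), date(2021, 1, 31))
    later = events_per_100(evts, HEADCOUNT, date(2021, 4, 1), date(2021, 4, 30))
    delta = compare_periods(base, later)
    print("baseline (per 100):", base)
    print("follow-up (per 100):", later)
    print("change (%):", delta)
    print("needs attention:", flag_regressions(delta))
```

Because the rates are normalized per 100 employees, the comparison between periods is a fair one across departments of different sizes, which is the kind of segmented baseline the text describes. The same approach extends to any other demographic field you can attach to the events (location, tenure band), as long as the field is present in the export.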
Step 2: Establish a system of culture carriers
While senior leaders play a significant role, culture shifts won’t occur organization-wide at all levels without a system of “culture carriers” — individuals who are part of the organization and can help spread and support desired messages faster and further than you could without their influence. In social media parlance, it helps messages go viral.
Force multipliers are the other people, groups and social structures in an organization beyond the leadership team. They are a critical distribution network and the key to promoting the culture’s overall sustainability. Your security team, even with the assistance of the leadership team, cannot control culture; rather, they can play a part in influencing it, helping to set the tone, and providing resources and support.
Where do they come from? You should cast a wide net when seeking culture carriers, using a variety of means to identify them — and to allow them to self-identify. For instance:
- Offer opportunities for people to “apply”
- Ask managers to “nominate”
- Ask other employees to “nominate”
- Use surveys to help identify “influencers”
Ideally, these should be people who are already respected and influential within their departments and peer groups — they carry social influence. They're individuals whose social currency and position your security and leadership team can draw on.
In addition to helping to spread security culture messages organization-wide, culture carriers can also play an important role in serving as a conduit to bring the security and organizational leadership team stories, ideas, concerns and issues that may be surfacing across the organization that these leaders might otherwise have had little visibility into.
Step 3: Design structures, pressures, rewards and rituals
To help ensure that the desired security culture will resonate, it’s important to build in structure, pressures, rewards and rituals.
- Structures are the people positioned to influence employees. Just as parents want to ensure that their kids don't associate with bad influences, security and company leaders want to make sure they have the right people in place to serve as positive role models for others.
- Pressures refer to behavioral norms — the expectations and sanctions, or responses, that exist within an organization and that occur in response to various behaviors.
- Rewards are the positive responses employees experience when they exhibit a desired behavior.
- Rituals are the shared, common and ongoing behaviors associated with times or events — they engage people around the things that matter most to an organization and instill a sense of shared purpose and experience.
The power of culture lies in the fact that humans are social creatures. People are shaped by others around them. Their thoughts, attitudes, beliefs and behaviors are molded by their peer group. By first identifying the current state of your security culture; then finding culture carriers to help shape attitudes and behaviors; and finally designing structures, pressures, rewards and rituals, you can ultimately move toward the goal of instilling a strong security culture that is owned by the entire organization.
Perry Carpenter is the author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” (Wiley, 2019). He is the chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform.