Security Culture has to be Intentional and Sustainable

Let’s get straight to the point: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, you have to weave security-based thinking and values into the fabric of your organization’s primary culture if you want to meet (and achieve!) your security awareness goals.

Wondering how to do it? I’ve identified four secrets to success when it comes to building a strong, intentional and sustainable security culture:

1. Know where you’re coming from and where you are going
The old saying, “Failing to plan is planning to fail,” holds true here. The key to implementing secret number one is to leverage a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go (you can read my thoughts on the NIST Cybersecurity Framework, for example).

Particularly in large global organizations, it’s important to conduct a series of interviews or quick surveys to understand how different divisions and leaders view security, how well they understand policy and best practices, and what they truly hold important. The outcomes will reveal whether your key executives are in alignment and whether there are political or logistical hurdles that you need to work through as you build your plan.

Once you have these insights, you can begin to create your goals for the year. I’ve written here about the SMARTER goal setting framework proposed by several productivity gurus, and I think it works well in this instance. There are a few different versions of the SMARTER framework – one I recommend is the Michael Hyatt version. (SMARTER = Specific, Measurable, Actionable, Risky, Time-keyed, Exciting, Relevant.)

2. Use your organizational culture to view security awareness
While organizational culture and security culture are not one and the same, it’s important that they be closely knit.

We sometimes get mixed up on what organizational culture really is. It’s the sum of subconscious human behaviors that people repeat based on prior successes and collectively held beliefs. It’s not the sum of roles, processes and measurements. Similarly, security culture is not (just) related to "awareness" and "training"; it, too, is the sum of subconscious human behaviors that people repeat based on prior experiences and collectively held beliefs.

While culture is shared, learned and adaptive, it can be influenced. It takes a group working collectively, and it begins with the leaders.

Your existing culture has to be the driver to impact change and behavior around your security culture. For instance, if your organization has a marketing organization that helps with internal communications, then you have to understand how they leverage the communication methods, formats, and branding.

You have to do this so that *your* communications speak in the established voice/tone of the company; this way you aren’t seen as unconnected and (worst of all) irrelevant. You also need to get an idea of where there are divisional, departmental, and regional nuances. Work within the specific cultural frameworks of each of these segments. Also, to make things easier and more efficient, know what your organization’s existing communication channels are so you can plug in to them (e.g. existing meetings, executive videos, etc.).

3. Shape good security hygiene by leveraging behavior management principles
I like to say, “Just because you’re aware, doesn’t mean that you care!” What do I mean by that? Simply that security awareness and security behavior are not the same thing. Your security awareness program shouldn’t focus only on information delivery. There are plenty of things that people are aware of but may just not care about – we need to make people care.

Because of this, if your security awareness program is focused on reducing the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. We need to create engaging experiences for users to drive specific behaviors. BJ Fogg’s work on behavior models and habit creation gives great examples of this principle.

Simulated phishing platforms are a good example to consider for your security culture program. These distill some of the fundamentals of behavior management into an easy-to-deploy platform that lets you send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and you will see dramatic behavior change.

4. Think realistically about the short-term and optimistically about the long term
Be a realistic optimist within your organization who knows your place and your scope of influence, while remembering that culture starts at the top. Understand the foundation of your culture and then create a customized roadmap for security culture management. To do so, you must evaluate four areas:

  • "How we engage" focuses on how people collaborate internally and with external stakeholders to deliver on their goals.
  • "How we make decisions" outlines the general leadership style and how this affects the outcomes of the organizational culture.
  • "How we work" defines the working style of teams, how solutions are created and problems are solved, which affects organizational outcomes.
  • "How we measure" describes organizational performance metrics and how they affect organizational achievements.

By understanding these four attributes of organizational culture, security leaders and corporate leaders can make informed choices when trying to change cultures and improve an organization’s overall defense.

Once you have all of the planning out of the way, have created SMARTER goals, understand the nuances of your organization, and are focusing on creating real, sustainable change, you’re ready to get started and stay the course. Tenacity is important because many aspects of your program will be spaced throughout the year, requiring you to be consistent with your efforts. Remember that the beginning is just that – the beginning. As you move forward, keep in mind that to be successful you have to train people how to be trained. Good luck and reach out with questions you have!
