Companies understand that organizational culture is an important differentiator to set their company apart from the competition. However, joining the dots between culture and information security management has taken some companies a little longer to do.
A strong culture creates and supports the mission, vision and values of an organization. Get the culture right and it can be one of the most effective mechanisms a company has to influence employee behavior.
Previously, information security management has mostly disregarded the human dimension, focusing on technical and procedural measures. In 2018, however, we saw the beginnings of a much-needed paradigm shift within information security management, from a technical approach to a socio-cultural one. These are some of the highlights of 2018:
- An increase in policy makers like ENISA proposing security culture frameworks, and regulators like the EU demanding a new level of compliance with GDPR;
- More research into the importance of security culture on risk management and its effectiveness;
- Greater availability of information on how to measure and demonstrate cultural change in organizations;
- More discussion and higher focus on the relevance and meaningfulness of different metrics;
- Improved reporting tools available from security awareness training vendors and other providers;
- Training content based on employees’ skills and knowledge.
2018 marked a significant and positive shift in attention towards not only recognizing the importance of security culture but also the importance of relevant and meaningful metrics in security awareness and security culture programs. I believe the two are intrinsically linked.
A number of leading security awareness and change management providers are recognizing the need to be able to provide clear and compelling metrics for practitioners to use to justify their budgetary requirements. With better metrics, CISOs are more readily able to document how effective their security culture program is: not only at improving employee satisfaction and engagement, but also at decreasing security risks to the organization.
This year saw the first report to publish year-on-year security culture benchmark data, showing how security culture has changed over time. The 2018 Security Culture Report from CLTRe revealed that the organizations with the most tailored programs were the most successful at improving security culture. Poorly tailored programs can actually be detrimental.
This is not something that can be left to chance: aligning the entire workforce with the organization’s cybersecurity policies requires significant work and, of course, budgetary allocation.
According to a cybersecurity culture study published by ISACA earlier this year, widespread employee involvement correlates strongly with the minority of organizations that have achieved strong satisfaction with their cybersecurity culture. Nine in ten employees at these organizations say that their C-level executives share an excellent understanding of the underlying issues, which may be why they loop in their employees so well; 84% of employees at these organizations say they understand their role in cybersecurity.
The study also revealed that the organizations which have closed the gap between their current and their desired cybersecurity culture are spending more than twice as much of their annual cybersecurity budget on training and tools than organizations which have yet to realize their goals.
As demand for reliable metrics to demonstrate the effectiveness of security awareness increases, we see the quality of engaging, entertaining and educational content rising. Moreover, and more importantly, we also see new security awareness companies proposing efficient ways of delivering their content tailored to employees' needs based on their current skills and knowledge.
Next year, I hope to see the adoption of independent security culture metrics used in parallel with training program metrics to provide organizations with independent and reliable measurements.