From Boardroom to Break Room: Top Tips on building a Cybersecurity Culture

J. Wolfgang Goerlich explains why taking a human, personable approach is key to creating a strong cybersecurity culture.
Feb 16, 2023

With cyberattacks, malware threats, and scams running rampant in the digital world, organizations everywhere are trying to drive home this message: we need a strong security culture in the workplace.  

What Is a Security Culture, Really? 

When you get down to it, security culture is a series of measurable, observable behaviors: shared opinions and actions created through consensus of the participants. Business leaders, including CISOs, want to develop and foster an employee culture in which everyone wants to take better action to reinforce a more secure IT infrastructure.

So how are they doing so far? Well, the results have been mixed at best. 

On many levels, people can exert an inordinate amount of influence on the success or failure of any security program. The challenge is in gaining the consensus of any group of users so that everyone moves in a positive, secure direction and the power a group can provide is harnessed. There's a lot of messaging that floats around saying "we all need to care about security" and "security should be everybody's job". Yet in the end, this doesn't translate into a clear plan of action or buy-in from the broader employee base.

A Failure to Communicate 

Ultimately this problem is caused by a communication issue from the top down—from CISOs and security engineers to the employees trying to do their day-to-day jobs. 

The disconnect also exists because the roles and expectations between security engineers and other employees are just so different. 

Remember, a security culture is about creating a series of measurable behaviors and a shared mindset designed to address or stop cyber risks. So what are those risks?

Well, there are several risks, but for a security engineer, one of the easiest to measure and identify is phishing. 

So with that, for many security engineers, building a security culture basically means "help prevent phishing attacks." And with that in mind, the key questions they think about are: 

  • How do I perform a phish test?  
  • How do I teach people about phishing? 
  • How do I convince them not to click on suspicious content? 

Of course, these questions don't get to the core of what it means to foster a strong security culture in the workplace. In most cases, the end result is a quarterly phishing test or survey. Maybe toss in some educational posters to put up in the office. Worse, successfully reducing phishing during simulations can give a false sense of security.  

Whether it's phishing, password management, or Multi-Factor Authentication (MFA), it's no surprise that secure practices come far more easily to security managers and CISOs. We think it should be easy because it's easy for us. It's difficult to step out of our own mindset and think about how employees see these security topics in the workplace. Plus, many companies and organizations don't do a great job of reaching people and letting them know why building a culture around cybersecurity is important to them and the business.

After repetitive training and generic email notifications, employees begin to ask themselves, "Why should cybersecurity be my job? I already have a job."  

Whenever we pursue any security information, we're often taking employees away from their job. That is what happens when you place a burden on someone instead of gaining their buy-in.

Make It Personal 

That's why the best approach to keep people engaged and build a security culture is to personalize their experience. Cybersecurity training is often not personalized and doesn't feel relevant. An essential step in the right direction is changing how we teach.

“So much of how we train people is based on the science of education, and the science of education is based on teaching kids,” said Goerlich. “Adults learn in much different ways.”

That's why whenever an organization tries to create cybersecurity training and modules in simple terms, many employees on the receiving end feel the training is childish or that we are talking down to them. 

The future of cybersecurity is people-driven. That's why it's so important that our approach to a secure culture and education meets people at a personal level. They need to be able to see their own story embedded within our culture. We make it relevant for them and remove the childishness from the education. 

Tell a Human Story 

“The human OS is one of story. The fundamental way that we train is by story,” says Goerlich. 

“For example, I once worked with a CISO in manufacturing, and his entire training program was teaching people on how to protect their family and their bank accounts from threats. One of the things the CISO said happened, and I've never heard anything like that happen since, was there was demand from their business to hold a session for husbands and wives of the employees. Why? Because 80% was incredibly pertinent, personal, and relevant to their lives,” Goerlich says. 

Empower People 

Building an advocacy program where security advocates keep tabs on the success of employees in various security trainings and retell their stories is a great way to embolden a strong security culture. It personalizes the experience, empowers people with the knowledge they gained, and shares the value of the training for the business as a whole.

Another important aspect is accountability. A big part of creating a security culture ties back to human behavior. If there's a vulnerability within an infrastructure that can be linked to human behavior, it's up to CISOs, security managers, and leadership up top to either correct the behavior or improve the tools that people have to work with.  

Most importantly, building a culture works two ways. Just as leadership should work toward engaging employees, empowering them, and personalizing the experience to strengthen security practices. “Build an advocacy program where our champions advocate on behalf of the employees to the security team,” Goerlich suggests. “We as leaders must also be ready to listen.”