
The importance of a strong security culture

Perry Carpenter at KnowBe4 explains why organisations need to understand that cyber-security is rooted in cultivating a robust positive and sustainable security culture

From what we see in the cyber-security industry, the most adept companies know and understand that enhancing or improving security isn’t a one-time task. It’s an ongoing journey which is deeply rooted in cultivating a robust positive and sustainable security culture.

Yet, both understanding and implementing a good security culture present their own distinct challenges.

Changing or shifting the security culture habits within an organisation can be daunting and difficult, particularly when it comes to embracing cyber-security best practices.

But the outcomes, should they be successful, are truly valuable, as they result in a workforce that is inherently motivated to protect the organisation’s data and security, as well as their own credentials and information.

With the right awareness, security culture can be nurtured, enabling users to develop sharper skills in detecting and thwarting cyber-attacks and social engineering threats to radically reduce the risk presented to the organisation.

How security culture is defined

Security culture and security awareness training are two concepts that often get muddled together, creating confusion. True, the two are related, but they are distinct approaches. Many equate security culture with being aware of threats and knowing how to respond, but there is much more to it than that.

Of course, awareness plays an important role in fostering a robust security culture, but it’s just one component. Being aware doesn’t automatically ensure genuine concern, or that action will be taken. ‘Knowledge without application’ is merely theoretical.

If you were to walk in the shoes of non-security professionals, you would need to understand their perspective on why they should prioritise security on top of all their other job responsibilities.

This is where security culture becomes vital: it drives the argument that security must move beyond mere awareness. I would define culture as the bedrock of an organisation, the foundation on which values, behaviours and collective knowledge are built.

As such, a strong security culture will entail shared responsibility that will foster a sense of community and care.

Where to start with security culture

Knowing where to start to create a security culture can be overwhelming, so don’t attempt to do everything at once, as that will create more problems down the line.

Remember, Rome wasn’t built in a day; therefore, start by identifying one or two security behaviours to modify, for example, creating strong passwords or passphrases and implementing MFA where possible. Pinpoint areas with the highest potential impact using the Risk = Likelihood x Impact formula. Do this for three to six months before moving on to other priorities.

From here, develop comprehensive measures to influence organisational behaviours. This is crucial to shaping the desired security culture; to achieve it, apply project management principles to facilitate the process.

Furthermore, to generate support, identify influential individuals within the company who share mutual goals for change to give added weight to this process. These can be security advocates, champions or torch-bearers who can help spread positive change.

Create a plan with defined goals and an understanding of the starting point. So that you have a baseline to work from, conduct a security culture survey to help establish and monitor progress. It is worthwhile to include advocates when executing the process because they can also assist when challenges arise.

Take the next step by gaining the endorsement of leadership. Yes, security champions across the workforce play a vital role, but leadership buy-in is essential to achieving the widespread change needed.

Give the executive team a brief overview of the desired outcomes and the rationale behind the proposed efforts. Encourage them to follow the behaviours set out and showcase them as examples, to illustrate to the wider company that everyone is following this security initiative, and communicate the benefits it will bring.

Clear and consistent communication is essential: without it, change cannot be enacted and a sustainable security culture cannot be cultivated. When providing examples, choose language that is relatable to each specific job role, so that all employees understand and the message resonates.

As the business progresses on the security culture journey, it’s important to measure progress. Document the outcomes of initiatives so that they can be shared with both the leadership team and the wider workforce. Be sure to highlight the successes as well as areas for improvement to maintain a balanced perspective.

Lastly, ensure the strategy adopted is adaptable to change as the business moves forward. Bear in mind, creating a resilient security culture is an ongoing journey. The goals, strategies and tactics set out need to be fluid and interchangeable based on feedback and evaluation of the programme.

With that said, always celebrate any achievements, as this will help build momentum.

The Security Culture Playbook can help

Building a security culture is like nurturing a garden, requiring ongoing care and attention. There are tried-and-tested methods that many will follow to get the best outcomes for their garden.

Security culture is no different, and there is a playbook that has proven this model by examining, and helping organisations assess, seven core dimensions: attitudes, behaviours, cognition, communication, compliance, norms and responsibilities.

Ultimately, these key security practices should empower employees as allies in security, establish clear frameworks for communication and accountability, and move beyond mere awareness to foster behaviour change.

The aim is to close the gaps in how organisations have traditionally approached human risk, and to provide business executives with the information and tools needed to understand, measure and improve the facets of security culture across the organisation.

Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4 and author of The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer