Building a Strong, Intentional and Sustainable Security Culture
Here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will “win out” over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture. But how do you achieve this to ultimately build a strong, intentional and sustainable security culture? There are four secrets to success.
1.Take stock of where you are and where you are going
Without a plan and a path, you are sure to get lost! The key to implementing secret #1 is to leverage a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.
With this background knowledge, you can begin to create your goals for the year. I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework – one I recommend is the Michael Hyatt version– a bit more on the topic can also be found here. (SMARTER = Specific, Measurable, Actionable, Risky, Time-keyed, Exciting, Relevant.)
2. View security awareness through the lens of organizational culture
Organizational culture and security culture are not one in the same. However, they need to be closely knit.
Organizational culture is not the sum of roles, processes and measurements; it is the sum of subconscious human behaviors that people repeat based on prior successes and collectively held beliefs. Similarly, security culture is not (just) related to “awareness” and “training”; it, too, is the sum of subconscious human behaviors that people repeat based on prior experiences and collectively held beliefs.
Culture is shared, learned and adaptive, but it can be influenced. It takes a group working collectivity and it begins with the leaders.
To impact change and behavior, you must be aware of, and work from within, the existing culture. Does your organization have a marketing organization that helps with internal communications? If so, understand how they leverage the communication methods, formats, and branding. It’s so important that *your* communications speak with the established voice/tone of the company so that you aren’t seen as un-connected and (worst of all) irrelevant. You also need to get an idea of where there divisional, departmental, and regional nuances. Work within the specific cultural frameworks within each of these segments. And, always be on the lookout for existing communication channels that you can plug-into (e.g. existing meetings, executive videos, etc.) so that you message is interwoven with the other company-centric messages.
3. Leverage behavior management principles to help shape good security hygiene
Let’s start by recognizing that just because you’re aware, doesn’t mean that you care!
Security awareness and security behavior are not the same thing. Your security awareness program shouldn’t focus only on information delivery. There are plenty of things that people are aware of but may just not care about – we need to make people care.
Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices.
An example of this would be simulated phishing platforms. These distill some of the fundamentals of behavior management into an easy to deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim for the simulated attack. Do this frequently, and you will see dramatic behavior change.
4. Be realistic about what is achievable in the short-term and optimistic about the long-term payoff
Be a realistic optimist within your organization. What can you impact today? Know your place and your scope of influence and remember that culture starts at the top.
Understand the foundation of your culture and then create a customized roadmap for security culture management. To do so, you must evaluate four areas:
- “How we make decisions” outlines the general leadership style and how this affects the outcomes of the organizational culture.
- “How we engage” focuses on how people collaborate internally and with external stakeholders to deliver on their goals.
- “How we measure” describes organizational performance metrics, and how they affect organizational achievements.
- “How we work” defines the working style of teams, how solutions are created, and problems are solved, which affects organizational outcomes.
By understanding these four attributes of organizational culture, security leaders and corporate leaders can make informed choices when trying to change cultures and improve an organization’s overall defense.
Here is where the rubber meets the road. You’ve got all of the planning out of the way, created SMARTER goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, and so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization; and that sometimes means training people how to be trained.
About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.