Security culture is much more than just IT policies and processes; it requires buy-in and participation from every user. Learn 6 ways to tell if you’re on the right path to building a security culture.
ISACA defines culture as “a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things.” There’s a ton of insight in this brief definition; it spells out what’s necessary within your organization.
So, let’s break down this definition, applying it specifically to a security culture, to better understand what it should look like and whether you have one in place. We’ve reordered ISACA’s definition to better align chronologically with signs that a security culture has developed.
- Belief – Organizations that succeed in creating a security culture have educated their users to the point where users understand and believe that their participation in security is necessary and paramount to the success of the organization. Without belief, there is no adoption. And without user adoption, the culture is dead.
- Attitude – It’s one thing to believe; it’s entirely another to act upon it. Somewhere in the middle is the employee’s attitude towards their participation in the security culture. Users should have a positive attitude, wanting to assist with doing their part to secure the organization, rather than seeing it as a distraction from their job and a nuisance.
- Assumption – You can tell a user is security-minded when they do the same things you do every day when opening emails, visiting web pages, etc.; there’s an assumption that scrutiny is necessary to be certain that what you’re interacting with is legitimate.
- Behavior – Users who have bought into the security culture begin to change the way they act: less impulsive clicking, more checking of domain names and email addresses, and more verification of who’s asking or offering.
- Ways of doing things – Users are less likely to work around IT and more likely to seek to ensure that data and access remain protected. They take purposeful steps, going out of their way, to uphold the culture’s principles and maintain the needed state of security.
- A pattern – This is critical: all of the above indicators are not a one-time or temporary thing; they are a continual way of doing business within your organization.
Establishing a security culture involves quite a bit of retraining user thinking – from why it’s important to how to do their job with security in mind. Security Awareness Training helps reinforce both security culture principles and best practices that can be applied daily. As part of a comprehensive security culture plan, Security Awareness Training can help retrain user thinking, making them a part of the culture.
We recommend reading the new book by KnowBe4's Chief Evangelist and Strategy Officer, Perry Carpenter: "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors". You can find it here: