Cybersecurity Culture is a hot topic amongst many organisations and security professionals. But what are organisations doing to build a strong security culture?
To help shed some light on the topic, we asked attendees at Infosecurity Europe 2022 for their views.
Where are efforts focussed?
Participants were asked where they were focusing efforts to build security culture, with most directing efforts into security awareness training (84.5%) and communicating values and expectations from employees regarding security (84.5%).
Over a quarter (27.2%) do not put much effort into measuring employees’ understanding of security, which raises the question: are most organisations still caught up in the compliance mindset of delivering training without being interested in measuring whether employees fully understood the implications of their actions?
On the other hand, a slightly more optimistic view could be taken: as long as an employee exhibits the correct security behaviour, does it even matter whether they understand the underlying reason?
Take the example of recycling. If people are separating their waste properly, then does it really matter if they fully understand the impact their actions are having on saving the planet? However, given that the majority of organisations are focusing on security awareness training rather than on secure behaviours, this appears to be an overly optimistic view to hold.
Areas of Improvement
We asked participants which areas of security culture they would like to see improved in their organisation, and the largest proportion (44.1%) stated security awareness training – which is insightful, since this is also one of the core areas where their efforts were being focused in the first place.
Interestingly, the second most popular area for improvement was measuring employees’ understanding of security, at 38%. This could be an area where some security awareness training initiatives are letting organisations and their employees down.
However, this aligns naturally with the first finding, as one would want some way of measuring how effective a security awareness and training programme is. Without being able to measure the effectiveness or impact on behaviour, organisations may as well be shouting into a void.
Communicating values and expectations to employees regarding security scored the lowest at 19.6%. This either means that organisations felt that the values and expectations were already being communicated effectively or, perhaps on a worrying note, it was not seen as a priority. If organisations neglect communicating the expectations around security, then everything else can become an uphill battle. So, it is worth ensuring employees are on board with the purpose of building a strong security culture.
Take Me to Your Leader
When asked who was responsible for leading security culture within the organisation, just under half (43.6%) stated that the security team or CISO leads security culture. Just over a quarter (27.9%) said the IT department.
While security teams or the CISO may take the lead for creating the security culture in most organisations, it is not without its challenges.
Over a quarter (28.5%) blame a lack of budget as the main obstacle to having good security culture. Indifference from employees (24%) is the second highest issue respondents face.
While budget will remain a challenge for many security departments on an ongoing basis, indifference from employees is an area that can be addressed without large budgets. Much of this goes back to the earlier question around communicating values and expectations to employees regarding security. If security departments take the time to build good relations with their colleagues and spread the understanding of security and why it is important, then much of the indifference can be overcome.
When it comes to building a strong security culture, we wanted to understand what influenced organisations to improve their security culture.
Threat of cyberwarfare (30.2%) and experiencing a data breach or cyberattack (30.2%) are the biggest influences for wanting to improve security culture. Concern about cyberwarfare has undoubtedly been heightened in recent months by the ongoing war in Ukraine and the associated cyber attacks that have taken place.
Witnessing other organisations in the same industry suffer a cyber attack was also a major driver (29.1%).
While getting a push to improve security culture from external events or sources is always positive, all the goodwill in the world will not change the culture unless it is delivered through effective communication channels.
Having security awareness advocates is rated the most effective way of communicating security awareness messages (27.9%), with gamification ranking second (24.6%).
These results are not surprising: as the adage goes, people buy from people they trust, which is why security advocates are considered so effective and an essential part of any organisation’s strategy to improve its security culture.
Gamification tends to be popular because of the level of engagement it brings. Furthermore, it reinforces the message that information needs to be delivered in an engaging and consistent manner to ensure the lessons are taken on board.
A Slap on the Wrist
One of the biggest questions that arises whenever an employee engages in risky behaviour is what should be done in response to it. Do they need a gentle nudge in private, or should they be publicly shamed for their poor judgement?
If witnessing poor security practices, two thirds (67.6%) of respondents would inform their colleagues discreetly. Just under a third (30.7%) would send them training materials.
Only 7.3% would support making an example of them. This is encouraging – after all, anyone can make a mistake, and being overly harsh with someone over a mistake can foster resentment.
An interesting observation is that only 17.9% would consider reporting someone to the security team. This could be because people feel that telling someone discreetly is sufficient. Or it could be that they do not believe the security team will take notice, or, perhaps worse, that it would not be as gentle with the colleague who made the mistake.
It is something that is worth considering and security teams should constantly evaluate the relationship they have with the rest of the organisation.
Is a Strong Culture Worth it?
It appears as if many organisations are keen to build a strong security culture. But is this a case of keeping up with the Joneses, or is there real benefit to be achieved through building a strong culture?
The vast majority (92.9%) said that it is very or somewhat likely that having a strong security culture can reduce the risk of security incidents.
Ultimately, reducing the risk of security incidents is the objective of cybersecurity, whether that be through technical controls, procedures, or educating colleagues.
While the focus for many years has been on the technology side of security, we cannot neglect the human factor. By working on building a strong security culture, organisations can ensure they are doing the best they can to minimise the risk of security incidents to their organisation.
Of the 179 participants, 41.3% were from large enterprises and 64% stated they were in a security or IT position, including CISOs and Heads of Security.