Security culture is the key to protecting your business from phishing and social engineering attacks. Without it, implementing successful training and having prepared employees is nearly impossible.
We talked about this all-star strategy in our latest Cyber Security Awareness Forum, with some very special guests. Meet our panel:
Kai Roer (KR)- Kai is the Co-Author of The Security Culture Playbook, CRO of KnowBe4, and Founder of Praxis Security Labs.
Tyler Sweaney (TS) – Tyler is a Cybersecurity Specialist Account Manager at Global CTI, a Managed Service Provider that’s focused on servicing its customers in California.
Ryan Healey-Ogden (RH)– Ryan is Click Armor’s Director of Business Development. He is also the Chief Communications Officer at the Cybersecurity Global Alliance.
And I’m Scott Wright (SW), CEO of Click Armor, the Gamified Security Awareness Platform and Security Awareness Services Company. Let’s get into learning about security culture and how you can cultivate it.
KR: Back when I created the Security Culture Framework, that was one of the first questions we needed to tackle. And we looked to social science and specifically sociology, where culture is defined as the ideas and the customs and the social behaviors of a group.
Then what we did was just to take that definition of culture and add security. So, the “security culture” is the ideas, the customs, and social behavior of a group of people. And that means either the whole organization or part of the organization that influences the group’s security.
When I started out in the early 2000s, I was one of the very few people using the term “security culture”.
But, when we did a survey in 2020 to see if people knew what it was, 98% said yes. Which is awesome, because it means people have been listening and the industry has started to change.
So, more people are starting to use the term, but not a lot of people understand it. If you look at the definition here, you see nothing about security and nothing about technology. And most people in our industry care mostly about technology.
But it’s about the people, which means shifting your focus and perspective. Unless you take the time to understand what your colleagues, the rest of the organization is actually doing, you will not be able to help them become more secure.
RH: The three biggest indicators to me are how often the business is being hit by breaches, how much funding they give towards security, and if employees talk about security and know what’s happening.
TS: The biggest one for me is how many people are reporting incidents, and how often. It’s a really good proxy for security culture being on people’s minds. If you see that your staff is regularly reporting spam and phishing, then you have an ingrained security culture. If people aren’t thinking about it, they’re not reporting it.
Looking at who is reporting incidents also tells you which teams are engaged and allows you to target your efforts to try and get that security culture.
SW: When you’re in meetings and you hear an executive or leader say we need to do a certain thing from a security point of view, and you see other people in the room virtually roll their eyes, that’s when you can see a discontinuity or incongruence between what the people think and what the executives or leaders think. When that becomes visible, you need to do something.
KR: For many years I answered this kind of question with a common question: What do people talk about in your organization? Do people talk about security at the coffee machine or in the coffee room?
If they do, that’s much better than if they don’t. If they don’t, then they don’t feel that it’s part of their life. But if they do talk about security, there is a follow-up question: What do they say, or how do they talk about security? This is culture. This is people’s perceptions, which turn into customs and ideas, which then drive social behavior.
RH: Using questionnaires and interviews. We interview and talk to as many people in an organization as possible to fully understand their functions, their day to day, their beliefs, and how they think of security and build a baseline from there.
TS: I agree. And the surveys and assessments should be continual. There are also some pros and cons to anonymizing them; people tend to be a little more comfortable being honest when it’s anonymous.
Then you can look at your top level metrics like spending and compare it to what people are saying. If you’re spending millions, and people still don’t care, then something is wrong.
KR: There are specialists who know how to measure culture and behavior. There are whole scientific areas. It’s called social science. You have psychologists, famous for experimentation. You have social anthropologists, who love observation. Sociologists, who will go into your office and ask questions or do semiotic analysis.
So, don’t get stuck with only IT. Try to broaden your horizon. Try to look out for other areas. Security culture is the melting pot of the amazing technology, legal frameworks and the people side of things.
RH: There are again three things I would recommend here. Training and awareness is obviously number one. Then cross-collaboration between multiple departments, so all kinds of stakeholders are involved in these discussions. Then lastly, normalizing security talk like any other topic, so people aren’t intimidated or afraid they are going to make a bad decision.
KR: I believe that the ultimate goal when it comes to security culture for any organization should be to build resilience. Resilience means that your organization survives whatever hits it, which means that your people need to be able to trust that when they report something, they don’t get fired.
I am a believer in education that is targeted to the audience. So, figuring out what their job is, and then you can help them figure out what part of security they need to know about and then train them on that. They probably don’t need everything and especially not every single time.
Then lastly, you need the management on board. If the management is not there, it basically means they are actively sabotaging your job. So if they are not on board, that’s where you need to start. But don’t burn your energy anywhere else.
TS: I agree. There has to be that comfort to report a phishing email or to talk to IT staff or security and not feel like they’re going to be judged. You have to have that be normalized from the top down. If leadership isn’t representing that and people don’t feel that internally, then they’re not comfortable.
KR: The question is how to make the overall work from home culture thrive. One thing I’ve seen companies do is to make sure that every single remote team gets to meet physically a couple times a year.
Now, imagine your CFO seeing that: “Oh my God, every single team meeting a couple of times a year? Imagine the expense!” Well, you can counter that with the lack of offices. You can counter that with the cultural glue that you build, the cohesion that those teams get. A cohesive team is 18% more productive than a non-cohesive team.
RH: One thing that a company is currently doing is having a virtual coffee room. So, if you’re in the middle of the workday, you can pop into that room to see who’s in there, just like you would in a normal office. It’s just a breakout room on Zoom, but you can catch up with colleagues, you can talk about the weather or sports, and it just gives that cohesiveness without having to worry about work.
This panel of guests offered great insight into security culture, how to measure it, and how to achieve it. I hope this inspires you to take a better look into how your employees talk about security and how this can affect your cyber protection.
Learn more about how to measure and achieve better security culture in the full recording of CSAF #17.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was the creator of the Honey Stick Project for Smartphones, a demonstration of measuring human vulnerabilities.