A primary challenge with security culture is that very few people within an enterprise would even consider taking ownership of it. IT points at security; security points at HR; HR points at the executive team…and round and round it goes. Security culture is not a one-off, event-based activity; it is not a single training course; and it is not the responsibility of any one individual or department. Fostering a strong security culture is an important and effective strategy for reducing risk: it turns your employees into a last line of defense, a human firewall around your organization.
So, how do we get everyone’s buy-in?
Glad you asked.
Security culture is the overall sentiment toward security in an organization: the psychological and social factors that drive individual and group behavior. When employees are continuously fed a healthy stream of security training, messaging and simulated attacks, they become better at recognizing a real attack when one arrives. Over time they build a security "muscle": recognizing and reporting a suspicious message becomes instinctive, and that instinct is a strong protective layer.
Employees need the opportunity to settle into a curriculum of ongoing learning that connects what interests them with practical knowledge. Couple that with the understanding that they benefit as much personally as the organization does professionally, and you have given people a reason to care. It is one thing to say the learning will benefit the organization; it is another to know it will protect their family, friends and loved ones. Getting employees to a place where they care is an essential part of the culture equation, because how employees perceive their role is a critical factor in either sustaining or endangering the security of the organization. Security hygiene learned at home carries into work, and the two converge into a single focus…protection for all.
By knowing and continuously practicing secure behaviors, employees become unconsciously competent and responsible. Both the knowledge and the practice come from well-constructed and well-implemented security awareness programs. The key to a good program is variety of content. Individuals have different learning styles, so the program should offer different versions and styles of each piece of content to meet those needs and hold the participant's attention. Multiple styles of a single piece of content also allow refresher material to feel new rather than repetitive. Additionally, the content should be delivered through multiple mediums. The idea is to bring the learning to the learner rather than forcing the learner to fit their availability into a preconstructed online box.
Variety in simulated attack templates is also paramount. Using a range of styles and levels of difficulty is important for understanding exactly where you need to focus. If your audience does well with simple templates, shift the focus to more challenging ones. If your audience can spot a fake attachment or link, turn the focus to another lure they are less certain about, such as a credential-harvesting login page or a request to reply with sensitive data. The measure of success is not only a falling click rate but a rising report rate, because reporting is the behavior that gives the security team an early warning. The bottom line is to keep at it. Security culture is built on a foundation of knowledge…and the consumption of knowledge never ends.
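The adaptive approach above, tracking results by difficulty tier and by lure element and moving the focus to whatever the audience has not yet mastered, can be implemented as a small analysis over simulated-phishing campaign results. The following is an added example, not code from the original post or from any particular awareness-training product; the campaign records, the three difficulty tiers, the lure categories and the 10% click-rate threshold are all constructed assumptions for illustration.

```python
"""Adaptive phishing-simulation analysis (added example, not from the original post).

Assumed input: one record per simulated-phishing campaign, carrying the template
name, a difficulty tier (1 = obvious, 3 = hard), the lure element the template
relies on, and how many recipients were sent, clicked, and reported it.
All numbers below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample results: six campaigns, 400 recipients each.
CAMPAIGNS = [
    {"template": "Generic parcel notice",      "difficulty": 1, "lure": "link",            "sent": 400, "clicked": 12,  "reported": 260},
    {"template": "Fake invoice PDF",           "difficulty": 1, "lure": "attachment",      "sent": 400, "clicked": 9,   "reported": 270},
    {"template": "Payroll portal login",       "difficulty": 2, "lure": "credential_form", "sent": 400, "clicked": 58,  "reported": 110},
    {"template": "IT password expiry",         "difficulty": 2, "lure": "link",            "sent": 400, "clicked": 31,  "reported": 150},
    {"template": "CEO gift-card request",      "difficulty": 3, "lure": "reply_request",   "sent": 400, "clicked": 92,  "reported": 60},
    {"template": "Internal-looking shared doc","difficulty": 3, "lure": "credential_form", "sent": 400, "clicked": 104, "reported": 48},
]


def rates_by(campaigns, key):
    """Aggregate click and report rates over all campaigns sharing the same `key` value.

    Returns {value: {"click_rate": float, "report_rate": float}}.
    """
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for c in campaigns:
        t = totals[c[key]]
        t["sent"] += c["sent"]
        t["clicked"] += c["clicked"]
        t["reported"] += c["reported"]
    return {
        k: {
            "click_rate": v["clicked"] / v["sent"],
            "report_rate": v["reported"] / v["sent"],
        }
        for k, v in totals.items()
    }


def recommend_focus(campaigns, click_threshold=0.10):
    """Decide where the next round of training and simulations should focus.

    A difficulty tier whose aggregate click rate is at or below `click_threshold`
    (an assumed, illustrative cut-off) counts as handled; the lowest tier still
    above it is the next target. Among lure elements, the one with the highest
    click rate is the weakest and the one with the lowest is the strongest.
    """
    by_difficulty = rates_by(campaigns, "difficulty")
    by_lure = rates_by(campaigns, "lure")

    handled = sorted(d for d, r in by_difficulty.items() if r["click_rate"] <= click_threshold)
    pending = sorted(d for d, r in by_difficulty.items() if r["click_rate"] > click_threshold)

    weakest_lure = max(by_lure, key=lambda lure: by_lure[lure]["click_rate"])
    strongest_lure = min(by_lure, key=lambda lure: by_lure[lure]["click_rate"])

    return {
        "difficulty_handled": handled,
        "next_difficulty": pending[0] if pending else None,  # None: every tier is below threshold
        "weakest_lure": weakest_lure,
        "strongest_lure": strongest_lure,
        "report_rate_by_difficulty": {d: r["report_rate"] for d, r in by_difficulty.items()},
    }


if __name__ == "__main__":
    for tier, r in sorted(rates_by(CAMPAIGNS, "difficulty").items()):
        print(f"difficulty {tier}: click {r['click_rate']:.1%}, report {r['report_rate']:.1%}")
    for lure, r in sorted(rates_by(CAMPAIGNS, "lure").items()):
        print(f"lure {lure:16s}: click {r['click_rate']:.1%}, report {r['report_rate']:.1%}")
    print(recommend_focus(CAMPAIGNS))
```

On the constructed data, tier 1 is handled (click rate well under 10%), tier 2 is the next target, and the reply-with-data lure is the weakest element, so the next campaign and the accompanying training would concentrate there. Note that the report rate falls as difficulty rises; tracking it alongside the click rate keeps the program honest about whether people are actually reporting what they do not click.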