3 Steps for Creating a Strong Security Culture in the Workplace

November 24, 2022

Three steps to a stronger security culture.

Culture is at the heart of why so many security breaches occur. Cybercriminals opt for the easy way in – via phishing and social engineering. Perry Carpenter, noted book author and security officer for KnowBe4, explains the entwinement between organizational culture and cybersecurity and ways to improve both.
CIOs are prioritizing investments in cyber and information security above everything else. But the interesting part is that despite the surging investments in cybersecurity and the increasing maturity of security technologies, data breaches are still a daily occurrence. Cybercriminals are opting for an easier way in — compromising people instead of compromising systems. A lot of research supports this argument: for example, 75% of security professionals in a 2022 survey said phishing and social engineering are the top threats facing organizations, while another report stated that 95% of cybersecurity issues can be traced back to human-related causes.  
Whether one accepts it or not, culture is an inescapable part of everyday life — it’s that sharing of experiences and information that happens when we work together. There’s also a responsibility attached to culture. Just because employees are aware, does not mean they care. It’s like that speed limit sign we choose to ignore even though we notice it.
Security plays a part in every organization’s culture. But whether they are mindful about it and make intentional efforts to establish and nurture a desired culture is something they must ask themselves. If your organization is looking to build a strong culture of cybersecurity, here are three important steps to consider:
If you don’t know where you are, then it’s difficult to know where you’re going. It is not advisable to influence your security culture without a thorough understanding of what it currently is (and what the social dynamics are). There are a number of things you can do to understand the current state of the security culture in your organization. These include:
Culture is owned by the entire organization but should ideally be endorsed, defined, and nurtured by the leadership team. While leaders play a significant role in influencing culture, program managers should never underestimate the value that “culture carriers” — passionate advocates who endorse and spread desired messages – can bring to the table. In social media parlance, these people are a force multiplier and can help your messages go viral. 
Finding such culture carriers isn’t very hard. Use your experience to identify them or allow them to self-identify. For example, offer opportunities for people to apply to the program, ask managers and leaders to recommend or nominate individuals, ask employees and colleagues to nominate, or alternatively use surveys to identify “influencers” in the business. Look for people who are already in key positions, are respected by colleagues, or are part of a certain “circle of influence.” In addition to spreading security messages, culture carriers also play an important role in reading the pulse of the organization and bringing forth stories, ideas, concerns, or issues that may surface but are invisible to the leadership team.
To ensure that the desired culture resonates and is celebrated by employees, it’s important that organizations build engagement, rewards and rituals that help positively influence employee behavior. Internal factors such as anxiety and defensiveness can creep up in cultural change programs, so it’s important that organizations create a safe haven where failing is okay. Moreover, it’s always a good idea to have an engagement strategy as well as a well-thought-out communication strategy. For example, activities such as creating workshops where employees can share and interact, celebrating security awareness months, and rewarding and recognizing responsible behavior help increase engagement and actively contribute to culture change.
The remote working era has brought about a positive shift in the security attitudes of employees. If organizations make a concerted effort to acknowledge the state of their security culture, build culture carriers that help improve attitudes and behaviors in employees and develop engagement programs keeping human nature and social factors in mind, they will ultimately instill a strong security culture that can possibly be even more powerful than some of the best-in-class technological defenses out there. 

Chief Evangelist and Security Officer, KnowBe4