An organization’s culture requires care and feeding.
It does not grow organically in any particular direction. A sustainable culture is bigger than a single event. When a culture is sustainable, it transforms from a one-time event into a lifecycle that generates consistent, measurable returns. Jack Canfield stated, “The way you do anything is the way you do everything.” If security is not a fluid piece of your culture, then most likely there are gaps in other areas that prevent your business or organization from operating as efficiently as possible. Security awareness should be woven into the fiber of your culture, and here is how.
1. Instill that Security Belongs to Everyone
Many organizations have the opinion that the security department is responsible for security. A sustainable security culture requires that everyone in the organization is all in. Everyone must feel like a security person. This is security culture for everyone. Security belongs to everyone, from the executive staff to the lobby ambassadors. Everyone owns a piece of the company’s security solution and security culture. An “all in” mentality can be achieved by incorporating security into your vision and mission at the highest levels. People look to these statements to understand what should be focused on. Update your vision or organizational objective to clearly articulate that security is non-negotiable. Speak about the importance of security from the highest levels. This means not just the people who have security in their title, but also the other C-level executives, all the way down to individual managers.
2. Focus on Awareness and Beyond
Security awareness is the process of teaching your entire team the basic lessons about security. Establish a person’s ability to recognize threats before asking them to understand those threats in depth. Security awareness has gotten a bad rap because of the mechanisms used to deliver it. Posters and in-person reviews can be boring, but they do not have to be. Add some creativity to your awareness efforts. On top of general awareness there is a need for application security knowledge.
Awareness is an ongoing activity, so never pass up a good crisis. Bad things are going to happen to your organization, and many times they will be tied directly to a security problem. Grow your security culture with these teachable moments. Do not try to sweep them under the rug; instead, use them as an example of how the team can get better. Accountability before awareness is crazy. People want to do the right thing, so show them through an awareness program and then hold them accountable for the decisions they make after gaining the knowledge.
3. Reward and Recognize Those Who Do the Right Thing for Security
Look for opportunities to celebrate success. As an example, when someone goes through the mandatory security awareness program and completes it successfully, give them something more substantial for the accomplishment. A simple cash reward of $100 is a huge motivator for people, and it will cause them to remember the security lesson that provided the money. They will also be quick to tell five co-workers that they received cash for learning, and those five will jump into the training quickly. If you are shuddering at the idea of giving away $100 per employee, stop being so cheap and count the cost. The return on investment from preventing just a single data breach greatly outweighs the $100 spent. The other side of reward is security advancement. Provide opportunities for team members to grow into a dedicated security role through advancement. Make security a career choice within your organization. Put your money where your mouth is. If you say security is important, prove it by providing growth potential for those with a passion for security. A final step is to provide an opportunity to earn an advanced degree in security. Many universities now offer a master’s degree in cybersecurity. If you can’t find one nearby, create your own.
4. Build a Security Community
Security community is the backbone of a sustainable security culture. Community provides the connections between people across the organization. A security community helps bring everyone together against the common problem and eliminates an “us versus them” mentality.
Security community is achieved by understanding the different security interest levels within the organization: advocates, the security aware, and sponsors. Security advocates are those people with a down-home passion for making things secure. These are the leaders within your community. The security aware are not as passionate but realize they need to contribute to making security better. The sponsors are those from management who help to shape the security direction. Gather all of these folks together into a special interest group focused on security. A security community can manifest as one-on-one mentoring and weekly or monthly meetings to discuss the latest security issues. It can even become a yearly conference, where the best and brightest from the organization have a chance to share their knowledge and skills on a big stage.
5. Make Security Engaging
Last, but certainly not least, is making the content interesting. For far too long people have associated security with boring training or someone saying no all the time. To cement a sustainable security culture, build fun and engagement into every part of the process. If you have specific security training, ensure that it is not a boring voice over a PowerPoint presentation. If you engage your community through events, do not be afraid to laugh and goof around some. In my previous role, at each monthly security community event, we started the meeting off with a game of security trivia with a different security category each month. We did hackers in the movies one month and security news in another. This is just one example of how to bring fun and engagement into the process.