6 Criteria For Building A Security Culture

In business, it goes ‘People, Process, Technology.’ However, in cyber security it has to go in that order and perhaps most important is the People aspect of the saying. That’s because people are oftentimes the first and last line of defense within any organization … then come the processes and tools needed to help them do their jobs better.

Fortunately and unfortunately, because of the human nature and emotion of people – they will also always remain a target for hackers. But — neuroscientists, storytellers and marketers can teach us something about driving secure behaviors within an enterprise.

See Related: “Strengthen Enterprise Security By Understanding Human Emotion”

In a recent book titled, “Transformational Security Awareness,” author Perry Carpenter explains how to empower security leaders with the information and resources they need to assemble and deliver effective, world-class security awareness programs that drive secure behaviors and culture change. The first step in doing so, however, is to start by determining whether or not your organization has a successful cyber security culture in place. Here are 6 ways to tell if you are on the right path:   

1. Belief: Organizations successful in creating a security culture have educated their users to the point users understand and believe that their participation in security is necessary and paramount to the success of the organization. Without belief, there is no adoption. And without user adoption, the culture is dead.
   
   
2. Attitude: It’s one thing to believe; it’s entirely another to act upon it. Somewhere in the middle is the employee’s attitude towards their participation in the security culture. Users should have a positive attitude, wanting to assist with doing their part to secure the organization, rather than seeing it as a distraction from their job and a nuisance.
   
   
3. Assumption: You can tell the user is security-minded when they do the same that you do every day when opening emails, visiting web pages, etc.; there’s an assumption of scrutiny necessary to be certain what you’re interacting with is legitimate.
   
   
4. Behavior: Users who have bought into the security culture begin to change the way they act; less impulsive clicking, more checking domain names and email addresses, and more verification of who’s asking or offering.
   
   
5. Ways of doing things: Users are less likely to work around IT and seek to ensure data and access remain protected. Purposeful steps are taken, going out of their way, to uphold culture principles, and maintain the needed state of security.
   
   
6. A Pattern: this is critical. All of the above indicators are not a one-time or temporary thing; they are a continual way of doing business within your organization.

By establishing a true benchmark of your security culture, enterprises can then determine whether or not they need security awareness training or a culture rethink. On a recent web seminar, Carpenter provided examples of mental manipulation in every day life, in order to ethically educate users in the cyber security community.

Carpenter said, “Security awareness and secure behavior are not the same thing.” In other words, just because users are aware, doesn’t mean that actually care. And so creating a secure culture is so critical.

To learn more about the three realities of security awareness, hear real-world examples including a BEC hack, W2 fraud, an invoice phish and more — listen to the full on-demand session.