CISO guide: How to create a security awareness culture

A strong security program needs to be focused on people, processes, and technology. This is often referred to as the ‘golden triangle’.

Many CISOs consider the ‘People’ aspect to be the most challenging part of that framework. By far.

Getting buy-in from stakeholders. Getting employees to believe in your plans. Communicating cyber threats clearly and effectively. And most of all, building a culture where security is always top-of-mind instead of an afterthought.

This CISO right here knows just how important, yet complex that can be 👇

For this article, we’ll discuss how CISOs can build a security awareness culture within their organization.

But first, let’s determine what a security awareness culture actually entails.

What is a security awareness culture (and why is it important)?

A company’s culture is based on the beliefs and behaviors of the organization. When a company has a strong security awareness culture, employees are aware of relevant cyber threats, which activities they should report, and who to contact in such situations. When your organization has a solid security awareness culture, it is not seen as an afterthought, but as a priority.

In this day and age, focusing on a strong security awareness culture is key. 95% of all hacks and data breaches are caused by human error:

• Clicking on phishing links
• Not updating software
• Using weak passwords
• Working remotely without a VPN

And the list goes on.

That’s why it’s detrimental to lose ourselves in technology and processes if we haven’t paid the right amount of attention to our people yet.

In an organization where there isn’t a strong security awareness culture, security is always “somebody else’s responsibility”. But what’s needed is a shared sense of ownership throughout the entire organization. Because you’re only as strong as your weakest link.

Speaking about company culture, Dustin Moskovitz, co-founder and CEO of Asana, highlights the importance of persistence and starting early. “If you defer this work because it feels hard and distracting now, you’re just setting yourselves up for a much harder (and eventually perhaps impossible) problem to solve later. Culture reinforces itself and becomes more rigid over time, so it’s important to nudge it in the right direction as early as possible.”

Building a security awareness culture in five steps

Now that we’ve established the importance of a strong security awareness culture, let’s discuss the steps you need to take to build one for your organization.

1. Get leadership support

The first step you should take is to start at the top. Building a culture all starts with support from your leadership. If the leadership is not invested in security awareness, all your other work is futile. All company cultures are cultivated top-down at the start. Because if the CEO doesn’t consider it to be one of his priorities, why should anybody else in the company feel that way?

Just as with any other business unit, it is your job as a CISO to communicate how secure your organization currently is and which initiatives you have planned to improve this. The more regularly you report on this, the better your message will stick over time.

It helps to regularly show a dashboard that the entire leadership team can get familiar with. This could, for instance, be last month’s results of your security awareness training program. from that, you could answer the following questions:

• Which cyber threats was the team trained on?
• Which topics require more attention?
• Which departments perform best or worst?
• What do the scores say about our overall security level?

Once you’ve gotten buy-in from the leadership team, it’s time to focus on your departmental ‘champions’. These could be team leads or heads of a particular department. These are the people who will provide you with much-needed feedback when you’re rolling out security initiatives.

As a CISO in a larger organization, you’ll most likely deal with many different stakeholders at the same time who all require a different approach. It can be easy to lose track of who you need to communicate with and who needs the most attention. You can use a stakeholder management template to keep all your ducks in a row.

2. Come up with a brand statement

Now that you have leadership buy-in, include them in the process of setting up a brand statement. This should answer all the important questions surrounding your security policies, such as how employees can contact you or how you act in the face of a cyber threat.

According to CISO Jadee Hanson, the best way to then enforce this brand statement is not by communicating it. Hanson encourages CISO’s to simply celebrate the behavior you’re looking for. This creates a snowball effect within your organization of people who may try to get the same recognition. More on ways to celebrate your team later on in this article.

3. Set up regular employee training

You can’t have a strong security awareness culture without training your employees on current cyber threats and what it is you’re trying to protect. Your employees must understand how much your organization is at risk and what is at stake.

In many organizations, security awareness training is offered only once or twice per year to comply to regulations such as GDPR. That’s not the type of training we’re talking about here.

To build true awareness, repetition is key. Research shows that 90% of all learnings from a one-time course are forgotten after two weeks. When you offer regular bite-sized training, employees build up knowledge over time and real behavior change occurs. It’s simply impossible to build a security awareness culture when employees have to actively think about it once or twice a year.

When finding the right training solution, make sure it’s not just focused on phishing. Phishing is the biggest cyber threat, but it’s not the only one. You need a training program that focuses on all relevant themes, including:

• Phishing
• Smishing
• Safe remote work
• CEO fraud
• Updating software
• Ransomware

There’s no need to give this training in-person, of course. Many security specialists struggle with teaching basic security awareness training. Not because of a lack of knowledge, but because teaching is an underrated skill that not everybody possesses. Explaining complex concepts in layman’s terms is an art form.

With a solution like Guardey, your team gets a 3-minute online challenge every week to train security awareness. This security awareness game is put together with the help of security professionals and educationalists.

4. Communication, communicate, communicate

Once you have buy-in and training in place, it’s time to communicate, communicate and communicate a little more. Any CEO that is known for building a strong company culture is known for repeating core values over and over again.

As a CISO, you need to regularly grab attention and communicate your security priorities and repeat the shared responsibility the entire team carries.

Aside from communicating security policies and important updates that are often a little dry (but necessary), use a positive angle. A good way to do this is to actively recognize, reward and openly celebrate security-conscious behaviour.

Share a message in the company Slack channel about how Peter reported a cyber threat that saved the company a lot of trouble. Or share the results from your security awareness training solution and celebrate the top performers during a keynote. The options are endless.

Transparency is key here. Make sure you and your team are approachable and there are channels set up for the rest of the organization to also reach out to you.

5. Measure, assess and improve

To measure is to know. In order for you to know if your security awareness initiatives are paying off, you’ll need to establish some key performance indicators (KPIs).

If you use a security awareness training solution like Guardey, you can simply take a look at your dashboard and see how well your team is performing. On a weekly basis, you’ll get new insights that teach you about which topics your team is scoring well on and which topics need more attention. It also shows you how well the team is participating. A high participation rate is key and an important indicator that the team values training.

But an underrated way of measuring the effects of your security awareness efforts is by looking at the not-so-obvious signals:

• Is there growth in reports of cyber threats?
• Are colleagues calling each other out on unwanted behavior?
• Are you getting more questions about security overall?

These are all clear signs of a heightened sense of responsibility. The moment where people within your organization become proactive, is when you can really speak of a security awareness culture.

If you’re a CISO, you may not always catch all of these signals, especially within larger organizations. That’s why a regular survey to collect feedback can be helpful.

Once you’ve gathered all these insights, it’s important to actually use it and improve the processes you have in place.

Your people could be your strongest firewall

‘Culture’ is a fluffy word that gets thrown around easily. It’s almost just as easy to write down a couple of core values and call it a day.

But fostering a security awareness culture is hard work. Your organization, including your leadership team, may see you as an obstacle. They may view security as ‘not their problem’. And flipping that switch is difficult. But when you do, the results will be worth it.