Creating a Security Culture in Your Organization: Navigating the Challenges

By Perry Carpenter

In today’s cyber environment, there’s a good chance that your organization has already experienced data breach incidents or at least a few scares.

But staying ahead of the game is easier said than done. As Gartner and the European Union Agency for Cybersecurity both posit, human error is one of the top cybersecurity threats. Then you have a surge of cybercriminals, new user-friendly AI technologies, and lost morale post-pandemic to throw into the mix.

Considering those factors, your Chief Information Security Officer (CISO) typically passes a directive to get up to speed with cybersecurity training. Yes — every staff member. Cue the, “I don’t have time for that,” and, “that’s not my job.” But you do have some control over your employees’ attitudes toward training. The solution is to intentionally work toward a security-minded culture. The formula is ABC: awareness, behavior, and culture. Each of these influences and reinforces the others. But how do you face challenges and resistance? Here are a few tips to help you navigate the journey with ease.

Challenge #1: Your employees don’t have time.

Your staff might have long workdays and stressful work duties. The best way to address time constraints is to offer flexibility, which promotes a sense of employee autonomy.

• Be flexible: Let your staff complete training at times that are convenient for them. They’ll feel more empowered if they can do it during work hours.

• Engage stakeholders: Get buy-in from leaders in multiple departments to streamline your training delivery. You can’t risk misalignment here. If one executive, say, in the sales department openly discounts the value of cybersecurity, your employees are left with conflicting messages.

• Make training ongoing and infuse it into daily tasks: Practice makes perfect. You might break up training into bite-sized, 10-minute exercises throughout the week so that it’s more about consistency than considerable time commitments.

Challenge #2: “That’s IT’s job.”

Your employees might not see value in completing any “work” beyond their regular duties. Still, it’s your job to beef up your communication skills to help them understand why it’s everyone’s responsibility.

• Communicate personal value: Position cybersecurity as a safety issue. Make sure your staff knows “what’s in it for me” and how cybersecurity skills are life skills that are also helpful across all job roles, outside of work, and in home/family contexts. Employees will put in time and effort if they know it’s important to them.

• Stress that it’s non-negotiable: Send top-down communications to ensure employees know that training is a critical part of their job. Don’t assume your staff already knows or cares.

• Be clear and use analogies: Don’t use jargon and heavy technical terms to deliver training or communicate updates. Otherwise, your staff will misinterpret your directive or feel put off by a sense of corporate superiority. If necessary, enlist support from your marketing communications/PR team to help discover ways to communicate problem/solution scenarios with relatable examples. For example, you could introduce the importance of training and compare it to taking driving lessons before you can earn a permit.

Challenge #3: Moving from one-off training to observable behaviors and security culture.

How do you ensure your staff considers security beyond viewing it as a “just-get-it-over-with” point-in-time training obligation? Here’s what goes into moving that one-time consideration to a positive security culture.

• Incentives and rewards: Security training does require more time and energy — regardless of whether it’s your employees’ responsibility. Show them that you value their efforts with a rewards system that’s aligned with your organizational values. This might look like an early Friday, approved vendor gift cards, sports tickets, or professional development opportunities.

• Make it fun and participatory: Let’s face it, lectures, classrooms, newsletters, etc., can feel stuffy or repetitive after a while. Break the monotony by infusing education into the casual nature of lunchtime or taking it outdoors.

• Alternative communication: Keep the education format interesting for your staff. You might bring in a guest speaker to discuss special issues (or relate a cybercrime incident like a ransomware attack), or set up a messaging chat app where employees can share their thoughts in response.

The biggest challenge of all is the fatigue that can set in from the energy it takes to create a resilient security culture. You won’t achieve it overnight — you won’t even achieve it within a month. Studies show that new behaviors take about two months to form, which means you need to extend grace and patience to your staff throughout the process.

Cybersecurity training, behaviors, and culture require dedication from all levels of the organization. With the right buy-in and support, great things are not only possible—they are achievable.

Carpenter is co-author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” [2022, Wiley]. He is chief evangelist and security officer for KnowBe4, developer of security awareness training and simulated phishing platforms, with 60,000 customers and more than 45 million users.