What you need to know about
assessing your cybersecurity culture
Security culture. It’s not a new concept. The phrase has been thrown around for years and years.
But in that concept lies a few challenges. Like defining its shape, parameters, where it starts, and where it ends.
Then there’s the matter of how to measure a security culture.
And we haven’t even got to actually changing the culture yet!
But good news: In a few minutes, you’ll be on your way to untangling all of it.
Shall we start with some ingredients?
The top five elements of a strong cybersecurity culture,
according to the experts
Recently, I led a band of cybersecurity researchers, and we spent countless hours unpacking what makes a strong security culture.
First, we reviewed the last 10 years of research on all things security culture. Then, we identified what ingredients go into a five-star security culture. Next, we ranked those ingredients in terms of how many researchers considered them of importance or relevance. The more frequently they were referenced, the higher up our ranking they appear.
Here’s the top five:
Leadership: Without buy-in from the higher ups, your security culture will collapse in on itself. People need to know that senior leaders are committed to cybersecurity—and that they consider it a priority.
Policies: Well-made and enforced security policies are essential. They give people clear instructions and make actions consistent. And that reduces the chances of any kind of cyber disaster arriving unceremoniously at your door.
Awareness: People need to understand why security’s so important. They need to know how and why their actions impact the security of the organization.
Training: People need to know how to stay safe. They need to know how to recognize security risks, and how to do better.
Change management: In the cybercrime arms race between criminals and organizations, change is a constant. You’ll need to encourage people to come along on the journey, commit to continuous improvement, and manage the risk. Oh, and keep disruption to a minimum.
We know. Feels like a tall order, doesn’t it? But here’s the thing, you’re not setting this up from scratch. We’d bet our last cookie that you have some of it already.
The key is in shedding light on what’s good, and what needs your attention.
That’s why you need to assess your security culture. But, before you do anything else, we need to talk about definitions. Because this stuff is important.
How can we define security culture?
What’s the difference between culture and security culture? Is there a difference? Or is security culture simply part of organizational culture, and inseparable from it?
Good questions. Glad we asked ourselves that. Let’s look at some examples of where the line in the sand lies. Or rather, as you’ll see, where it doesn’t lie:
Shereen in Maintenance knows to question a suspicious email and to refer it to the security team for support. She also knows when a contractor turns up, they have to verify their identity and must appear in the maintenance calendar. Making sure something checks out is part of the wider culture in her organization.
Raoul in Accounts knows there’s no such thing as a stupid question, and that goes for questions he asks in his latest security module too. Judgment-free, open communication is part of his office culture.
Tim in Customer Care understands why it’s important to use positive language with customers—and they know why adopting multi-factor authentication is so important for cybersecurity. Tim’s organization has a strong communication culture which means people know why they do the things they’re asked to do.
But that doesn’t quite answer all the questions we’ve set for ourselves here. So here’s how we describe it in our whitepaper on measuring security culture:
“Security culture doesn’t exist in isolation. It’s part of a wider organizational culture. So it’s shaped by so many other parts of your organization, like the mission, strategies, practices and communications.
“Even your office floor plan can impact security culture!
“And things get worse when you account for the subcultures that can exist in your different offices, regions and countries.
“Culture changes often fail because they don’t consider the wider organizational culture and subcultures. A security culture is more likely to take hold if it aligns with the organizational culture, rather than working against it.
“But every organization is different, so there is no copy-paste solution.”
So, should we make a distinction at all?
It’s a valid question.
Few senior managers in the world would argue against the importance of creating a healthy organizational culture. But while the vital importance of cybersecurity culture is now increasingly understood, the challenge is now more around how to achieve and maintain a strong/robust security culture.
Perhaps people would more readily buy into cybersecurity if they understood it was just an organic part of the whole.
Academics point to techy language as a potential barrier. That’s because it can get in the way of people’s desire to engage with and understand cybersecurity. It makes cybersecurity “feel” more separate than it is.
But—and it’s a big but—improving security culture involves defining cybersecurity within an organization. Only then can we get on to the next step. . .
How can we measure cybersecurity culture?
We know the top five ingredients. But (please indulge us to run further with this baking analogy, we’re hungry) how do you know what comes out of the oven is any good?
Just as a good cake has a delicious taste, texture, and hopefully looks pretty too, you’ll be looking at more than one angle.
You might be looking at elements including:
Awareness
Knowledge
Behavior
Attitudes
Communication
Training
Reporting
And to size up those elements, we have a host of options, including:
Questionnaires
Tests
Interviews
Observation
Management tools
Training sessions
But there’s more to it than simply pairing a metric with a type of assessment. That’s why you need to keep in mind the nuances that make measuring security culture more challenging.
Sticking points in measuring security culture
You can’t go into measuring security culture all guns blazing and get it done in one afternoon.
Just like the timeline in Avengers: Endgame, it’s complicated. Here’s where it gets sticky:
Subjectivity vs. objectivity: Measuring cybersecurity culture can be subjective, because people can interpret things differently, and we all have biases. Data analysis and benchmarking can be more objective ways to get an insight into security culture.
Qualitative vs. quantitative: Getting a sense of people’s attitudes through a conversation or interview (qualitative data) can paint a picture of the culture. That said, quantitative data can help to give a meaningful overview of cybersecurity culture, as it has the advantage of being able to gather at scale. It would be (understandably) difficult to conduct qualitative research with every single employee—not to mention the fact that the data it generates is more difficult to summarize.
Compliance vs. behavior change: Naturally, no one’s trying to breach their industry security regulations or organizational policies. So, it follows that measuring compliance is on the wishlist. But given how important influencing security behaviors can be, there is a case for measuring behavior change.
These challenges need to be considered as part of upgrading your cybersecurity resilience.
What comes next?
We get it—establishing an effective security culture is a sizable challenge.
Nonetheless, it’s essential if you’re as serious as we are about keeping pace with cyber threats.
Defining and measuring a security culture means we’re on the path to improving it. And we can more effectively advocate for resources. Because you know as well as we do, cybersecurity risks being overlooked and under-resourced.
What’s more, a culture is about its people. And people are a factor in most cyber attacks.
That’s why our whitepaper on measuring culture accounts for human factors that play a vital role in cyber defenses. It’s an innovative, science-based exploration of people-centric security culture.
It’s absolutely going to help you meet that challenge of measuring a security culture. It’s unmissable reading for security professionals everywhere.
In the last few moments, let’s zoom out a little.
We know the science says people need to be at the center of a cybersecurity strategy.
The thing is, security culture is just one part of an effective strategy. But we’ve got something that covers it all. . .