As the pandemic rages on, several organizations are pivoting their business models to support a full-time remote workforce. For security teams, the transition has been equally jarring as they now attempt to secure a remote, confused and distracted workforce with potentially dangerous digital behavior.

Let’s face it, cybersecurity isn’t the responsibility of a single person, team or department -- it’s a shared responsibility of the entire organization, along with its extended network of technology partners, vendors and suppliers. Since humans are the biggest cybersecurity risk, the concept of a security culture is even more relevant and significant in today’s times.

Key Elements of a Security Culture

This year is being labelled ‘the year of security culture’ by the International Civil Aviation Organization (ICAO). It defines security culture as “a set of norms, beliefs, values attitudes and assumptions that are inherent in the daily operation of an organization and are reflected by the actions and behaviors of all entities and personnel within the organization.”

Recent research by KnowBe4 breaks down security culture into seven distinct dimensions:

1. Attitudes: The feelings and beliefs that employees exhibit towards security protocols and issues
2. Behaviors: The actions of employees that lead to direct or indirect impact on the security posture of the organization
3. Cognition: Employees’ awareness, knowledge and understanding of cybersecurity issues, risks and behaviors
4. Communication: The quality and frequency of communications discussing security-related topics, and the support extended for dealing with security issues and reporting security incidents
5. Compliance: The knowledge of official security policies and the extent to which employees follow them
6. Norms: Knowledge and adherence to unwritten rules of conduct in the business
7. Responsibility: The extent to which employees perceive their role as a critical factor in sustaining or endangering the security posture of the organization

3 Major Roadblocks to Building a Security Culture

The SANS Institute in their 2021 research highlighted three main roadblocks to building a security culture.

1. Time is the top challenge, not budget: Almost 75% of security awareness professionals spend less than half of their time on security awareness, indicating that awareness is usually not a full-time effort in most businesses. Organizations that attribute culture change through security awareness are making significant, long-term investments and have more than three full-time, dedicated resources focused on security awareness alone.
2. Awareness program leaders lack soft skills: Security awareness programs are often led by people with technical prowess but lack adequate communication and marketing skills which can effectively engage employees, influence a change in behavior and have a measurable impact on security culture.
3. Lack of strategic alignment: Security awareness professionals often lack leadership support or are aligned to teams that are not focused on security exclusively, such as HR, legal, accounting, etc. SANS recommends that security programs should be an extension of the security teams and must report directly to the CISO if possible.

3 Key Takeaways for Building a Mature Security Culture

Changing the security culture of an organization requires a long-term commitment and is not something that can be captured by a mere blog post. Having said that, below are some takeaways from the SANS Institute report that can help serve as good starting points to building a stronger security culture:

1. Security awareness isn’t only about technology: A cultural change requires much more than technology, it requires engagement, participation, communication; it requires winning hearts and minds. So if your security admin is also your security awareness leader, then it’s probably time to make some changes. Find a champion who has a passion for communication, is in a position to exert influence across the entire business and has a single goal towards making a change in security behavior. 
2. Lack of time shouldn’t be your excuse for poor security awareness: Think of it this way -- if you don’t have time to prepare your last line of defense, how will you find time to recover from a breach? According to IBM, it takes an average of 197 days to identify and 69 days to contain a security breach and the business impact can linger in the forms of financial and reputational damage for many years to come. Ideally, it’s better to spend time building a resilient workforce rather than spending time recovering and responding to breaches that will cost you significantly more.
3. Always highlight the business value of the program: Most business leaders consider security culture important to the success of their business. But, far too often, leaders see security awareness as a compliance effort. It’s therefore important that program leaders highlight behavior change as the main value of the program and not compliance. Focus on measuring metrics that demonstrate cultural change and present strategic metrics that leadership cares about. Results from sustained simulated social engineering tests can be a good place to start. Such tools help showcase performance metrics that business leaders will understand and appreciate.

Security culture is a critical, must-have asset in any organization’s cybersecurity toolbox. By observing employee trends, behavior and culture, organizations can evolve their security practices, policies and training to better meet the evolving threat landscape. Security awareness programs are a great first step and there’s enough evidence to suggest that a sustained security awareness program breeds a mature culture of cybersecurity.