Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Building a culture of cybersecurity: 3 key takeaways from the 2021 SANS report

By Perry Carpenter
security awareness freepik
July 8, 2021

As the pandemic rages on, several organizations are pivoting their business models to support a full-time remote workforce. For security teams, the transition has been equally jarring as they now attempt to secure a remote, confused and distracted workforce with potentially dangerous digital behavior.

Let’s face it, cybersecurity isn’t the responsibility of a single person, team or department -- it’s a shared responsibility of the entire organization, along with its extended network of technology partners, vendors and suppliers. Since humans are the biggest cybersecurity risk, the concept of a security culture is even more relevant and significant in today’s times.

 

Key Elements of a Security Culture

This year is being labelled ‘the year of security culture’ by the International Civil Aviation Organization (ICAO). It defines security culture as “a set of norms, beliefs, values attitudes and assumptions that are inherent in the daily operation of an organization and are reflected by the actions and behaviors of all entities and personnel within the organization.”

Recent research by KnowBe4 breaks down security culture into seven distinct dimensions:

  1. Attitudes: The feelings and beliefs that employees exhibit towards security protocols and issues
  2. Behaviors: The actions of employees that lead to direct or indirect impact on the security posture of the organization
  3. Cognition: Employees’ awareness, knowledge and understanding of cybersecurity issues, risks and behaviors
  4. Communication: The quality and frequency of communications discussing security-related topics, and the support extended for dealing with security issues and reporting security incidents
  5. Compliance: The knowledge of official security policies and the extent to which employees follow them
  6. Norms: Knowledge and adherence to unwritten rules of conduct in the business
  7. Responsibility: The extent to which employees perceive their role as a critical factor in sustaining or endangering the security posture of the organization

 

3 Major Roadblocks to Building a Security Culture

The SANS Institute in their 2021 research highlighted three main roadblocks to building a security culture.

  1. Time is the top challenge, not budget: Almost 75% of security awareness professionals spend less than half of their time on security awareness, indicating that awareness is usually not a full-time effort in most businesses. Organizations that attribute culture change through security awareness are making significant, long-term investments and have more than three full-time, dedicated resources focused on security awareness alone.
  2. Awareness program leaders lack soft skills: Security awareness programs are often led by people with technical prowess but lack adequate communication and marketing skills which can effectively engage employees, influence a change in behavior and have a measurable impact on security culture.
  3. Lack of strategic alignment: Security awareness professionals often lack leadership support or are aligned to teams that are not focused on security exclusively, such as HR, legal, accounting, etc. SANS recommends that security programs should be an extension of the security teams and must report directly to the CISO if possible.

 

3 Key Takeaways for Building a Mature Security Culture

Changing the security culture of an organization requires a long-term commitment and is not something that can be captured by a mere blog post. Having said that, below are some takeaways from the SANS Institute report that can help serve as good starting points to building a stronger security culture:

  1. Security awareness isn’t only about technology: A cultural change requires much more than technology, it requires engagement, participation, communication; it requires winning hearts and minds. So if your security admin is also your security awareness leader, then it’s probably time to make some changes. Find a champion who has a passion for communication, is in a position to exert influence across the entire business and has a single goal towards making a change in security behavior. 
  2. Lack of time shouldn’t be your excuse for poor security awareness: Think of it this way -- if you don’t have time to prepare your last line of defense, how will you find time to recover from a breach? According to IBM, it takes an average of 197 days to identify and 69 days to contain a security breach and the business impact can linger in the forms of financial and reputational damage for many years to come. Ideally, it’s better to spend time building a resilient workforce rather than spending time recovering and responding to breaches that will cost you significantly more.
  3. Always highlight the business value of the program: Most business leaders consider security culture important to the success of their business. But, far too often, leaders see security awareness as a compliance effort. It’s therefore important that program leaders highlight behavior change as the main value of the program and not compliance. Focus on measuring metrics that demonstrate cultural change and present strategic metrics that leadership cares about. Results from sustained simulated social engineering tests can be a good place to start. Such tools help showcase performance metrics that business leaders will understand and appreciate.

Security culture is a critical, must-have asset in any organization’s cybersecurity toolbox. By observing employee trends, behavior and culture, organizations can evolve their security practices, policies and training to better meet the evolving threat landscape. Security awareness programs are a great first step and there’s enough evidence to suggest that a sustained security awareness program breeds a mature culture of cybersecurity.

KEYWORDS: cyber security risk management SANS Institute security awareness security culture

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Perry carpenter

Perry Carpenter is author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). Working with noted hacker Kevin Mitnick, he is Chief Evangelist/ Strategy Officer for KnowBe4, developer of security awareness training and simulated phishing platforms with over 30,000 customers and 2 million users. He holds a MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Logical Security
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
close

1 COMPLIMENTARY ARTICLE(S) LEFT

Loader

Already Registered? Sign in now.

Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • risk management freepik

    3 steps to promote a human-centric security awareness culture

    See More
  • people-business-freepik170x658v4.jpg

    3 reasons why cybersecurity must be people-centric

    See More
  • cybersecurity-freepik1170x658.jpg

    Tips to overcome the limitations of MFA

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • Whitepaper-Social-Media-3.gif

    Optimizing Social Media from a B2B Perspective

  • 9780367221942.jpg

    From Visual Surveillance to Internet of Things: Technology and Applications

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!