Chief information security officers everywhere work to instill a culture of security awareness in order to improve their organization’s security posture. Being able to define and measure the impact of their initiatives is vital to determining the success of that cultural change.
But standard metrics don’t always tell the full story. You can produce charts showing how many employees clicked a simulated phishing email, but how do you measure what is harder to quantify, such as how your employees perceive and care about your company’s security?
With the right determination and plan, subjective metrics like cultural change become easier to both measure and improve.
Here are four steps to do just that and drive true culture change around cybersecurity:
Before you can start improving the behavior of your employees, you need a clear understanding of what your team is and isn’t doing well surrounding your security posture. How can you establish this baseline?
This upfront research will identify your organization's cybersecurity strengths while also highlighting areas that need improvement. Your findings should guide goal setting for short- and long-term improvement strategies.
Once you have a clear picture of your current security baseline, you can develop a specific, timely action plan for creating a more cybersecurity-conscious culture.
For example, suppose your baseline research has shown that accounts protected only by a password are easily compromised, so you’ve set a goal to roll out multifactor authentication (MFA). It's unlikely that you can flip a switch and turn on a new process overnight. First, you must work out the logistics of how you will introduce the new security policy. That might mean:
Successful change management can look different at every organization, but consider these practices as you get started:
When introducing a new initiative, how you communicate with each department to get them on board for security improvement is crucial. Empower department leaders to craft the “what’s in it for me?” message for their teams. Make sure to ask for feedback from department leaders on the wins accomplished through these changes; this communication is just as important as the change itself.
Read more about getting company-wide buy-in for your cybersecurity initiative here.
Be very clear on the exact behavior(s) that need to change. Think back to the multifactor authentication example: if you want a department to be using MFA by the end of the month, a short document or video is critical. It should explain the current authentication practice, the new expectation, and the steps team members must take to enroll a second factor on their account and verify their identity going forward. This type of “how-to” content, paired with the department leader’s strong message of why it matters to their team, can go a long way.
Part of the reason it's so hard to make lasting behavioral changes that improve security is the traditional “dumb employee” trope surrounding cybersecurity efforts. Historically, employees have been made to feel powerless and stupid for not recognizing cyber threats, and they have been driven to change their actions through fear tactics. This heightened stress may work in the short term, but it rarely encourages employees to make sustainable changes. Instead, it can lead to resentment toward, and disinterest in, your security program at large.
Instead of guilting employees for everything they're doing wrong, empower them by recognizing the things they are doing right and the progress they are making. When developing your security program, include rewards and recognition for employees to drive positive results and behaviors. Even security programs with a modest budget can use inexpensive yet effective incentives such as public recognition or small rewards. You can also turn your cybersecurity awareness training into interactive, experiential games to boost engagement and foster higher retention of the material.
Learn more about defining and enforcing specific behavioral changes in The 4-Step Guide to Cybersecurity Human Risk Management.
Just as important as receiving company buy-in for your program is being able to show the results of everyone’s hard work. It’s vital to be able to track the organization’s progress—not only to demonstrate improvement but to make data-driven decisions regarding any potential changes or additions to the program.
It's crucial that you establish a scorecard or dashboard to track your program’s impact. Successful cybersecurity awareness training requires clear, trackable metrics for measurable reporting. Pair outcome metrics such as phishing click rate with behavior metrics such as how many employees report a suspicious email and how quickly; a falling click rate alone says little if nobody reports what they see. Also include the number and types of rewards given to team members who practice and encourage secure behaviors. Develop ways to assign values to soft metrics like “perceived safety,” for example through short, repeated employee surveys, so the leadership team can see how individual behaviors tie into the big picture.
As security incidents occur, use them as on-the-spot learning opportunities. Remember that your team is human; 100% compliance with zero mistakes is unlikely. The most important thing is to create a culture where employees feel comfortable reporting security incidents, including their own mistakes, because an incident reported early is far cheaper to contain than one discovered late. This is far easier to achieve by not threatening repercussions and, instead, empowering employees to take action when they see a problem and thanking them for doing their part to better protect your organization.
Review the scorecard results regularly and communicate them to your organization in periodic reviews to get others championing security alongside you. To create a positive culture around cybersecurity, you must be candid about where your team is excelling and where it needs to grow. This transparency helps instill personal responsibility.
As you continue to track security behaviors and change your internal culture around cybersecurity, you'll start to see an increasing number of opportunities to educate and empower your team.
This is your opportunity to use the data you've been collecting and apply it to boost your program’s success. Build in routine security awareness training sessions, cultural perspective workshops, and other team-building exercises designed to transform your security posture. With consistency, time, and dedication, you will start to see the results speak for themselves.
The only way to inspire long-lasting behavioral change around cybersecurity within your company’s culture is to remind your employees that they are your greatest strength, not your greatest weakness.
That starts with managing your security risk at a human level and empowering employees to recognize their impact on your security.
Download our free guide, 7 Essential Trends Of Human Risk Management for 2021, to discover more ways to turn your team into advocates of your security culture.