Security Awareness Behavior & Culture: Ask Us Anything
During the Infosec Inspire Cyber Skills Summit, we sat down for an open mic Q&A conversation with leading security awareness and culture experts Jinan Budge, Principal Analyst at Forrester, and Bruce Hallas, author of “Re-thinking the Human Factor.” We got unique insights into everything from how to measure and report on security culture change to how to scale a security awareness and training program with limited resources.
Here are highlights from the conversation.
There’s a lot of discussion about measuring security culture. What do you see as the strongest indicators of culture change?
Jinan: There are many tangible and intangible ways to start measuring cybersecurity culture. Fundamentally, it’s important to deviate away from only looking at novel measures like how many people completed training and focus more on behavioral shifts. Three key tips include:
- Leverage cultural assessment tools available on the market today that can measure the culture and behavior of the workforce.
- Pay attention to intangible indicators like taking notice of how often your CISO is invited to present to the board, how often the security team is proactively being brought into meetings and similar shifts.
- Keep an eye on any small shifts in how the rest of the organization is engaging in and talking about cybersecurity.
Bruce: It’s important to remember that effectively measuring something would mean that you already know your destination or the goal you have in mind. When it comes to measuring culture, start with your organization’s unique definition of good culture, the roadmap required to get there and ultimately how you can measure the progress in your own way.
For organizations who want to mature their cybersecurity culture by doing more than basic annual awareness training but have limited resources, where do you recommend focusing time and energy for the biggest impact?
Jinan recommends the following strategies:
- Understand: Take a pulse check on your organization. Conduct surveys to gain insight into questions like:
- Who are the stakeholders?
- What are some of the security aspirations that the CISO or team has?
- What are the challenges? For example, are there budget concerns, issues with visibility or frustrations with certain processes?
- Hearing about these topics from stakeholders across the organization will give you a better idea of who and what you are dealing with today.
- Organize: Segment your stakeholders into different threat communities. Think about who presents the greatest risk and where you want to influence behavioral changes that reduce cyber risk. Consider identifying specific groups you’d recommend focusing on first such as executive assistants, marketing or HR, and have a meaningful framework for prioritizing them.
- Create: Next, get creative and figure out how you can influence the behavioral change for these groups. Beyond annual training, think about year-round campaign ideas and new opportunities to engage users on an ongoing basis. Prioritize the ideas and determine what timeline will work for execution.
- Gain buy-in and deliver: Finally, delivery typically is not possible without stakeholder buy-in. Share your ideas and focus on gaining buy-in from key stakeholders. Doing so may also land you the additional headcount or resources you need to expand your awareness efforts. One additional tangible tip for delivery with limited resources, especially for one-person awareness teams, is to leverage ambassadors and champions when culturally appropriate to do so.
What traits or abilities should we look for when recruiting employees as security champions?
Jinan: Building a network of cybersecurity champions can go a long way in influencing behavioral change within organizations. However, it’s important to find the right person for the job. Critical traits to look for include:
- Passion for cybersecurity and for making a difference
- Ability to influence behavior within the organization
- Creativity and a fresh perspective
- Relationship building and stellar communication skills
- Interest in professional development opportunities
As programs advance, the ability to facilitate workshops, generate written content and grow advanced cybersecurity knowledge will become more relevant.
Bruce: Know that various cultures, like those who prioritize hierarchy and chains of command, may perceive champion and ambassador programs in different lights. Pay attention to these potential cultural impacts as you determine what kind of program you’d like to build.
What can we all do better as we aim to improve our organizations’ cybersecurity cultures?
Bruce: Most of what happens in training and awareness today is educating people on policies and procedures we’ve developed reactively. To shift behavior in a significant way, we must shift the focus from reactive communication and awareness to addressing the true root cause of the issue.
First, think about how humans behave and how we use technology naturally. Then integrate security by design into those processes and technologies. When done correctly, security is not an add-on but a seamless part of everyday solutions. Think about security like a new tech gadget or product on the market. When you create an experience and a product that people like, they’ll want to buy and use, again and again. The same applies to cybersecurity. Design a program that makes users want to come back by choice.
Jinan: Be empathetic. Put yourself in the shoes of the people who you want to influence. Anticipate the needs of others and be open to helping them out.
You can hear more from Jinan and Bruce by watching the full video of their conversation below: