Security awareness behavior & culture: Ask us anything
During the Infosec Inspire Cyber Skills Summit, we sat down for an open mic Q&A conversation with leading security awareness and culture experts Jinan Budge, Principal Analyst at Forrester, and Bruce Hallas, author of “Re-thinking the Human Factor.”
We got unique insights into everything from how to measure and report on security culture change to how to scale a security awareness and training program with limited resources.
Should you pay the ransom?
Here are highlights from the conversation.
There’s a lot of discussion about measuring security culture. What do you see as the strongest indicators of culture change?
Jinan: There are many tangible and intangible ways to start measuring cybersecurity culture. Fundamentally, it’s important to deviate away from only looking at novel measures like how many people completed training and focus more on behavioral shifts. Three key tips include:
- Leverage cultural assessment tools available on the market today that can measure the culture and behavior of the workforce.
- Pay attention to intangible indicators like taking notice of how often your CISO is invited to present to the board, how often the security team is proactively being brought into meetings and similar shifts.
- Keep an eye on any small shifts in how the rest of the organization is engaging in and talking about cybersecurity.
Bruce: It’s important to remember that effectively measuring something would mean that you already know your destination or the goal you have in mind. When it comes to measuring culture, start with your organization’s unique definition of good culture, the roadmap required to get there and ultimately how you can measure the progress in your own way.
For organizations who want to mature their cybersecurity culture by doing more than basic annual awareness training but have limited resources, where do you recommend focusing time and energy for the biggest impact?
Jinan recommends the following strategies:
- Understand: Take a pulse check on your organization. Conduct surveys to gain insight into questions like:
- Who are the stakeholders?
- What are some of the security aspirations that the CISO or team has?
- What are the challenges? For example, are there budget concerns, issues with visibility or frustrations with certain processes?
- Hearing about these topics from stakeholders across the organization will give you a better idea of who and what you are dealing with today.
- Organize: Segment your stakeholders into different threat communities. Think about who presents the greatest risk and where you want to influence behavioral changes that reduce cyber risk. Consider identifying specific groups you’d recommend focusing on first such as executive assistants, marketing or HR, and have a meaningful framework for prioritizing them.
- Create: Next, get creative and figure out how you can influence the behavioral change for these groups. Beyond annual training, think about year-round campaign ideas and new opportunities to engage users on an ongoing basis. Prioritize the ideas and determine what timeline will work for execution.
- Gain buy-in and deliver: Finally, delivery typically is not possible without stakeholder buy-in. Share your ideas and focus on gaining buy-in from key stakeholders. Doing so may also land you the additional headcount or resources you need to expand your awareness efforts. One additional tangible tip for delivery with limited resources, especially for one-person awareness teams, is to leverage ambassadors and champions when culturally appropriate to do so.
What traits or abilities should we look for when recruiting employees as security champions?
Jinan: Building a network of cybersecurity champions can go a long way in influencing behavioral change within organizations. However, it’s important to find the right person for the job. Critical traits to look for include:
- Passion for cybersecurity and for making a difference
- Ability to influence behavior within the organization
- Creativity and a fresh perspective
- Relationship building and stellar communication skills
- Interest in professional development opportunities
As programs advance, the ability to facilitate workshops, generate written content and grow advanced cybersecurity knowledge will become more relevant.
Bruce: Know that various cultures, like those who prioritize hierarchy and chains of command, may perceive champion and ambassador programs in different lights. Pay attention to these potential cultural impacts as you determine what kind of program you’d like to build.
ChatGPT training built for everyone
What can we all do better as we aim to improve our organizations’ cybersecurity cultures?
Bruce: Most of what happens in training and awareness today is educating people on policies and procedures we’ve developed reactively. To shift behavior in a significant way, we must shift the focus from reactive communication and awareness to addressing the true root cause of the issue.
First, think about how humans behave and how we use technology naturally. Then integrate security by design into those processes and technologies. When done correctly, security is not an add-on but a seamless part of everyday solutions. Think about security like a new tech gadget or product on the market. When you create an experience and a product that people like, they’ll want to buy and use, again and again. The same applies to cybersecurity. Design a program that makes users want to come back by choice.
Jinan: Be empathetic. Put yourself in the shoes of the people who you want to influence. Anticipate the needs of others and be open to helping them out.
You can hear more from Jinan and Bruce by watching the full video of their conversation below:
ChatGPT training
In this Series
- Security awareness behavior & culture: Ask us anything
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization