Developing the Framework for a Culture of Security Awareness
Why It's Important
Security awareness is the unsung hero of corporate cybersecurity. While technology often runs away with the credit, it would be powerless without the secret sauce that puts it into play; a strong security culture framework.
Not only is culture a security tool, but it encourages employees to think for themselves and is necessary as organizations face a “tidal wave of consumer devices”. If every company is now a tech company, then every employee needs to be tech aware; and that starts with knowing how to use it safely.
Said Adam Burns, Director of Cybersecurity at Fortra, “Humans are by far the weakest link in security, and if you can’t monitor their behavior, test their willingness to comply with best practices and, ultimately, educate and modify their behavior, you’re putting the environment at risk for ransomware attacks.”
Where to Start
You may be wondering how to transition from a mindset of data protection to a culture of cybersecurity. In the first scenario, the SOC does all the work, and the employee base remains ignorant, if not cooperative. In the other, employees themselves take up the banner of keeping the enterprise safe, one interaction at a time.
Success starts with first defining your baselines. How much do your workers know about cyber safety? And what’s the pulse on the current attitude towards learning more? Find out what employees really think about security awareness and build from there with custom-made training solutions to fill in the gaps.
Steps to Success
The five steps to carrying off an effective security awareness program are as follows:
1. Analyze
Identify your goals and what it will take to close the gap.
2. Plan
Build your team, define your roadmaps, and select your program.
3. Deploy
Launch your campaign, communicate importance, and reinforce your message.
4. Measure
Gather data, track progress, and report findings.
5. Optimize
Do it again, this time with higher goals and learnings from last time.
While all steps are important, it’s key to not overlook number two: picking the right program. When searching for the right fit, keep in mind that the four pillars of successful security awareness training include high-quality content, personalized vs. pre-built options, risk-based vs. role-based training, and phishing simulations. After that, all energies focus on gaining buy-in from the ones that can push the initiative forward — and harnessing the engagement of the employee base.
Discover why security awareness training is an essential component of success cybersecurity.
Gaining Buy-In Across the Organization & at Board Level
Understanding What a Security-First Culture Can Do for You
With cyberattacks on the rise and new malware strains being discovered by the thousands, companies no longer have the luxury of siloing security. Now, employees not only need to know how to stay safe online, but how to sidestep the regulatory landmines that come with new data privacy laws and industry regulations.
An increase in security awareness leads to an increase in business objectives met; or it can do the opposite. Says Chris Reffkin, CISO at Fortra, “Enterprises often experience a disconnect between business objectives and security guidelines. It is in this disconnect that cybercriminals find opportunity.”
The Verizon 2023 Data Breach Investigations Report notes that 74% of breaches involve the human element. Creating a security aware culture can turn each employee from a liability to an asset.
Gaining Top Level Buy-In
When it comes to garnering support, several tips for winning and keeping C-suite support for your security culture framework include:
- Start in the C-suite and make security relatable
- Make it human-centric by showing key stakeholders what their teams are risking
- Have a CISO succession plan in place
“Once the executives understand — in relatable terms — what the risk is and what the ask is, then they're able to follow through … and support you,” noted ISSA board president Candy Alexander.
As soon as top-tier support is in place, you’ll need to earn the engagement of the ones who matter the most; your employees.
Involving All Levels in a Security Aware Culture
As people, processes, and technologies come together, there can be no weak link. Security aware people improve the processes which then impact the technologies.
Implementing shift-left techniques only works when employees understand the importance of baked-in security measures and the threat of non-compliance. To shift security left means that teams are implementing security measures throughout the entire development lifecycle, not just at the end. Inter-departmental collaboration is key to sustaining the kind of cooperation and innovation necessary to keep security-first objectives not only a part of company processes, but their focus.
As employees in one area learn how their actions impact the integrity of data within another, team members will be more understanding of security controls that might otherwise seem irrelevant or inconvenient.
Increasing Engagement
Engagement relies heavily on your security awareness training being fun and rewarding. When people aren’t engaged in activities they enjoy, they don’t learn. And remember; learning isn’t training.
Focusing on a growth mindset, rather than a witch-hunt for errors, creates a no-blame culture where people can feel safe. That atmosphere fosters an attitude of curiosity and encourages employees to do whatever it takes to learn to the next level; even make mistakes.
As team members learn through gamified objectives, role-playing, and simulated bug bounty programs, they are more likely to stay on task, stay alert, and keep learning.
Another way to foster engagement is through security awareness ambassador programs. “An ambassador program is not complicated but does require some time and effort to be effective,” noted Theo Zafirakos, Chief Information Security Officer and Professional Services Lead at Fortra’s Terranova Security. “When it becomes effective, and prevents cyber-attacks, it can save organizations hundreds of thousands of dollars.”
Communicating a Cybersecurity Framework
A key way of ensuring engagement — both during trainings and in the months in between — is to clearly articulate the why behind your cybersecurity framework.
Employees want to know the goals of the business and how they are jeopardized by risky security behaviors. They want to know not only how they will benefit the bottom line, but how they themselves will be rewarded for the implementation of safer techniques. Will there be perks or bonuses for improved behavior that aligns with the cybersecurity framework?
Security is everyone’s responsibility as all employees are in the same boat. The success of the company at large represents the welfare of anyone on the payroll, and a breach, data egress, or widespread security incident impacts more than the stock price. Research by Kaspersky indicates that 31 percent of data breaches result in employees getting fired. And Gartner predicted that 75 percent of CEOs will be personally liable for cyber-physical security incidents by 2024.
The rising security awareness tide is one that will lift all ships.
Planning for Leadership Turnover
One of the problems companies face when achieving hard-fought security culture victories is the rate of turnover among those at the head. The average tenure of a CISO is two years. After so much ground gained, it can be demoralizing for companies — and cultures — to have to start over.
Companies need to have a CISO succession plan in place. When the tables turn, it can be hard to find someone to carry the flag. Jinan Budge, principal analyst at Forrester Research, noted that the top security officer of the organization must have the "right stuff". Finding a CISO that can continue the transformative process of evolving a company’s cybersecurity culture (and recognize its importance) can be a tall task.
To prepare, organizations should appoint a successor within the company that can continue to champion the cause – before the board and to the CISO — even after the previous flag-bearer is gone.
"Otherwise,” explains Jason Frudge, CISO at Rent-A-Center, “We are going to continue to start over every couple of years and never really get there.”
Leveraging Safety Net Technology
No plan is foolproof. Even the best trained, most cybersecurity savvy humans are just that — human. And humans make mistakes. That’s why it’s important to leverage safety net technologies. Fortra’s portfolio of solutions supports companies’ security culture frameworks by throwing up an additional layer of digital protection. Combine security awareness training with Fortra’s best-in-class technologies for a complete defense-in-depth approach.
Security Aware Data Handling
Email and Collaboration
SecDevOps and Security Awareness Training
How Fortra Can Help You Build a Cybersecurity Aware Culture
Employees are humans. And humans make mistakes. Learn how you can partner with Fortra to build a security-aware culture that helps protect your business.