
How to Create a Successful Security Culture Program

Masha Sedova, Senior Director of Trust Engagement, Salesforce

Ask a Chief Information Security Officer (CISO) about their employees’ security habits and a typical answer follows: “I want people to make fewer security mistakes.” In reality, that answer describes culture as much as it describes habits: a culture is a set of behaviors that people regularly perform.

The keyword there is regularly. Changing the way people operate when it is something they do regularly is no easy task, but when the security of a company could be at risk, it is imperative that CISOs do everything they can to help change this culture.

Culture change can be overwhelming if a CISO does not know where to begin. To effectively start building the security culture you want, you must first identify the measurable behaviors that will make up that culture. There are three key questions to ask when selecting simple, concrete, and measurable security behaviors:

1. What behaviors am I trying to change?
2. What will people do differently after my effective program is instituted?
3. How can I measure whether the program was successful?

Choosing Key Behaviors

Every CISO has a list of security changes they would like to see. Before embarking on a culture change, it is important to identify the top priorities for the organization. This can be a challenge, since priorities are subjective and shaped by each individual’s experience. Below are some questions to help you identify the priority behaviors for your team:

• What are the most frequent security incidents?
• What would be the most damaging to the company?
• What would have the greatest impact on the company’s security posture?
• What does the team already have metrics on?
• What do the company’s stakeholders care most about?

By focusing on a few selected behaviors, rather than a laundry list that may discourage employees, CISOs give people time to digest the information and apply it to their work. Focusing narrowly also lets CISOs test how well their lessons are working by sampling the group’s behavior before and after training, which is not practical when taking on numerous changes at once. The before-and-after comparison shows you how much influence the security behavior training actually had on the organization.

Designing an Effective Program

Many times, employees are not aware that a behavior is a security threat until someone points it out to them. CISOs can create programs to help employees identify these behaviors and teach them how to avoid specific threat instances in the future.

It is important that CISOs make these lessons tangible for employees and not speak in generalities. By identifying the specific behavior change, employees can easily apply these lessons to their day-to-day work. For example:

• General behavior: I want my employees to be less susceptible to phishing links.
• Specific behavior: I want my employees to report all suspicious emails to the security team.

Do not forget to make it fun for employees to participate and celebrate their successes. This will encourage them to want to learn more and successfully practice other security behaviors.

Measuring Desired Behavior

It is critical to have measures in place to show progress against culture change. Since security is often described as never having a finish line, it is imperative to define milestones so that you can report the program’s success back to yourself, to the participants in your campaigns, and to management.

Behaviors can be tracked quantitatively, as with click-through rates, or qualitatively, as with employee surveys. In the above phishing example, a quantitative target could be: at least 20 percent of the emails sent in any phishing exercise against my employees were reported to my incident response team via email.

Once progress is made against one behavior, it is a great opportunity to recognize and reward the organization for becoming more secure, celebrating its success, and encouraging the next behavior change.
