How to Create a Successful Security Culture Program
CIOReview

Masha Sedova, Senior Director of Trust Engagement, Salesforce

Ask a Chief Information Security Officer (CISO) about their employees’ security habits and a typical answer follows: “I want people to make less security mistakes.” In reality, this is just as much a description of security habits as it is of culture: a set of behaviors that people regularly perform.

The keyword there is regularly. Changing the way people operate when it is something they do regularly is no easy task, but when the security of a company could be at risk, it is imperative that CISOs do everything they can to help change this culture.

Culture change can be overwhelming if a CISO does not know where to begin. To effectively start building the security culture you want, you must first identify the measurable behaviors that will make up that culture. There are three key questions to ask when selecting simple, concrete, and measurable security behaviors:

1. What behaviors am I trying to change?
2. What will people do differently after my effective program is instituted?
3. How can I measure whether the program was successful?

Choosing Key Behaviors

Every CISO usually has a list of security changes they would like to see. Before embarking on a culture change, it is important to identify the top priorities for the organization. This can be a challenge, since priorities are subjective and depend on the individual and their experiences. Below are some questions to help you identify the priority behaviors for your team:

• What are the most frequent security incidents?
• What would be the most damaging to the company?
• What would have the greatest impact on the company’s security posture?
• What does the team already have metrics on?
• What do the company’s stakeholders care most about?


By focusing on select behaviors, rather than a laundry list that may discourage employees, CISOs can give them time to digest the information and apply this learning to their work. This also gives CISOs the ability to test how well their lessons are working by sampling the group’s behavior before and after training, which is not practical when taking on numerous changes at once. This will help you understand the influence of the security behavior training on the organization.

Designing an Effective Program

Many times, employees are not aware that a behavior is a security threat until someone points it out to them. CISOs can create programs to help employees identify these behaviors and teach them how to avoid specific threat instances in the future.

It is important that CISOs make these lessons tangible for employees and not speak in generalities. By identifying the specific behavior change, employees can easily apply these lessons to their day-to-day work. For example:

• General behavior: I want my employees to be less susceptible to phishing links.
• Specific behavior: I want my employees to report all suspicious emails to the security team.

Do not forget to make it fun for employees to participate and celebrate their successes. This will encourage them to want to learn more and successfully practice other security behaviors.

Measuring Desired Behavior

It is critical to have measures in place to show progress against culture change. Since security is often described as never having a finish line, it is imperative to define milestones so that you can report the success of the program back to yourself, to the participants of your campaigns, and to management.

Behaviors can be measured both quantitatively, as with click-through rates, and qualitatively, as with employee surveys. In the above phishing example, a quantitative milestone could be stated as: at least 20 percent of the emails sent in any phishing exercise against my employees were reported to my incident response team via email.
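As an added illustration (not part of the article, and not Salesforce's tooling), the following Python script turns the two measurements the article recommends into a repeatable check: it tallies per-recipient outcomes from a phishing exercise, computes the reporting and click-through rates, compares a baseline campaign with a post-training campaign as the "sample before and after" section suggests, and evaluates the 20 percent reporting milestone quoted above. The campaign data, the outcome labels (`reported`, `clicked`, `ignored`) and the `CAMPAIGNS` structure are constructed assumptions for the example; a real program would feed it records exported from the phishing-simulation and ticketing systems.

```python
"""Phishing-exercise metrics for a behavior-change program.

Added example, not from the article: computes the reporting and click-through
rates the article proposes as quantitative measures, compares a baseline
campaign with a post-training campaign, and checks the article's
"at least 20 percent reported" milestone. All campaign data is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# The article's example target: at least 20% of sent emails reported to IR.
MILESTONE_REPORT_RATE = 0.20

# One outcome per recipient per simulated phishing email (constructed sample data).
# "reported" = forwarded to the incident response team, "clicked" = followed the link.
CAMPAIGNS = {
    "baseline": ["clicked", "ignored", "clicked", "reported", "ignored",
                 "clicked", "ignored", "ignored", "clicked", "ignored"],
    "after_training": ["reported", "ignored", "reported", "clicked", "reported",
                       "ignored", "reported", "ignored", "reported", "ignored"],
}

VALID_OUTCOMES = {"reported", "clicked", "ignored"}


@dataclass(frozen=True)
class CampaignMetrics:
    sent: int
    reported: int
    clicked: int

    @property
    def report_rate(self) -> float:
        # Guard against an empty campaign rather than dividing by zero.
        return self.reported / self.sent if self.sent else 0.0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0


def measure(outcomes) -> CampaignMetrics:
    """Tally one campaign's per-recipient outcomes into sent/reported/clicked."""
    counts = Counter(outcomes)
    unknown = set(counts) - VALID_OUTCOMES
    if unknown:
        # Reject mislabeled exports instead of silently undercounting.
        raise ValueError(f"unrecognized outcome labels: {sorted(unknown)}")
    return CampaignMetrics(sent=sum(counts.values()),
                           reported=counts["reported"],
                           clicked=counts["clicked"])


def milestone_met(m: CampaignMetrics, target: float = MILESTONE_REPORT_RATE) -> bool:
    """True when the campaign's reporting rate reaches the program milestone."""
    return m.report_rate >= target


def behavior_change(before: CampaignMetrics, after: CampaignMetrics) -> dict:
    """Before/after deltas for the two behaviors the program tracks."""
    return {
        "report_rate_delta": after.report_rate - before.report_rate,
        "click_rate_delta": after.click_rate - before.click_rate,
    }


if __name__ == "__main__":
    before = measure(CAMPAIGNS["baseline"])
    after = measure(CAMPAIGNS["after_training"])
    for name, m in (("baseline", before), ("after_training", after)):
        print(f"{name}: sent={m.sent} reported={m.report_rate:.0%} "
              f"clicked={m.click_rate:.0%} "
              f"milestone={'met' if milestone_met(m) else 'not met'}")
    print(behavior_change(before, after))
```

With the constructed data the baseline campaign reports 10 percent (milestone not met) and the post-training campaign 50 percent (milestone met), while the click-through rate falls from 40 to 10 percent; the same two rates, tracked campaign over campaign, are the numbers to report back to participants and management.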

Once progress is made against one behavior, it is a great opportunity to recognize and reward the organization for becoming more secure, celebrating its success, and encouraging the next behavior change.
