The front line of cybersecurity is as much about psychology and culture as software and technology.
Recent cyber incidents illustrate that human vulnerabilities are among the most easily exploited vectors in ransomware and other cyber attacks, with sometimes catastrophic consequences for corporations and their employees.
Recent cyber attacks on British retailers illustrate the severe impact of such breaches. The Co-op has confirmed that all 6.5 million of its members have had their data stolen; M&S has admitted it will face a £300 million hit to profits, months of disruption, and a loss of customer and staff data; and Harrods reported that a cyber attack restricted internet access at its sites, but was spotted quickly.
CSOs and CISOs need to balance their well-established technical defences against cyber attack with broader, targeted efforts to create a security culture in which employees and third parties understand their role in keeping the company safe.
Six Insights for Effective Security Culture
Our work with security culture leads in many of the largest multinational corporations highlights six key insights for an effective security culture:
1. Measurement matters
- Effective change management requires metrics:
  - Baseline: where are we now?
  - Goal: where do we want to be?
  - Progress: how fast do we expect to move?
- Use metrics that correspond to behaviour changed rather than activities completed: for example, the proportion of staff who report a suspicious email, rather than the number who completed a training module.
- Make the metrics accessible to stakeholders via a dashboard.
2. Risk-based approaches to training
- Shift from one-size-fits-all training to training that is risk-based: workers on an oil rig, HR staff processing payroll, a bank branch manager, an investment banker and an IT help desk worker each have different needs.
- Incorporate real-time nudges when an employee does something right or wrong, so the learning is delivered at the moment it has the most impact.
- Respond to cyber-related news events to provide more context for employees whose interest has been piqued.
3. Campaign with caution
- Security awareness campaigns can reinforce security culture messages and create visibility.
- Campaigns can be time- and resource-intensive: use metrics to measure return on investment and to learn what really works.
4. Elevate security champions
- Security champions can be a useful resource for carrying security messages into their own teams.
- Recruit senior as well as junior staff members into this role.
- Ensure your security champions are well organised and properly resourced.
5. Senior leaders are critical
- Senior buy-in is critical.
- Identify opportunities for senior leaders to champion security culture: year end results, town hall meetings, cyber week and campaign activities, and Executive Committee meetings.
- Senior accountability for security culture is impactful; the most mature organisations tie executive performance to security culture metrics.
6. Partner with corporate communications
- Support from the corporate communications team is critical to security culture maturity. The most effective security functions build strong and productive relationships with communications colleagues.