Cybersecurity culture is a hot topic among many organizations and security professionals. But what are organizations doing to build a strong security culture?
To help shed some light on the topic, KnowBe4 asked attendees at Infosecurity Europe 2022 for their views. Of the 179 participants, 41.3% were from large enterprises, and 64% stated they were in a security or IT position, including CISOs and Heads of Security.
Where are efforts focused?
Participants were asked where they were focusing efforts to build a security culture, with most directing efforts into security awareness training (84.5%) and communicating values and expectations from employees regarding security (84.5%).
More than one-quarter (27.2%) do not put much effort into measuring employees' understanding of security. This raises the question: are most organizations still caught up in the compliance mindset of delivering training without being interested in measuring whether employees fully understand the implications of their actions?
Factors driving security culture
According to the survey results, the threat of cyberwarfare (30.2%) and experiencing a data breach or cyberattack (30.2%) are the most significant influences for wanting to improve security culture. Concern about cyberwarfare has undoubtedly been influenced in recent months by the ongoing war in Ukraine and the associated cyberattacks that have taken place.
Witnessing other organizations in the same industry suffer a cyberattack was also a significant driver (29.1%).
While getting a push to improve security culture from external events or sources is always positive, all the goodwill in the world will not impact the culture unless it is conveyed through effective communication channels.
How to improve your organization’s cybersecurity culture
Having security awareness advocates is the most effective way of communicating security awareness messages (27.9%), with gamification ranking second (24.6%).
These results are not surprising. As the adage goes, people buy from people they trust. This is why security advocates are considered so effective and essential to any organization's strategy to improve its security culture.
Gamification tends to be popular because of the level of engagement it brings. Furthermore, it reinforces the message that information needs to be delivered in an engaging and consistent manner to ensure the lessons are taken on board.
Is a strong culture worth it?
It appears as if many organizations are keen to build a strong security culture. But is this a case of keeping up with the Joneses, or is there a real benefit to building a strong culture?
The vast majority (92.9%) said that it is very or somewhat likely that having a solid security culture can reduce the risk of security incidents.
Ultimately, reducing the risk of security incidents is the objective of cybersecurity, whether through technical controls, procedures, or educating colleagues.
While the focus for many years has been on the technology side of security, we cannot neglect the human factor. By working on building a strong security culture, organizations can ensure they are doing the best they can to minimize the risk of security incidents to their organization.
Information in this article was provided by our partners at KnowBe4.