7 Ways to Build a Culture of Risk-Awareness

Creating a secure culture begins with investing in security awareness training with both financial resources and time. Rather than burdening IT with training your employees about evolving cyber threats, you need to build a culture of risk-awareness to defend against attacks.

A recent Ponemon Institute survey of 612 chief information security officers (CISOs) indicated that “the ‘human factor’, and human error, are some of the biggest worries keeping CISOs awake at night.” It’s no surprise that 54% of CISOs cited the inability to reduce employee negligence as a major security threat. However, there are aspects of security awareness that can be shared across all areas of the company.

So how do SMBs build a security-centric culture in their organizations? First, you need to establish the cybersecurity practices you expect your employees to follow. Then you need to provide consistent and ongoing training. There is a difference between security and security awareness. Changing the culture of your business to be more aware of cyber threats requires more than technical skills; you must treat cybersecurity as a profession. It’s not an add-on task for members of the IT department. You can’t pass the buck of securing your business onto other departments.

A 2017 survey of security awareness professionals by the SANS Institute found that more than half (55%) of respondents are currently promoting awareness and behavior changes, and are well on their way to establishing long-term, sustainable programs. 

Here are 7 tips that have helped survey respondents build a more mature security-aware culture.

  1. Build a human solution: The two biggest challenges security awareness professionals face are finding sufficient time and communicating effectively. The SANS data shows that a lack of resources hinders the growth of security awareness programs across many organizations. But awareness is not a technical solution, it’s a human solution: one that requires engaging and collaborating with others, and carving out the time to communicate.
  2. Make training meaningful: Do away with the stale, once-a-year training on these topics. Technology has evolved to deliver new tools that can help you identify where employees are weak so that you can design your training programs to target those areas directly. Offer shorter, but more meaningful training, and focus on communicating the goals and the problem areas to the end users. Cybersecurity training should continue throughout the year, at all levels of the organization.
  3. Make awareness a full-time job: The more employees you have dedicated to awareness training, the more successful your program will be. If your company does not have a dedicated security awareness professional, it’s time to add that responsibility to the job description of at least one full-time employee. Anything short of staffing a full-time position is likely just checking the box for compliance purposes.
  4. Accept the difference between time and money: Yes, budget does have an impact on the maturity of your program, but the survey data shows that the correlation between money and maturity isn’t nearly as compelling as the correlation between time and maturity.
  5. Develop the soft skills: Security awareness employees need to be able to communicate risk across all levels of the company. But a lack of soft skills (the ability to collaborate, plan, manage, and instruct) is a roadblock to building a security-aware culture. Still more important than any of these skills is the ability to communicate.
  6. Get leadership on board: The culture of any company comes from the top down, and a security awareness training program that focuses only on the employees will fail to effectively change the culture. The survey data found that the more leadership support an awareness program has, the more likely the awareness program will succeed.
  7. Build strong partnerships: Get an individual from each department on board as a cyber liaison. Rely on your communications department to help communicate the value of your program. Have HR start security awareness training as part of the onboarding process. Ask for help within and outside of your company. Begin to change the culture of your company by building relationships within your organization, but also recognize where you need the help of a trusted third party.