An organization’s cybersecurity culture is much more than enforcing policies and asking your employees to change their passwords regularly. It is firmly embedded in your organization’s basic framework and can be measured by metrics.
Four cornerstones of cybersecurity culture
To properly assess your organization's cybersecurity culture, you need to know the various elements that strengthen, support, or hinder resilience to cyber threats. However, a healthy and entrenched cybersecurity culture is a complex framework. To fully comprehend it, knowing the four basic elements of it is certainly a good place to start:
1 – That which is visible to the eye
This includes the components within the organization that are easily tangible and visible to the eye. For instance, these may be organizational structures, formal processes, or written information security policies.
A cybersecurity culture is much more than enforcing policies and asking your employees to change their passwords regularly. A healthy cybersecurity culture includes that security is ensured and fostered at all levels of the organization, and not just seen as the responsibility of IT services. Cybersecurity can only work if it is seen as a shared responsibility that applies to the entire organization. Security-related policies should not just be adopted 1:1 from a textbook, they should be tailored to your business and fit seamlessly into work routines and company practices. Employees at all levels need to be made aware of risks and trained in how their actions (or, indeed, misconduct) can impact the entire organization.
2 – Official statements
A second essential component is your organization's official statements of values, beliefs, and principles. These can include mission statements or a commitment to respect user privacy.
3 – Invisible shared assumptions
In third place come invisible, shared and tacit assumptions, which are at least as much a part of any corporate culture as the visible components. They are the reason why corporate cultures generally cannot be changed simply by reformulating or publishing a new mission statement. Such invisible but powerful assumptions emerge over time and reflect an organization's accumulated experience and knowledge. If you want to embed your cybersecurity culture deeply within the organization, there is no getting around this level.
4 – The knowledge of risks
Last but not least, the fourth and perhaps most important component of a solid cybersecurity culture is to be mentioned: the knowledge of cyber risks and information security. Only when all employees are aware of the devastating consequences of cyberattacks will they understand why they need to strictly follow security policies and procedures in their daily work and why awareness and security trainings are necessary for the organization's information security.
But with this knowledge gained, how can you determine which elements of cybersecurity are already in place in your organization and which are still missing? There are several methods to determine how your cybersecurity is doing:
Five stages of a strong cybersecurity culture
A model has been developed by the SANS Institute which allows you to determine the current status of your cybersecurity awareness program and track its progress. The SANS Institute distinguishes the following five stages:
1. Non-existent: a security awareness program does not exist. Employees have no idea that they are potentially a target and that their actions have a direct impact on the security of the organization. As a result, they do not know or follow corporate policies and easily fall victim to attacks.
2. Compliance-focused: Your organization's program is primarily focused on meeting specific compliance or audit requirements. Training is only offered on a yearly or ad hoc basis. Employees are unsure of corporate policies and their role in protecting your organization's information.
3. Promoting awareness and behavior change: The program identifies the different audiences and training topics with the greatest impact. The program goes beyond a yearly training session and the training content is delivered in an engaging and positive manner, skillfully promoting behavior change. The result are employees who understand and follow security guidelines and actively identify, prevent and report incidents.
4. Long-term sustainment and culture change: Your organization's awareness program has processes, resources, and leadership support necessary for a long-term life cycle, including a yearly review and update of the program. As a result, the program is an established part of the organization's culture. The program goes beyond behavior change: It changes employees' beliefs, attitudes, and perceptions about security.
5. Metric framework: Your organization has a robust program aligned with your business that can measure progress and track impact. As a result, the program is continuously improving and achieves demonstrable success.
What is the state of your organization's cybersecurity culture?
You’re not sure or want to learn how to strengthen it? Then read our eBook «Stay safe with a healthy cybersecurity culture» or contact or security experts: We look forward to hearing from you!