Perry Carpenter, Chief Evangelist for KnowBe4 Inc., emphasizes the importance of addressing human behavior in cybersecurity rather than relying solely on technical controls. The concept of security culture is gaining traction at the C-level, but there is confusion about what constitutes a security culture and about the consequences of neglecting it within an organization.
Security culture is defined by the shared values, attitudes, beliefs, and behaviors of employees towards cybersecurity. It reflects how an organization prioritizes security and how employees perceive and interact with security measures. Neglecting to nurture positive security behaviors, attitudes, and values can lead to an unhealthy security posture, similar to weeds choking a garden without proper care.
Factors indicating a negative security culture include a lack of cybersecurity prioritization, non-compliance with security policies, and a lack of awareness about cybersecurity issues among employees. To foster a positive cybersecurity culture, organizations can implement measures such as measuring the current security culture, setting end goals and objectives, establishing a strategic plan, and continuously refining goals and methods.
Measuring the current security culture involves assessing employees’ understanding of cybersecurity, their compliance with security policies, and their willingness to report security incidents, among other indicators. Setting end goals and objectives involves defining the desired attitudes, behaviors, and level of participation in cybersecurity initiatives. Implementing a strategic plan involves gaining leadership buy-in, activating ambassadors to influence employees, and utilizing various communication methods to promote positive cybersecurity behaviors.
Refining goals and methods involves reflecting on the success, lessons learned, and setbacks of the culture change efforts and adjusting the strategy accordingly. Creating a sustainable security culture requires ongoing positive reinforcement and collective effort from all stakeholders. By demonstrating results and progress to leadership, organizations can secure support for future investments in building a strong security culture that aligns with security priorities and best practices.