Part 5 of 6: This blog series details 5 practical steps for creating a culture of cybersecurity in the workplace.
The process of creating a security culture does not end when awareness training is complete. In fact, each of the preceding steps in this series has built upon the one before it to get your organization to this point. Now the ongoing task of keeping cybersecurity front-of-mind begins.
If you have followed our first three steps for creating a culture of security, you have set yourself, your employees, and your organization up for success in these final two steps. The assessment revealed the key strengths and weaknesses in your current cybersecurity environment. Creating buy-in built the framework for a company that values security. Your awareness training gave all key stakeholders the tools they need to spot and mitigate potential cyberthreats.
Now it is time to test your efforts and recognize those who exceed expectations in keeping organizational data safe. Mike Saurbaugh, an independent security consultant and faculty member with IANS Research, stresses that a comprehensive security awareness program should be considered a journey, not a destination. It requires dedicated oversight and should be ongoing, with engaging exercises. It should certainly not be treated only as part of a compliance or audit initiative, since that is likely to result in ticking off checklists rather than producing any lasting behavioral change.
Employees need to understand the part they play in achieving a common security vision — but in an engaging way, not one that is condescending or demeaning. Threatening repercussions such as termination if an employee fails should be avoided because this creates mistrust and fear.
Here are a few tips for engaging employees with a security awareness program:
Creating an air of healthy competition will raise interest in the awareness program, especially where departments are encouraged to compete against each other for the top spot based on factors such as which caught the most phishing emails or reported the most suspected incidents.
Employees will be more engaged if the program is fun to take part in. For example, gamification exercises for personnel in security operations centers let participants enjoy themselves while honing incident response skills, and they become more adept at protecting the organization in the process.
Publicly recognizing success is key to making employees feel valued and can easily be done via the intranet, newsletters, internal marketing materials and general recognition from management. These methods may be preferred over monetary incentives such as gift cards or extra paid time off.
Form Security Awareness Allies
Promoting security awareness doesn’t have to be the sole responsibility of the security team, which is often understaffed and time constrained. By getting other departments or branch locations involved, individuals outside of security can help to be the eyes, ears and voice of the program.
Also consider accountability programs. Encouraging employees to report on one another for not following best practices will only erode trust. Encouraging employees to gently hold one another accountable, however, helps keep best practices in everyday use.
The other side of reward is advancement. Provide opportunities for team members to grow into a dedicated security role, and make security a career path within your organization.
Additionally, consider making security awareness a component of employee scorecards and requiring employees to meet a defined security standard to be eligible for promotion. This not only gives employees an incentive, but also helps you build a leadership team that values security.
While undoubtedly not as fun and engaging as the tips above, compliance programs still play a major role in creating a security culture. They are how you ensure that all employees are on the same page about what is required and expected. The goal is to move toward a workplace culture that innately values security, but there will always be a few late adopters at first, and it is important to have a documented policy to back you up when they fail to get on board.
By comprehensively instilling security in all aspects of your organization's corporate culture, every key stakeholder will come to see security culture as an integral piece of the overall corporate culture. Consistently testing security awareness and recognizing good cybersecurity hygiene will reinforce the importance of security in every part of the workplace environment.