Part 6 of 6: This blog series details 5 practical steps for creating a culture of cybersecurity in the workplace.
Creating a culture of security, as you’ve likely gathered, is not a static process. A common mistake organizations make with their security awareness program is failing to plan long term. Oftentimes, they get caught up in the initial roll-out of their training but forget to plan on updating their program periodically. New types of attacks are constantly emerging, so it is important that senior management and the IT department work together to stay ahead of the hackers. The key to maintaining a strong security posture is consistent review and updates.
Here are a few considerations to keep in mind:
- Creating a security culture is so much more than compliance, but if your main goal is to meet compliance requirements, keep in mind that these standards are constantly changing. You need to update your program to stay current. In addition, which standards you must comply with can also change based on organizational evolution.
- Hopefully your goal is to take your security awareness program to the next level and change behaviors in order to develop a company culture that values security. Developing a security culture requires a strong focus on the top human risks to your organization. However, because both technology and threats are constantly adapting and changing, so too must your awareness program. For example, while cloud technology or BYOD may not have been a concern last year, either could become a top human risk you need to address as your organizational processes and standards change.
- Finally, going back to Step 3, remember to consider engagement. If you continue to provide the exact same training year after year, people will quickly tune you out. By updating your training, you will more effectively engage your staff and ultimately change behaviors.
So, how do you sustain security awareness and stay ahead of cyber threats? Here are 5 practical tips:
Identify when to review your security awareness program.
The time frame for this review process will vary from organization to organization, but at a minimum, conduct a formal review of your security awareness program on an annual basis. Each year you may choose to start with a security risk assessment to effectively identify any new threats to your organization. If you choose not to conduct a risk assessment annually, consider starting by re-engaging employees prior to training to be sure all stakeholders are still bought in to your culture of security.
Identify new or changing threats or compliance standards and updates needed.
This step is crucial and cannot be done on just an annual basis. The threat landscape is constantly evolving, and if you wait until a formal annual review, you may miss a new threat and be too late to educate employees. Your security team or outsourced security firm should constantly be monitoring the cyber threat landscape. This ensures all key stakeholders are educated and trained to catch new schemes, scams, and hacks and to mitigate potential risk.
Conduct periodic assessments of organization security awareness and compare to baseline.
The purpose of each of the steps in this process has been to move your organization towards a stronger security posture through education and training for your first line of defense: your employees. As in most aspects of business, measurable outcomes are the ultimate goal of security awareness training. Periodically assessing your employees’ cybersecurity awareness will provide quantifiable results of the efforts put forth by managers and the security team to create a culture of security.
Survey staff for feedback (usefulness, effectiveness, ease of understanding, ease of implementation, recommended changes, accessibility).
As discussed in the Creating Buy-In step, it is crucial that all employees feel like they are an integral piece of your organization’s cybersecurity puzzle. Keeping employees ‘bought in’ and engaged is a continuous process. One way of doing so is by inviting and genuinely listening to their feedback. It’s easy to make policies from a security standpoint, but oftentimes the people making those policies do not experience their outcomes in day-to-day operations. Periodically surveying staff for feedback will not only make them feel like their voice is being heard, but will also allow you to identify any remaining security weaknesses or procedures that impede efficiency.
Maintain management commitment to supporting, endorsing and promoting the program.
Similar to the previous step, this one is also a vital component of sustaining a culture of security. All decision-makers within the organization must be committed to maintaining a security awareness program long term. This will not only ensure funding and support for security awareness efforts, but will also demonstrate to all employees the importance of security within the organization.
In this six-part series, we’ve outlined a practical five-step process for creating a culture of security within your organization. Similar to developing a corporate culture, the creation of a workplace culture that values security is not an overnight activity. Yet it is a worthwhile process for organizations of all sizes to undertake. Your employees hold the ‘keys to the kingdom’ when it comes to sensitive customer, personnel, and company data, so ensure those keys are in capable hands.
Each of these actionable measures can be executed by current management and security personnel. However, working with a dedicated cybersecurity firm will yield greater outcomes in the long run. From the security assessment to the ongoing update and review of policies and procedures, these highly trained professionals will ensure your resources and efforts mitigate the greatest amount of cybersecurity risk.