As security leaders, one of our ultimate goals is to create a strong security culture in our organizations. But what does that actually mean in practice? We are often focused on growing security awareness – the knowledge and understanding of security issues and processes. But awareness is only the first step when it comes to building a real security culture. It’s also crucial to consider other important factors in how people at your company work together:
Attitudes: feelings toward security issues and protocols
Behaviours: actions and activities of employees that have a direct or indirect impact on the security of the organization
Communication: quality of communication channels, sense of belonging, support for security issues and incident reporting
Compliance: knowledge of written security policies and the extent that employees follow them
Norms: knowledge of and adherence to unwritten rules of conduct
Responsibilities: employees' perception of their role as a critical factor in sustaining or endangering the security of the organization
Source: Forrester Consulting report on behalf of KnowBe4 (2020)
https://www.knowbe4.com/hubfs/Security-Culture-Report.pdf
These factors show that fostering a security culture is as much about feelings and attitudes as it is about knowing what the rules are and complying. Once employees are more aware and understanding of security principles then they are more likely to behave in ways that comply. However, just making people behave a certain way is not a security culture - not really. Only when that behaviour is fuelled by their own motivation, reasons and feelings, can we consider it fully embedded in the organization as part of the culture. People have to care.
But how do you go around doing that, exactly?
You can simply tell people to care, but frankly speaking, this probably is not going to be successful. It’s a long process to shift company culture and you have to work cross-functionally to influence norms and job responsibilities. But as a security leader you can start down this path by engaging with your audience first and influencing their feelings and attitudes, not just their knowledge.
- Show, don't (just) tell
Security policy can quickly bore your audience if not presented right, and negatively affect their attitude towards security. It’s often hard to see why policies are relevant or important. Use real-life examples and scenarios to illustrate concepts. When possible, use practical and interactive exercises to bring policies to life. This will not only improve understanding, but also foster more positive attitudes and help shape desired behaviour
- Make it personal
Any instruction or message coming from an unidentified entity will automatically carry less value than something communicated by a known person. Try to put a familiar face and name to policies, or other employees in the organization who are easy to relate to. It will increase the sense of belonging,and sense of responsibility, and will highlight unwritten norms
- Utilize storytelling
Storytelling is a great way to increase emotional engagement. Play it to your advantage - illustrate key security messages with relevant stories that your employees can empathize with. This will help employees feel more emotionally connected to security as a fundamental part of how they work.
These approaches help you influence employees’ feelings and attitudes, and are the first step towards embedding a strong security culture at your organization. The change won't happen overnight, but it is never too late to start ensuring security is fundamental to how your organization works every day.
To see how SAME Solutions brings these principles to life, get access to the demo at