4 ways to build a better security culture

Robert Lemos, Freelance writer

While the vast majority of security professionals believe a stronger cybersecurity culture would improve their business, nearly all companies—95%—have a gap between their desired culture and reality, according to new research.

The 2018 Cybersecurity Culture Study, conducted by ISACA (formerly the Information Systems Audit and Control Association), found that 88% of companies believe they can transform their cybersecurity culture for the better. The organizations with the most mature cybersecurity processes were those that invested in their employees, said Rob Clyde, chair of ISACA's board.

"Those companies that felt more mature in cybersecurity were investing more in their people—literally. It was over twice as much on a percentage basis, so it was not even close."
Rob Clyde

The study found that efforts focused on employees are the fundamental component of creating a cybersecurity culture that will serve to improve business and reduce risk. Nearly 70% of the study’s 4,815 respondents, for example, believe that clearly communicated policies strengthened security culture. Sixty percent believed that employees following those policies also strengthened security culture.

Employees who recognize that they serve a role in identifying and preventing security threats, and who participate in regular security training, are the most engaged in helping their company tackle cybersecurity risks. Such efforts result in companies with mature security cultures that have better visibility into risks and fewer cybersecurity incidents. They are also able to get back to business faster following an incident.

Here are four efforts that security experts say will improve cybersecurity culture and help your business head off threats.

1. Security training requires employee feedback

Companies' top priority in improving cybersecurity culture is training employees. Eighty percent of companies plan to improve their cybersecurity culture through employee training, while 79% of respondents plan to communicate behavioral policies more clearly.

But a key component of making such training and communication work is turning these interactions into a dialog. Companies with successful security cultures discuss security issues with employees and, just as important, take into account their feedback, according to the study.

About 80% of companies with a very successful security culture have assessed employees' views about the business's cybersecurity culture, compared to only 47% overall.

2. Bring lessons home with exercises

Most employees have no context to evaluate cybersecurity risks and threats. Incident response exercises can help employees gain experience. More than half—57%—of companies conducted hands-on training with employees to improve cybersecurity culture, according to the study.

Doug Dooley, chief operating officer of application security firm DataTheorem, says: "Security is a weak-link sport, not a strong-link sport."

"Because security is asymmetric warfare, you have to be focused, and you have to find a way to bring security to the individual."
Doug Dooley

3. Lead from the top

Companies that fail to create a cybersecurity culture are often not getting leadership from the top. One in three respondents to the survey cited executive support as the major stumbling block. 

Management needs to walk the talk, ISACA's Clyde said. "They need to take ownership of their own cybersecurity."

"I've seen a lot of incidents where the management says that cybersecurity is important, but then they turn around and ask for exceptions—and that is the death knell of any cybersecurity program."
Rob Clyde

4. Incorporate more automation

Finally, companies should support employees by looking for places where security can be automated and built into software development and daily processes. When automation makes employees' jobs easier while folding cybersecurity into their daily workflow, it can significantly improve a company's cybersecurity posture, said DataTheorem's Dooley.

"Automation is powerful. The automation helps speed their work, and it almost becomes addictive."
Doug Dooley

While improving cybersecurity culture helps lay the foundation for reducing a business's future risk, success is not just about culture, ISACA's Clyde said. Tools are also necessary to support employees, and companies should invest there too.

"All the training in the world will not prevent a company from having a person click on an email. We are going to get diminishing returns to training people, and, for those reasons, putting in additional tools also has to be part of the equation."
Rob Clyde