Organizations that prioritize a strong cybersecurity culture reap considerable benefits, including risk reduction, reputation protection, and increased sales opportunities in regulated industries.
Building a successful company-wide security culture reduces risk far better than relegating security to any single department or team. In addition, TechTarget explains that a strong cybersecurity culture leads to “improved confidence in the company’s reputation and trust for developers, partners, customers, stakeholders, and employees.”
Because building a robust security culture is so important, executives, managers, and board members all must support any efforts to accomplish this goal. When it comes “from the top,” building a strong security culture that touches every part of the organization is much easier. Decision-makers can do the following to shape a culture of cybersecurity.
Decision-makers can start by modeling good cybersecurity processes and demonstrating their commitment to cybersecurity through their actions. Leading by example begins with small, conscientious habits, such as locking a laptop screen whenever they step away from it.
It’s also essential to present security as a long-term business enabler — not a hindrance. Your organization should understand that strong security can help you win against the competition, successfully target new markets (especially highly regulated ones like finance and healthcare), and close more business.
Being public about cybersecurity efforts and celebrating milestones like achieving SOC 2 compliance are great ways to communicate to the team that security is important at the organization’s upper echelons.
Developing and implementing clear cybersecurity policies and procedures and communicating them to all employees regularly is critical.
Be sure to create and enforce policies around the following business activities:
When it comes to building a culture of security, one of the keys is making sure that security-related processes and procedures aren’t a huge burden for the teams responsible. Security automation can make a huge difference in reducing manual efforts and ensuring time is spent in the best possible way.
For instance, Christopher Reddekopp, Level 2 Support at Tullahoma Utilities Authority, lacked the resources to enforce cybersecurity procedures across his organization consistently. He collected logs from across his organization but didn’t have the time or resources to review them all. To streamline investigating and responding to incidents, he implemented SIEM automation with Blumira.
Reddekopp reports the automation “has saved me a lot of time and heartache from having to parse through logs and attempt to set up log filtering. It’s like having a watchdog over the house 24/7, knowing that if an intruder does come in, it will sound the alarm.”
Decision-makers should provide employees with ongoing training and resources to protect themselves and the organization from cyber threats. Essential training topics include phishing and social engineering awareness, storing data securely, using two-factor authentication (2FA), connecting through a VPN, and keeping endpoint security tools enabled and up to date.
Cybersecurity training should be tailored to employees’ roles and responsibilities and delivered in various formats, such as online courses, workshops, and simulations. Remember to update training modules regularly to reflect changes in the threat landscape and the organization’s business needs.
Because 74% of breaches involve a human element, such as a mistaken click or a reused password, widespread security awareness training significantly strengthens your organization’s cybersecurity posture. Well-trained employees are a control that no tool or process can fully replace when it comes to protecting customer data and proprietary information.
By creating a culture of security awareness and vigilance, your organization can work together to protect customer data and company secrets. Increasing participation and interest in security can lead to better business results and a stronger public image.
Princeton University’s three-year security strategy is a real-world example of establishing security awareness. They spread security awareness to their community of thousands of students, staff, and faculty — a three-year-long process that took plenty of creativity and out-of-the-box thinking. Once their program was in place, they identified key strategies that helped them succeed, including:
As you implement these practices, tracking quantitative metrics, analyzing results, and identifying improvement areas are essential. Here are some key metrics to consider:
MTTD (mean time to detect) measures the average time it takes to detect a security incident, while MTTR (mean time to respond) shows the average time it takes to respond to a security incident and contain the damage. IBM’s 2023 Cost of a Data Breach report found that organizations making extensive use of security AI and automation, which lowers MTTD and MTTR, saved nearly $1.8 million per breach compared with organizations that did not.
Examining Blumira’s customer data, we’ve found that our average time to identify an incident is about 32 minutes. In contrast, IBM reports an average of 212 days, or 5,088 hours, to identify a breach. Against that benchmark, a 32-minute detection time is more than 99.9% quicker. Note that the two figures are not measured the same way: IBM’s number is the time until an organization recognizes it has been breached, whereas ours is the time until the platform raises an alert, so treat the comparison as indicative rather than like-for-like.
When companies reduce MTTD and MTTR, they can
The sooner an incident is detected and the faster it is contained, the less damage an attacker can do. So, MTTD and MTTR are key metrics to pay attention to as you develop a security culture at your organization. Of course, you’ll need strong security tools in place to ensure you can measure these metrics on an ongoing basis.
Measure the percentage of users or constituents at your organization who have completed cybersecurity training. This metric shows the success of a training program and can also reveal gaps in information delivery. In some cases, teams can identify specific groups or departments who need more training or home in on ways the training needs to be streamlined to make it more “doable” or approachable for everyone.
In Princeton University’s case, training completions directly correlated with adopting strong security practices, such as using a password vault to store strong passwords.
ISACA reports, “Due in large part to the awareness program, Princeton users exhibit better password management, reduced phishing risk, understanding of the threat to both their personal and professional lives, and a heightened awareness of appropriate actions and responses for cybersecurity: After only one year Princeton counts 1,100 LastPass accounts, 75 percent of which are used regularly, out of a 2,500 staff target.” It’s key to remember that you won’t achieve perfection right off the bat, so focus on continuous improvement.
When organizations provide their employees with robust security awareness training, they can
By measuring the percentage of users who click on phishing links, organizations can better understand the effectiveness of their security training programs and security culture at large. A lower phishing click-through rate shows that a team can successfully identify phishing schemes and will better protect organizational data from malicious activity. Track the report rate alongside it: the percentage of recipients who report a suspicious message to the security team tells you whether people are actively defending the organization, not merely avoiding a bad click.
Many organizations use phishing simulations to train staff members and to get quantitative measurements of phishing click-through rates. Shift, a healthcare technology provider, uses KnowBe4’s phishing simulator to train and test their employees. As a result, the Shift team reports that “approximately 80% of our employees contact our IT/security team to determine if an email is a threat and how to handle it.” Again, perfection is rarely attainable, but an 80% report rate is respectable!
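The three metrics above (MTTD/MTTR, training completion rate, and phishing click-through and report rates) are simple to define but easy to compute carelessly, for example by counting a still-open incident as having zero response time. The script below is an added example, not code from Blumira or any product mentioned on this page; it runs over a small set of constructed incident, phishing-simulation and training records defined inline, excludes undetected and uncontained incidents from the averages, and breaks the rates down by department so that the groups needing more training stand out. The record layout and department names are assumptions for illustration.

```python
"""Security-culture metrics over constructed sample records (added example, not Blumira code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    name: str
    occurred_at: datetime            # when the attacker activity began
    detected_at: Optional[datetime]  # None = still undetected
    contained_at: Optional[datetime] # None = still open


@dataclass
class PhishResult:
    user: str
    department: str
    clicked: bool   # followed the simulated phishing link
    reported: bool  # reported the message to the security team


@dataclass
class TrainingRecord:
    user: str
    department: str
    completed: bool


def _mean_minutes(deltas):
    """Average of a list of timedeltas in minutes; None when nothing qualifies."""
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 60


def mttd_minutes(incidents):
    """Mean time to detect: occurrence to detection, over detected incidents only."""
    return _mean_minutes([i.detected_at - i.occurred_at for i in incidents if i.detected_at])


def mttr_minutes(incidents):
    """Mean time to respond: detection to containment. Open incidents are excluded
    rather than counted as zero, which would otherwise flatter the number."""
    return _mean_minutes([i.contained_at - i.detected_at
                          for i in incidents if i.detected_at and i.contained_at])


def rate(records, predicate, key=None):
    """Fraction of records satisfying predicate: a float overall, or a dict per group."""
    groups = defaultdict(lambda: [0, 0])
    for r in records:
        g = key(r) if key else None
        groups[g][1] += 1
        groups[g][0] += 1 if predicate(r) else 0
    result = {g: hit / total for g, (hit, total) in groups.items()}
    return result[None] if key is None else result


def phishing_click_rate(results, by_department=False):
    return rate(results, lambda r: r.clicked, (lambda r: r.department) if by_department else None)


def phishing_report_rate(results, by_department=False):
    return rate(results, lambda r: r.reported, (lambda r: r.department) if by_department else None)


def training_completion_rate(records, by_department=False):
    return rate(records, lambda r: r.completed, (lambda r: r.department) if by_department else None)


# Constructed sample data (assumed, for illustration only).
T = datetime(2024, 3, 1, 9, 0)
M, H, D = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
INCIDENTS = [
    Incident("phish-1", T, T + 30 * M, T + 2 * H),
    Incident("brute-force", T + D, T + D + 10 * M, T + D + 50 * M),
    Incident("malware", T + 2 * D, T + 2 * D + 50 * M, None),  # detected, still open
    Incident("insider", T + 3 * D, None, None),                 # not yet detected
]
PHISH = [
    PhishResult("alice", "eng", False, True),
    PhishResult("bob", "eng", True, False),
    PhishResult("carol", "sales", True, False),
    PhishResult("dave", "sales", True, True),
    PhishResult("erin", "finance", False, True),
]
TRAINING = [
    TrainingRecord("alice", "eng", True),
    TrainingRecord("bob", "eng", True),
    TrainingRecord("carol", "sales", False),
    TrainingRecord("dave", "sales", True),
    TrainingRecord("erin", "finance", True),
]

if __name__ == "__main__":
    print("MTTD (min):", mttd_minutes(INCIDENTS))
    print("MTTR (min):", mttr_minutes(INCIDENTS))
    print("Click rate:", phishing_click_rate(PHISH), phishing_click_rate(PHISH, True))
    print("Report rate:", phishing_report_rate(PHISH), phishing_report_rate(PHISH, True))
    print("Training:", training_completion_rate(TRAINING), training_completion_rate(TRAINING, True))
```

On the sample data the per-department view is what makes the metric actionable: sales has a 100% click rate and only half of its staff have completed training, while finance clicked nothing and reported everything, so the next training push can be targeted rather than organization-wide.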
Leadership teams can rely on risk assessments to steer their security efforts in the right direction. TechTarget recommends five general steps to include in a risk assessment:
Organizations can customize these steps to match their specific objectives. By evaluating and resolving risk in an organized way, they can target the key areas of risk within their organization rather than try to “boil the ocean” and possibly waste valuable resources and budget.
When done right, risk assessments can help organizations:
Although many leaders want to foster a strong cybersecurity culture, some might find adding cybersecurity to their already-full plates is overwhelming. These leaders need to choose solutions that empower them to build strong security practices that are manageable and maintainable.
We designed Blumira’s solutions to help busy leaders achieve a strong cybersecurity culture.
Our platform supports time-pressed teams with:
Want to learn more? Listen to our CTO & founder explain how to build a security culture in a time of increasing complexity.