How to assess and improve the security culture of your business

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Security Product Marketing Manager Natalia Godyla talks with Cygenta Co-founder and Co-Chief Executive Officer Dr. Jessica Barker, author of “Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career” and co-author of “Cybersecurity ABCs: Delivering awareness, behaviors and culture change.” In this blog post, Jessica talks about how to build a security culture.

Natalia: How are most organizations doing? What is the state of cybersecurity culture?

Jessica: It varies—a lot of it comes down to resourcing and the emphasis placed on security from the leadership level. It can also come down to the experiences of the security team, security leadership, and the organization in terms of security incidents or near-misses. We’ve seen a lot of improvement in recent years, and that’s largely because there’s more awareness among leaders that security culture is important. Just 5 years ago, but particularly 10 years ago, there was very little discussion around culture and security culture.

Every year, we ask ClubCISO, a private group for senior information security professionals and security leaders, about security. For the last three years, they said security culture is their number one hot topic for the year ahead. They even said it in March 2021, tying with cloud. When I think about the year that cloud has had and the forced digital transformation many organizations have been through, it speaks volumes that security culture is as important of a priority as securely moving to the cloud.

Natalia: What does a cybersecurity culture assessment entail?

Jessica: In a cybersecurity culture assessment, we listen to the organization and the people who work there and understand security assumptions. When I speak to people about security culture, there’s often this idea that it is about how people behave, and that if we collect metrics around phishing, for example, it will tell us about the security culture. However, that will tell us something superficial. It’ll tell us what people are doing, not why they’re doing it.

Understanding the “why” is absolutely crucial because that’s your point of influence to change behavior. The “why” helps in understanding underlying assumptions and determining what you can do if there are gaps between what the security team wants and what people are doing.

The first stage is to understand the organizational culture, mission, and values and review the cultural symbols in the organization, including the branding, training, and messaging. Then, we run surveys, focus groups, and one-on-one interviews to encourage conversation, facilitate discussion, and understand what’s happening on a day-to-day basis, and most importantly, why.

Natalia: What are the indicators that a company needs a cybersecurity culture assessment?

Jessica: One prompt for most of our clients is that they feel like they need to do more to manage human risk, but they don’t know what. There may be incidents or near-misses. There may be indications around phishing or how people are managing passwords. There may be behavioral indicators—what they want from the people in the organization doesn’t match reality. Another key prompt is not understanding why their current culture isn’t developing in the way that they would want. Often, the organizations will have tried to deal with this in one way or another through awareness-raising, and there’s frustration because they’re telling people what to do, and they’re still not doing it. It takes a level of maturity, and it often takes organizations that aspire to be people-centric, to help their workforce be more security-conscious.

We measure security culture by gathering a lot of qualitative data to understand why people are doing what they’re doing. It goes back to the classic “start with why,” and then crunching numbers from surveys. We use grounded theory to qualify the data we get back. We immerse ourselves in that data and identify patterns. We also use anonymous quotes, comments, and keywords from workshops, focus groups, and one-on-one interviews to bring that story to life.

Natalia: What are typical challenges to establishing a positive security culture?

Jessica: I’m working with a financial services client that has a very positive organizational culture and lives by their values. But there have been challenges around security culture in this organization for many reasons, including fast digital transformation and growth. It’s taken them until this year to understand what a security culture means for their organization.

Because the people who work there felt loyalty to the organization, they wanted to behave in a secure way. They understood the importance of it, but there were blockers, including a lack of communication on why certain security controls were in place. It’s an entrepreneurial organization that moves quickly, so there were underlying cultural influences encouraging people to behave in less secure ways while prioritizing productivity. We’ve been undertaking a program to help the security team better communicate the “why,” and the organization has been receptive to it.

It’s also very hard to change behavior if the security leadership or organizational leadership team is not on board. Another consideration is the perception of a just culture. If somebody clicks a malicious link or makes a mistake, do they feel that they can put their hand up and report it without being unduly blamed? If people have a perception that the culture is about retribution and “pointing the finger,” that’s damaging to security culture.

Natalia: What’s the biggest mistake organizations make when trying to build and foster a security culture?

Jessica: To try to build a security culture that is not aligned with the business culture. One organization I worked with a few years ago was a very positive and people-centric healthcare organization. They were always seeking to say, “Yes,” to people in their wider organizational culture, but the security team was pushing a security culture that said, “No,” and was perceived as the “Department of No,” like many security teams. That’s a really common problem because the organizational culture will always win out, and if you try and bolt on a security culture that runs against the wider organization, it won’t work.

Often, the organizational culture of a company is not prepared to build a positive cybersecurity culture, and change requires patience. It’s a slow journey. That kind of client isn’t ready for a security culture assessment, so the work focuses on influencing the senior leadership to show them the importance of security culture. When organizations want a security culture assessment, that’s when they’re ready for it.

Natalia: How does the psychological well-being of the security team impact the security culture?

Jessica: At one organization, there was a lack of communication around security. The security team was so stressed, burnt-out, busy, and overworked that they didn’t have time to engage with their colleagues in the rest of the business. It led to the impression that the security team was not friendly or approachable, and it created a barrier to a positive security culture. Taking care of the well-being of the security function is fundamental.

To immediately improve the well-being of their team, managers can talk about the issues. If you’re comfortable doing so, this can include talking about your own mental well-being or acknowledging burnout, stress, and impostor syndrome. These are real issues in the industry, and it can be a relief for people to hear that they’re not alone and to have this safe space. It makes everyone feel more comfortable saying, “Hey, I need a day off for my mental health.” Mental health days are crucial in organizations, but leadership must show that they’re a priority.

Natalia: Besides an assessment, how can security teams improve their understanding of human risk?

Jessica: Behavioral economics, neuroscience, and psychology are all disciplines that can teach us about the human side of security and security culture. I’d recommend books like “Nudge,” “Thinking, Fast and Slow,” and the work of Tali Sharot, a neuroscientist, whose work on the optimism bias is very relevant to security. There’s also a lot of great work being done in academia on security culture—papers and research that are advancing the field. It was interesting as well to see this year that Verizon did a shout-out to security culture for the first time in their Data Breach Investigations Report. Security culture is going more mainstream and is now higher up on the agenda in the security profession.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
