7 Must-Ask Questions for Leaders on Security Culture

It's not uncommon in today's corporate world to see a creative marketer launching catchy security awareness campaigns, steering the entire company towards robust online safety practices. Elsewhere, job reviews increasingly assess how well employees are performing on the cybersecurity front. The shift in focus is clear.

Organizations have come to understand that sophisticated tech tools aren't the ultimate solution. People are the weak spot. In fact, researchers from Stanford University revealed that roughly 88% of data breaches are caused by employee mistakes.

Not to mention that we've observed a surging trend of attacks that sidestep technology and instead, zero in on people. The strategy is proving effective. Prominent ransomware incidents, such as those affecting Colonial Pipeline, JBS Foods, and Kaseya, have dominated headlines. As our tech-driven defenses become more advanced, malicious actors are adapting, always looking for the easiest entry point. Seeking efficiency and reduced effort, these cyberattackers often find employees to be the most appealing targets.

So, training everyone to have better awareness about cybersecurity isn't just a good idea; it's a must. Based on all this, we've got some recommendations for what leaders need to know and smart questions they should keep in mind for their next big meeting.

Here are five things leaders need to know about cybersecurity culture:

Understanding security culture

The ambiguity surrounding the term "security culture" often stems from a foundational problem: its frequent usage without a clear definition. This lack of clarity paves the way for varied interpretations and assumptions. With this work, we aim to bring clarity to the concept. Security culture is described as the beliefs, traditions, and collective behaviors of a group that shape its security posture.

Why does security culture matter?

Sometimes, employees adopt poor security habits, either independently or due to a lack of proper guidance from the organization. Addressing these habits can be challenging. However, establishing a robust security culture can change their behaviors, enabling an organization to safeguard its reputation, brand, and financial well-being.

What does a good security culture look like?

Suppose an employee, Alex, receives an email from a bank filled with typos and featuring a suspicious link. At a workplace lacking a security culture, Alex thinks, "This is odd. I'll set it aside for now." However, in a company with a solid security culture, Alex’s immediate reaction is, "This could be dangerous. I need to inform IT." Such a prompt action gives the tech team an early warning, allowing them to act before more damage occurs. It isn't about turning every employee into a cybersecurity specialist; it's about ensuring each individual acts responsibly, embodying the qualities of a "security champion."

Prioritizing values, attitudes, and beliefs over rules and policies

Cyber threats often catch organizations off-guard because a significant portion of their workforce isn't adequately informed or prepared for these risks. Leaders hope for their teams to act responsibly, like locking an unattended computer or reporting suspicious emails. However, just organizing training sessions or phishing drills isn't the complete answer. It's the foundational values, attitudes, and beliefs about security that truly drive safe actions. A genuine security culture, anchored in shared responsibility and trust, surpasses standalone policies or tech solutions in effectiveness.

Cybersecurity culture gives your organization a competitive advantage

When employees handle important data and systems daily, they play a key role in maintaining security. It's more than stopping threats; their careful actions make the business more reliable. This strong focus on cybersecurity can make your organization stand out and become a top choice for customers who value safety.

Seven questions leaders need to ask

Leaders must take a front-foot approach to embedding a cybersecurity culture. Evaluating the depth and effectiveness of such a culture requires critical self-reflection. To aid in this endeavor, consider these seven pivotal questions:

Is cybersecurity a priority at all levels?

Cybersecurity should be important at every level of an organization. The Cybersecurity at MIT Sloan consortium has a maturity model that talks about four different stages of organizations’ cybersecurity awareness. At the top stage, everyone knows cybersecurity is part of their daily job. In contrast, at the starting stage, people just know that some tools they use come with security features.

How often are employees trained on cybersecurity best practices?

Cybersecurity isn't a one-time lesson; it's a continuous process. While many companies might provide an initial training session, it's crucial to keep everyone updated about the ever-evolving threats. The best practice is not just to remind them but to engage them. Regular sessions, say every 4-6 months, using interactive methods like examples and videos, can help in retaining the information and ensuring they implement it in their daily tasks. After all, the more informed the staff, the stronger the organization's security front becomes.

What mechanisms are in place for reporting and addressing security incidents?

For an organization to react quickly to security threats, there must be a clear system for spotting and sharing these risks. Every team member should be familiar with the signs of potential security threats and know exactly how to report them. Equally crucial is the company's response – there should be an established process to address and mitigate these incidents.

How do we encourage a proactive security mindset among employees?

The key to strong security isn't just responding to threats but anticipating them. By nurturing an anticipatory approach to security among employees, they won't just react; they'll be ready. They might even stop potential risks before they become real issues. This proactive approach ensures the team is always a step ahead, safeguarding the company's assets and reputation.

Are we measuring the effectiveness of our security culture initiatives?

Without metrics and regular evaluations, it's challenging to determine if security initiatives are making an impact. Metrics can range from tracking the incident frequency and training completion rates to monitoring phishing simulation success rates and the time taken to respond to threats. Regularly assessing metrics like these provides a clear picture of the organization's security posture, ensuring it remains resilient against evolving threats.

How are we addressing the human element of cybersecurity?

Machines can be updated and patched, but human behavior is more complex to modify. Acknowledging humans as a potential weak link means directly addressing their everyday online habits, training frequency, and awareness levels. Solutions might range from behavioral analytics tools that detect unusual actions to regular, hands-on training sessions that simulate real-world cyber threats.

Are our leaders and executives setting the right example?

Leadership's behavior and commitment to cybersecurity cast a significant shadow over the organization. When top-tier leaders actively uphold and emphasize secure practices, it fosters a ripple effect, cultivating a collective sense of responsibility.

Conversely, if these key figures seem careless or not strict towards cybersecurity measures, it could inadvertently send a message down the line that such precautions are secondary or optional. The stance of leadership on cybersecurity not only defines the current values and principles of the organization but also paves the way for future decisions and responses.

Leaders hold a crucial position of trust and responsibility in shaping the cybersecurity culture of the organization. Every moment of delay in addressing culture-related concerns could be costly. By bringing these questions to the forefront during leadership discussions, they can set the organization on a secure path.

Blog courtesy of AT&T Cybersecurity. Author Irfan Shakeel is a cybersecurity thought leader, entrepreneur, and trainer; he is currently vice president of Training & Certification services at OPSWAT. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more AT&T Cybersecurity news and guest blogs here.