The secrets to building a successful security culture

Your security culture is – and will always be – a subcomponent of your larger organisational culture. In order to meet your security awareness goals, you have to weave security-based thinking and values into the fabric of your organisation’s primary culture. But how do you achieve this? I’ve identified four secrets to success when it comes to building a strong, intentional and sustainable security culture:

1. Understand where you’re coming from and where you’re heading

The old saying, “Failing to plan is planning to fail,” holds true here. The key to implementing secret number one is to use a framework that ensures you approach things in a structured manner, rather than simply making it up as you go along. This is particularly true in large global organisations, where it is important to conduct a series of interviews or quick surveys to understand how different divisions and leaders view security, how well they understand policy and best practice, and what is important to them. The outcomes will reveal whether your key executives are aligned and whether there are political or logistical hurdles that you need to work through as you build your plan.

Once you have these insights, you can begin to create your goals for the year. The SMARTER goal-setting framework is proposed by several productivity gurus, and I think it works well in this instance. There are a few different versions of the SMARTER framework; the one I recommend is the Michael Hyatt version (SMARTER = Specific, Measurable, Actionable, Risky, Time-keyed, Exciting, Relevant).

2. Use your organisational culture to view security awareness

Organisational culture and security culture are not one and the same, but it’s important that they are closely aligned.

There is often confusion on what organisational culture really is. It’s the sum of subconscious human behaviours that people repeat based on prior successes and collectively held beliefs. It’s not the sum of roles, processes and measurements. Similarly, security culture is not (just) related to “awareness” and “training”; it, too, is the sum of subconscious human behaviours that people repeat based on prior experiences and collectively held beliefs.

While culture is shared, learned and adaptive, it can be influenced. It takes a group working collectively, and it begins with the leaders.

The existing culture in your organisation must be the driver for changing behaviour around security. For instance, if your organisation has a marketing team that helps with internal communications, then you have to understand how they use communication methods, formats and branding. You have to do this so that *your* communications speak with the established voice and tone of the company; otherwise they will be seen as disconnected and (worst of all) irrelevant. You also need to get an idea of where there are divisional, departmental and regional nuances, and work within the specific cultural frameworks of each of these segments. And, to make things easier and more efficient, know what your organisation’s existing communication channels are so that you can plug into them (for example: existing meetings, executive videos, etc.).

3. Use behaviour management principles to shape good security hygiene

One of my favourite phrases is, “Just because you’re aware, doesn’t mean that you care!” What I mean by this is that security awareness and security behaviour are not the same thing. Your security awareness programme shouldn’t focus only on information delivery. There are plenty of things that people are aware of but simply don’t care about; we need to make people care.

Because of this, if your security awareness programme is focused on reducing the overall risk of human-related security incidents in your organisation, you need to incorporate behaviour management practices. We need to create engaging experiences for users that drive specific behaviours. BJ Fogg’s work on behaviour models and habit formation gives great examples of this principle.

Simulated phishing platforms are a good example to consider for your security culture programme. They distil some of the behaviour management fundamentals into an easy-to-deploy platform that lets you send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim to the simulated attack. Do this frequently, and track both the failure rate and the reporting rate across successive campaigns rather than judging by a single send, and you will see dramatic behaviour change.

4. Take a realistic approach to the short term and be optimistic about the long term

Be a realistic optimist within your organisation: know your place and your scope of influence, while remembering that culture starts at the top.

Understand the foundation of your culture and then create a customised roadmap for security culture management. To do so, you must evaluate four areas:

  • “How we engage” focuses on how people collaborate internally and with external stakeholders to deliver on their goals.
  • “How we make decisions” outlines the general leadership style and how this affects the outcomes of the organisational culture.
  • “How we work” defines the working style of teams, how solutions are created, and problems are solved, which affects organisational outcomes.
  • “How we measure” describes organisational performance metrics, and how they affect organisational achievements.

By understanding these four attributes of organisational culture, security leaders and corporate leaders can make informed choices when trying to change cultures and improve an organisation’s overall defence.

When you have completed your planning, created SMARTER goals, understood the nuances of your organisation, and are focused on creating real, sustainable change, you’re ready to get started and stay the course. Many aspects of your programme will be spaced throughout the year, requiring you to be consistent with your efforts, so tenacity is important. As you move forward, keep in mind that to be successful you have to train people how to be trained. Good luck.


By Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4
