Why a robust security culture begins with people

With today’s increasingly fragmented workforce and the constant evolution of geopolitical threats, the security function of a business needs to be more resilient than ever. As companies confront unfamiliar threats in the wake of the pandemic, they should put people at the centre of any response strategy and encourage a positive culture of understanding and awareness around security issues.

A recent study by ClubCISO, supported by Telstra Purple, surveyed 100 CISOs in its largest research project yet. The study examined the security and cyber resilience issues facing businesses across the globe, and identified cyber resilience as one of the top three topics on the CISO radar, alongside security culture and cloud security.

Why security culture is key

Strengthening the security culture of a business in turn increases its cyber resilience to both internal and external threats. There is progress on this front: the research shows that 39% of CISOs have implemented a strategic security operating model to embed security awareness in the culture of the organisation.

However, despite CISOs’ optimism about their organisation’s preparedness to respond to current challenges, employees are still falling foul of phishing messages as malicious external attacks continue to target remote workers. CISOs in the report attribute 40% of material incidents to malicious outsiders and 42% to non-malicious insiders, which shows that well-meaning staff are almost as likely to be the path into an incident as an attacker is. Additionally, while nearly all CISOs report that they are working to establish a good security culture, few say they have reached a ‘best practice’ stage, and fewer than half believe their organisation has a positive security culture.

The complexity of establishing a functioning security culture, together with the inherent difficulty and unpredictability of these attacks, illustrates why people must be put back at the heart of security. The success of CISOs depends on a well-informed workforce that practises good cyber hygiene.

Building a functioning security culture 

It is important to deliver interesting and engaging security awareness training that feels useful and practical to employees. Sessions that everyone in the organisation can understand and act on also make clear what the organisation’s security norms actually are.

Beyond awareness training, organisations need to adopt a whole-of-company approach by implementing a wide range of measures. For instance, they can appoint security champions and introduce a proactive ‘report it’, ‘no blame’ policy to foster a stronger security culture. The key is to engage individuals effectively, which requires measuring behaviour to track progress: for example, how often and how quickly staff report suspicious emails, rather than simply what percentage of them completed a training module.

However, there is still room for improvement among the organisations surveyed, as 49% of CISOs report that organisational culture is a blocker to achieving their security objectives. Further, a significant proportion still observe a culture that is quick to assign blame for security incidents. Such incidents are driven underground: fewer than half of the organisations have a proactive ‘no blame’ policy on reporting them, so the people best placed to raise the alarm have a reason to stay quiet.

Openness, not fear, to achieve long-term goals

With news of data leaks, cyber attacks and cyber warfare frequently in the headlines, it is understandable that fear is often associated with cyber security. CISOs must take ownership of this and lay the groundwork for openness and understanding. Many incidents go unreported because the targeted employees worry about the repercussions of reporting an attack that is associated with them, and an incident that is not reported cannot be contained.

It is therefore vital that CISOs train their employees and provide a supportive environment in which they can openly ask questions, spot and avoid threats, and report suspected incidents without fear of blame. Because a strong security culture is shaped only by the behaviour of individuals over time, leaders also need to set an example for employees to follow. This requires sustained commitment and effort, but it lays the foundation for a robust security culture that underpins the organisation’s long-term success.


By Manoj Bhatt, Head of Cyber Security Advisory and Consulting at Telstra Purple EMEA.

