Experts predict that global businesses will spend a whopping $172 billion on cybersecurity this year (up from $150 billion in 2021). Despite such steep investments in cybersecurity systems, cyber-attacks continue to break new records. This is because most attacks have more to do with faults in human behavior rather than security technology itself.
Human behavior cannot be predicted, programmed, or controlled by technological defenses. That’s why security culture is becoming an increasingly important defense strategy. Security culture can be defined as a combination of beliefs (an internal feeling regarding cybersecurity which usually stems from one’s own experiences and external influences), values (what employees consider important from a security perspective), attitudes (how employees perceive security and approach situations that result in a behavior), behaviors (actions that employees can take when they encounter a potential cyber threat) and social pressures (the shared expectations and modeled behaviors that comprise a group’s unwritten rules) that are reflected in the daily actions of employees.
Sculpting human behavior is a complex process and even the most security-savvy organizations can find it challenging to sustain a robust security culture over the long term. Some of the roadblocks that organizations encounter while building a security culture include:
- Mental Biases
Our minds are often clouded by distractions, emotions, and habits, which can result in impulsive judgements and risky behavior. Actions that employees take on a daily basis are the result of habits, past experiences, peer influence and preconceived notions. Such biases impact security in many ways; they can create blind spots and result in miscommunication or misinterpretation of a well-thought-out security program.
- Poorly Drafted or Implemented Security Policies
Information security policies and procedures are one of the most fundamental tools that organizations use to influence cybersecurity culture. When policies and procedures are not drafted or implemented well, or not communicated properly, they can be one of the least effective tools from a cultural standpoint. If employees are not adhering to policies, or are working around them, it is likely that the policies are not properly designed or are preventing employees from performing their jobs effectively. It’s a natural response: if a worker confronts an obstacle, they will find ways to bypass it. So the directive to “change passwords every six weeks” is all too easy to ignore and forget.
- Failure to Lead by Example
It’s impossible for organizations to succeed in cultural change if leaders themselves don’t walk the talk and promote the importance of positive security behavior. Everyone knows that culture is infectious, and the actions that leaders take can have a big impact on people. If leaders blatantly ignore security protocols or avoid participating in cybersecurity training, they are setting a bad example for employees. Eventually, employees will get worse, not better.
- Absence of a Continual Improvement Model
Technology is continuously evolving in sophistication, and hackers are evolving alongside it. The type of attacks an organization experiences today most likely won’t be the same as what it experiences tomorrow. In the absence of a model for continuous improvement, sporadic or episodic training initiatives will not make a significant impact on culture. Subsequently, the organization and its employees will be left vulnerable and exposed to a range of threats that they have not been adequately prepared for.
- Programs That Work Against Human Nature
Security culture isn’t one-size-fits-all. Every organization is unique from a security perspective, and every employee has a different level of security maturity. Additionally, human beings are inherently social creatures of habit. Security programs that do not account for this reality often fail because organizations expect too much from their employees, or because the program works against basic human nature.
- How Can Organizations Avoid These Cultural Roadblocks?
The first step organizations should take is to invest their time and effort in identifying and understanding cultural challenges using a data-driven approach. Start by creating a baseline assessment of the attitudes, beliefs, biases, behaviors, and social norms that exist in the organization, and create a strategy to track and improve those metrics over time. Ensure your information security policy is a “living document” that is updated as employee requirements and the technology landscape change. Get leadership teams to recognize and practice security culture as a core pillar of the organization’s foundation, not label it as just another risk mitigation initiative. Training programs and phishing simulation exercises must always include real-world examples, must be exciting (even gamified) and engaging, and must test workers on the latest threats. An overarching cybersecurity committee drawn from diverse departments should ensure that security programs are updated regularly and work in favor of employees, not against them.
Keep in mind that security culture isn’t something that can be built overnight. Having said that, sustained investment in security culture will bring better security ROI in the long run and help organizations build the human defense layer that every industry today desperately needs.
Written by Perry Carpenter.