The Elephant in the Room: Security Culture Goes Beyond Compliance


Compliance—the adherence to security standards and processes—is a common sight in the cybersecurity industry. For example, organisations implement the National Institute of Standards and Technology (NIST) framework and the International Organisation for Standardisation (ISO) 27001 standard for information security. Besides helping organisations avoid legal fines for non-adherence, the ISO 27001 standard and NIST frameworks require security awareness policies and training. These policies educate staff about healthy security behaviours.

There is, however, a sticking point: compliance with security standards like the NIST framework and the ISO 27001 standard tends to use a one-size-fits-all checkbox approach to drive security awareness. Christian Toon, Head of Cyber Professional Services, shared a similar sentiment: “Compliance can drive a culture of checking the box to deliver the bare minimum, and this is wrong on so many levels when it comes to cybersecurity.” While a checklist compliance strategy helps with certification, it may be too generic to drive a genuine security culture.

To improve employee education beyond compliance, enterprises must consider the context of their organisation and its in-house culture. Security culture dictates the ideologies that guide information security in an organisation. It ensures that every employee understands their role and responsibilities in the cybersecurity chain. Security culture focuses on strengthening the human weaknesses that cybercriminals typically target, in order to thwart malicious actors.

How to Build Security Culture in an Organisation

Irrespective of the technological tools and policies you implement, you’re only as secure as your weakest employees. Creating a company-wide security culture begins with implementing an effective awareness programme. For instance, although 98% of organisations run security awareness training sessions, many enterprises still rely on once-or-twice-a-year training to improve employee behaviour—you can’t create a thriving security culture with this approach.

The context of your organisation should dictate the awareness training. For instance, a company without on-site offices should implement remote work policies and secure communication channels for workplace collaboration and file sharing.

The quality and style of training sessions are essential cogs in the awareness wheel. The conventional lecture-based once-a-year training style is ineffective, as employees typically forget the content of training sessions within six months. Instead, hold one-on-one conversations with employees to determine the training methods that work best for them. Furthermore, add videos and interactive elements to improve knowledge retention and prevent learning fatigue.

Psychology is another element you should consider. Cyberpsychology evaluation assesses and strengthens the cognitive and emotional traits of employees that cybercriminals target in social engineering attacks. It also helps you understand how employees interact with technological tools, so that those tools can be used more effectively.

Another effective approach is tailoring training to the personality and knowledge level of individual employees. It helps organisations build an inclusive cybersecurity culture. A practical example is encouraging junior, non-technical workers to “speak up” when they notice unusual activity during a predefined period. To those junior employees, cybersecurity simply means “speak up.” It’s simple yet effective.

To measure the effectiveness of training sessions, speak with your employees. Collect feedback about their training to gauge their knowledge growth and any blockers affecting their progress. Use the feedback to refine your training strategy.