Security Awareness Training

    9 Ways to Build a Robust Cybersecurity Culture

    Effective cybersecurity requires a pervasive organizational culture where everyone knows what to do and is committed to doing it.

    by Bill Camarda

    Key Points

    • Creating a culture of cybersecurity requires honest, plain-English communication that motivates people around a common goal.
    • The cybersecurity awareness training that’s needed to achieve this should be relevant, entertaining and ongoing.
    • A positive and constructive approach almost always works better than one that’s punitive and fear-inducing.

    Advanced technologies such as AI and machine learning have become cybersecurity essentials, but they are still insufficient on their own. As most CISOs and cybersecurity professionals realize, technology alone will never be an adequate safeguard. Attackers routinely go around technical controls by going through people: a distracted employee who clicks, approves or discloses something is still the most reliable way in, so cultivating a culture of cybersecurity is critical to your organization's defenses.

    One way of thinking about your company’s cybersecurity culture is that it’s “what happens with security when people are left to their own devices.”[1] Are employees likely to think about security and do the right thing when it matters? If so, the organization’s security culture shaped their reaction and behavior — and strengthening that culture means actively intervening to ensure more of the reactions and behaviors you need. That’s what cybersecurity awareness training is for — and here are nine ways to make it as effective as possible:

    1. Explain What’s at Stake

    It's surprising, but at many companies employees still don't know the value of what they're being asked to protect. So tell them. For example: sensitive customer data they would want kept private if they were your customer; competitive secrets, such as marketing initiatives and product research; and information the organization has a legal responsibility to safeguard, such as HIPAA-protected medical records. Then explain how all of this bears on the company's reputation and even its survival, given that it can be held publicly accountable for any violations or breaches.

    Employees also need to realize that in this age of working from home, the company's attack surface now includes their home networks and personal devices: anyone who targets their employer is also targeting their household, so by protecting the company they are also protecting themselves.

    2. Make Sure People Know You Really Need Their Help

    Security pros know that technical safeguards aren't foolproof, but many rank-and-file employees do not. Some still think they can click on whatever they want because the company's security systems will always keep them safe. They need to understand that no security control is perfect, that controls are layered precisely because each one can fail, and that their own judgment is one of those layers: it's up to them to avoid unnecessary risks and to report what slips through.

    3. Explain Why You’re Doing What You’re Doing

    It's not enough to make employees security aware if you then fail to keep them up to speed. So, if you take additional steps such as rolling out a VPN or requiring two-factor authentication, explain the reason for the change, what threat it addresses, and why the added inconvenience is worth it.[2] People who understand why a control exists are far less likely to look for ways around it.

    4. Make It Easy for Employees to Do What’s Right

    Ask yourself: Do employees know where to report a suspicious email, or how to verify the authenticity of a business-related phone call before acting on it? Is there a simple, well-known way for them to contact corporate security to ask a question or request advice?[3] If reporting takes more effort than ignoring, most people will ignore.

    5. Put Out the Welcome Mat

    Does an employee’s “radio silence” mean all is well, or that the person is afraid to reach out for fear of being punished or patronized? At too many companies, people think that interacting with the cybersecurity team means they’ve done something terribly wrong. Organizations with strong cybersecurity cultures allay these fears with routine communications and casual outreach.[4]

    6. Be Constructive, Not Punitive

    Rewarding good behavior works much better than punishing mistakes. Fear of reprisal only leads to grudging acquiescence, not the deeper buy-in you want. And when people are afraid to admit a misstep, they look for ways to hide what they've done, which means the security team learns about a clicked link or a leaked credential late, or not at all, and the company's risk only increases. The employee who reports "I think I just entered my password on a fake page" is giving you the earliest possible warning; treat them accordingly.

    7. Make Cybersecurity Training Fun, Engaging, Comprehensible and Continuous

    The worst thing you can do is to present cybersecurity training as a one-and-done exercise in compliance. If you want to turn off your audience and belittle the subject matter, there is quite honestly no better way.[5]

    If you want employees to embrace cybersecurity and take it seriously, take the opposite route. Provide training that’s fun and based on real experiences, and deliver it in bite-sized, easy-to-consume, plain English presentations. Brief and frequent lessons do more than make the subject digestible; they also carry the message that cybersecurity is now a regular and important part of corporate life.

    8. Imbue Your Training with a Heavy Dose of Reality

    Relevance is golden. For your cybersecurity awareness training sessions, grab any opportunity to base them on real incidents — either at your company or reported in the news. Statistics — no matter how powerful — are easy to forget. But people will always remember the lessons of an incident involving people they work with and circumstances they can relate to.

    9. Encourage Executives to Walk the Walk

    Your company's most senior executives are cybercriminals' biggest targets; that's why phishing campaigns aimed at them are known as "whaling," with the executives themselves as the "whales." These corner-office occupants have the greatest access to mission-critical systems and the most authority to transfer funds and dispense cash. Unfortunately, at many organizations they are also among the most resistant when it comes to maintaining good cyber hygiene, and the most likely to be granted exceptions to controls.[6] In other words, your executive team needs regular cybersecurity training at least as much as anyone else, although their training should also emphasize why they are the top targets for criminal hackers and how the example they set can either degrade or elevate the entire organization's culture around cybersecurity.

    The Bottom Line

    Even the most sophisticated security technologies will be only as effective as the people who use them, and rallying employees to make their best efforts requires a strong culture of cybersecurity. A cybersecurity awareness training program that takes all nine of these practices into account is the cyber professional's best tool for building that culture, one that can serve as the anchor for your company's cyber defenses.


    [1] "6 ways to develop a security culture from top to bottom," TechBeacon

    [2] "The Importance Of Training: Cybersecurity Awareness As A Firewall," Forbes

    [3] "Employee Reporting," US Cybersecurity Magazine

    [4] "Cyber Security Culture: Why It Matters for Your Business," CyberTrails

    [5] "Don't Make Security Training a 'One-and-Done,'" Dark Reading

    [6] "How important is security awareness training for executives?" TechTarget
