GRC Viewpoint

5 Ways To Foster A Healthy Security Culture

In an environment riddled with data security breaches, ransomware scams and other exploits related to the ongoing persistence of cyberhackers, few would argue against the importance of establishing a healthy security culture. 

The Importance of a Strong Security Culture

In the past, responsibility for cybersecurity efforts rested almost exclusively with CISOs and IT departments. That’s an old-school approach. Today, most companies recognize that the responsibility for developing a strong security culture rests with everyone in the organization—from the top down. 

But understanding the importance of instilling a sound security culture and actually being able to make it so are two very different things. Lack of clarity about what a strong security culture means can easily lead to misunderstandings and missteps. Let’s look at five practical ways to instill a robust cybersecurity culture.

1. Understand that everyone in the organization must be involved

Security is something that everybody in the organization must be involved with. Why? Because every employee has the opportunity to make or break the security of an organization. 

From staff working in the front office to those on the loading dock, everyone has a role to play. In organizations where shared responsibility is not present, security incidents are more likely. Fostering an open and transparent security climate, where employees recognize their responsibility and—importantly—not be afraid of reporting an incident or admitting a mistake, is the key to strengthening security. 

2. Speak their language

If your policy documents, guidelines, and plans related to security are dry, lengthy, and filled with jargon, you’re not likely to engage anyone—even IT department employees. Instead, take steps to ensure that these documents are engaging and easy to digest.

Use simple language that’s relevant to employees based on the type of work they do. Yes, that means creating more than one version of the communications you’re sending out. Tell people what’s expected of them in different situations that they can relate to. The more clearly you can convey this information to employees, the more likely they are to understand and follow through on training and instructions. Make sure employees know what kinds of social engineering threats they need to be aware of; what they need to do if they suspect a potential threat, and what to do if they experience an incident.

3. Make training and awareness ongoing

One of the weaknesses of security awareness and training is that it has tended to be episodic—something that occurs annually or when an employee is onboarded, or during a compliance mandate review. Instead, this training should be ongoing—and engaging. Training and awareness efforts should be updated regularly to include new real-world cases and new information about emerging threats.

Making training real through the use of simulated social engineering tests (such as phishing simulations) can also help to reinforce security best practices by getting employees to remain on high alert to potential threats—even if those threats are presented as tests of their awareness and effective responses. 

Consider adding a gamification element to these efforts by including rewards and incentives to boost interest and participation. 

4. Lighten up on your “IT as police” control

Employees will continue to turn to their own trusted devices and preferred apps. Instead of trying to block them from doing so, look for secure ways to enable them. Although it may go against engrained IT security beliefs, allowing employees to have some discretion and flexibility in the tools they use can help create more transparency while eliminating potential risks.

5. Recognize, reward, and celebrate employee efforts

Organizations that want to minimize negative behaviors—like actions that can lead to security breaches (i.e., falling for phishing bait or downloading rogue files) —recognize that a punitive culture won’t yield the results they’re looking for. Employees who fear being sanctioned or punished for reporting an incident aren’t likely to report many.

Publicly rewarding positive outcomes and good behaviors makes it more likely that those behaviors will be repeated and imitated by others. Instead of dreading any interaction with the IT department or security team, employees in reward-based environments are more likely to look forward to those interactions. 

By broadening the responsibility for cybersecurity efforts, focusing on communications that are relatable and compelling, engaging employees through transparency, flexibility and reward, companies can be better positioned to strengthen their security culture and achieve tangible business resilience.  


By Perry Carpenter, Chief Evangelist and Security Officer At KnowBe4

About the Author

Perry Carpenter is author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] His second Wiley book publication on the subject. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.

Related Articles

Latest Articles