Creating a security culture that sticks
Let’s start with a paradox: Without question, your most important weapon in the fight against cyber attacks is your workforce. Yet ironically, employees are considered the biggest risk potentially to IT security.
The trick to breaking this paradox is to raise awareness of security by combining compelling communication with engaging education and training that connects with your people on a personal level. It’s about thinking outside traditional methods to implement campaigns that embrace different cultures and the values of your organisation. It’s also about treating security awareness as a management of change process where you transition individuals, teams, and the entire organisation to a desired state. In this case, the desired state is a positive and sustainable security culture – transforming from a state of simply paying attention to security because it’s part of their job to one where security awareness is a natural part of everyday behaviours.
Make it personal
At HPE, we believe such change needs a committed investment of time, resources and ongoing effort to be truly impactful against current risks. We also understand that every company has a different security culture, heavily dependent on intercultural and individual aspects. That’s why our awareness campaigns are as individual as the company itself. And because we regard security as a management of change process, we focus very much on the internalisation of values and well as knowledge transfer. We believe it’s much more effective to engage with employees on an emotional level, understand what’s important to them, and align their values and existing corporate culture with a core set of security skills.
Think about it as being much more about employees recognising the risks in their daily work and less about drilling a list of ‘do’s and don’ts’ into them. They can then combine their understanding of risk with supportive behaviours on a personal level that contributes to the overall protection of your organisation.
Also in the fight against cyber crime, it’s crucial for IT Managers to think beyond mere technical tools to protect data. An effective and sustainable IT security system and culture works if it cuts across processes, hierarchies and roles. A clear view of the organisation, its culture and interdependencies means security awareness can be targeted at specific groups of employees, delivering a set of core security skills relevant to individual roles.
Be creative and cultural
Every person and organisation is different so for an awareness programme to be effective, it needs to be interactive, creative and dynamic – using a mixture of channels and approaches to address different regional and national cultures.
Equally, the more employees can apply their learning and embed their security culture outside of work the more it becomes a natural part of behaviour – in the way they use the internet and social media for example. This is by no means an easy task, primarily because it requires a fundamental shift in current patterns of behaviour and routines. But if you use a targeted individual and group approach to security awareness you’re much more likely to address real and current needs in both an employee’s working life and private life.
Responsibility, trust, communication and cooperation are the four cornerstones of an engaging security culture – and one in which your employees are motivated to play an active role. With the right approach, they can use both their successes and mistakes as opportunities to learn and improve, and by understanding what and how to protect security employees become your greatest allies in the war against cybercrime.