6 Keys to Navigating and Influencing Security Culture

Updated on September 9, 2024

At the most basic level, culture boils down to the things people do when nobody is looking: the repeated, subconscious behaviors done out of habit. Culture is shared and integrated. For instance, when somebody new joins the company, they may notice how coworkers lock their computers, or how they wear access cards around their necks showing their ID. Culture is also adaptive: as situations change, so does the culture of an organization.

Influencing Cybersecurity Culture

Achieving any kind of cultural influence or change can be difficult because people have acquired certain notions, traits, and attitudes based on past experiences. Let’s explore key steps that can help bring about positive change to a security culture:

Take Stock of Where You Are and Where You’re Going

Conduct a culture survey to understand current patterns, assumptions, and norms. This helps you see the gap between where you are and where you want to be, and shape the strategy used to bridge that gap. Establishing a baseline also supports benchmarking, measurement, and reporting on your progress. Interview different divisions, departments, and leaders. Know their expectations. Solicit feedback on whether the changes you propose will have a positive or negative effect.

Focus on Educating Users, Not Just Making Them Aware

Throwing information at people and expecting them to take action doesn’t really work. People need to understand why they are being asked to practice security. What’s in it for them? Make things relatable, and communicate in a language or format they understand. If you tell staffers there’s a blue Hyundai in the parking lot, they might not care. But if you tell them there’s a blue Hyundai in the parking lot with graffiti spray-painted on the hood, that draws their attention. Similarly, people know they should use multi-factor authentication, but if they do not understand how it protects their login credentials, it can feel to them like unnecessary work.

Leverage Human Psychology To Shape Good Hygiene

Do you care what people know, or do you care what they do? In a cafeteria setting, if you put healthy foods at eye level and unhealthy choices lower down, people tend to select the healthier option. In the men’s room at Amsterdam’s Schiphol airport, an image of a fly printed in the urinal caused users to aim more deliberately, resulting in a cleaner restroom. Sometimes you have to understand human psychology to influence behavior. If you find yourself uncomfortable dealing with behavior issues, recruit talent from HR, marketing, and public relations, or bring in outside help.

Be Realistic About the Short Term and Optimistic About the Long Term

Applying sudden changes can lead to distraction, confusion, and friction. Tread carefully and do not apply too many changes too fast. Don’t try to implement the toughest things first. People need time to accept change, and habits don’t change overnight. Cut people some slack, expect mistakes, and empathize. Start with incremental changes, then let the cadence ramp up while keeping an eye on the long-term prize: improving the company’s security posture.

Be Aware of Your Scope and Sphere of Influence

If you’re a junior security person, you probably do not yet have the standing to drive major change. This is where leadership must step in, because culture spreads from the top down. Culture also has informal and social components. Leaders lead by example. Identify champions within the organization, the individuals who are naturally security-focused, and fold them into your strategy so they can serve as advocates, influencers, and guides.

Account for Dependencies Before Rolling Out Change

Any culture change exercise must be treated like a planned technology rollout, accounting for dependencies and risk mitigation. For example, if you tell cigarette smokers that they must use the back door and keep it locked, be sure to install a keypad so that re-entry is as easy and secure as possible. Similarly, if you want employees to report phishing emails, make the task seamless and frictionless: deploy a “report phishing” button in the mail client or browser, provide clear reporting steps, and give people access to a security hotline. Empower users rather than overburdening them with extra processes.

Security culture is gaining momentum in boardrooms and on CISO agendas. But the concept is still misunderstood, because culture is often confused with security awareness. Even though security awareness does not immediately translate into a healthy culture, it still holds an important role in your culture change program. Use awareness as a lens for understanding the culture. When designing your program, think about what you are doing from an awareness perspective: how it actually affects the culture versus how you would like it to affect the culture. Then leverage and reshape awareness exercises along with the recommendations above, taking stock of where you are (status) and deciding when to apply user education, which should always be a sustained effort.

Erich Kron
Security Awareness Advocate at KnowBe4

A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing, and defense fields, Erich Kron is Security Awareness Advocate for KnowBe4. An author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP, and many other certifications. Erich has worked with information security professionals around the world to provide the tools, training, and educational opportunities needed to succeed in information security.