Mon, Oct 14, 2019

Eight Steps to Get Employees and Management to Buy Into Your Security Culture Program

As a cyber security manager, you know security culture is important. You know organizations that build and reinforce strong cyber security cultures are better positioned to not only mitigate cyberattacks, but also to respond and recover more quickly when incidents happen. 

But getting people to internalize a security mindset can be a daunting task. The challenge is greater if obtaining the necessary support from the C-suite or board is proving more difficult than you expected. 

This article aims to provide guidance to those who are working to overcome barriers such as a lack of management support, the pressure of time constraints or the common issue of “where do I start?”

Regardless of industry sector, size or turnover, your organization likely falls into one of three general stages on the journey to cyber maturity:

  • Just starting to sow the seeds and get management buy-in.
  • Internal support exists, but a “kick-start” is needed to decide on and implement activities.
  • A mature program is in place, but the organization recognizes that it must keep improving.

The following eight tips will help you have a more productive conversation with leadership and inspire more champions for your cyber security culture transformation.  

  1. Launch With a Burning Platform
    Like any behavioral change initiative, you need to identify the burning platform. By that I mean, how would you answer this question: “The consequences of not changing are… what?” Now, many of us know the critical risks encompassed by “what” because we live and breathe security every day. But you need to be able to articulate these risks in a clear and compelling way to convince your sponsor, manager and other key decision-makers why security culture must be embedded within your organization. 
  2. Get Buy-in With Data
    Poor security behaviors are often already occurring; they just aren’t being captured and documented in a manner that will inspire action. Some of our clients run phishing exercises alongside tests of physical security controls that address risks such as unauthorized access and tailgating.[1] They then compile the results of these exercises into a report that can be hard to ignore. Nothing seems to raise more red flags than seeing how someone pretending to be an IT contractor made their way into the building, popped their sandwich in the toaster in the common room, chatted with staff and then proceeded to collect confidential information, plug access points into the network and spend the afternoon wandering around the building! This kind of proof can translate into support from the highest level of an organization. Knowing the pain points will also help you define your metrics and ultimately measure the impact of the program. 
  3. Vary Methods and Tools
    While computer-based training modules play a valuable role, too many security programs rely on them to the exclusion of anything else. The most successful programs regularly incorporate a variety of awareness tools, including newsletters, posters, games, newsfeeds, blogs and phishing simulations. Efforts that encourage active participation tend to deliver the most success. Importantly, materials should reflect the different demographics of your users. Diversify your materials to appeal to as many users as possible. There is no such thing as a successful “one size fits all” approach. 
  4. Partner Up
    Proactive risk management is a dynamic, multifaceted opportunity for companies of all sizes. Ensure you are partnering with people who have influence in the organization and who can help you find ways to effectively build a plan and communicate the messages. In their book “Blue Ocean Strategy,” W. Chan Kim and Renée Mauborgne suggest starting with people who have disproportionate influence in the organization.[2] Once they are committed to the cause, they can help shine a spotlight on your program so others get the message too.
    Influencers can also provide much needed insight into what will or won’t work depending on an employee’s role, the channels they can access and the success of other behavioral change initiatives. The stakeholders who will understand an organization’s underlying drivers include internal communications and human resources. Executive assistants can also prove helpful in connecting with C-suite leaders. 
  5. Don’t Reinvent the Wheel
    Look for ways to align with and leverage existing forums, champions or risk training activities. This can help ensure the message sticks. Opportunities include the quarterly staff roadshow or town hall, lunch-and-learn series, risk or change champions networks or other activities where people have already gathered. Then find ways to incorporate your message. These forums are also a terrific way to connect with more people in the organization, especially if you have limited resources for your program. (Hint: why not join a local or regional security awareness group or industry-specific association and leverage the collective knowledge and experience of a community of people?) 
  6. Show Me the Budget
    At the end of the day, the goal is clear: to appropriately assess and mitigate risk to the enterprise and its key stakeholders. Accomplishing this will require leaders committing to a sustainable budget. Practically every data breach and security event can be traced back to a significant human factor, whether it was user error, misconfigured code or poor security behaviors. You can bolster your business case for funding by citing industry-relevant case studies and media coverage of real-world events that show how things can go wrong. 
  7. Positively Reinforce Success Stories
    Build in ways to regularly capture and share stories about individuals or teams that demonstrate positive security culture behavior and reward them. For example, if someone has reported an incident or highlighted a risk, give them a virtual “high five” on your corporate social media platform or send them a personalized desk note from the cyber security team thanking them for their efforts.
  8. “Flicking the Switch” to Think Securely
    Thinking securely isn’t about recalling a set of security-related facts. It is about viewing the world in such a way that the security mindset “switch” can be flicked on automatically. One proven strategy that helps achieve this more ingrained, natural response is to ask staff what they want to see in a security culture program. We find that focusing on the personal impacts of security, such as social media risks, cyber bullying or online fraud, is an effective way to grab attention. Try to make it fun: some ideas include sharing quirky YouTube videos about security incidents or creating a cyber security mascot with some catchy slogans. Stories can engage people in a topic they may not necessarily feel interested in.
    You can then tailor messaging, based on meaningful data, that links to the security culture behaviors you want to see embedded in the workplace. Ultimately, being cyber safe in every aspect of life—at work, home and play—will work to continuously reinforce the security mindset.


Final Thoughts

Building and nurturing a security culture is an ongoing journey. Sustainability must be built into your program, otherwise factors like fatigue, apathy or employee turnover will throw everything off track. Enlisting the support of security culture experts can help ensure your program gets a regular infusion of impartial assessments, best practices and fresh ideas.

Kroll has been a trusted security culture partner to organizations around the world. To learn how Kroll can help you jumpstart your program or take your existing program to the next level, contact us today. 


[1] The InfoSec Institute defines the tailgating scenario as “an attacker seeking entry to a restricted area … The attacker can simply walk in behind a person who is authorized to access the area.”
[2] Kim, W. Chan, and Renée Mauborgne. Blue Ocean Strategy: How to Create Uncontested Market Space and Make the Competition Irrelevant. Boston: Harvard Business School Press, 2005. Print.