What happens to an organization when it has no security culture?

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Jacqueline Jayne, Security Awareness Advocate, KnowBe4

Let’s begin by looking at what culture is and why it matters. Culture is tacit and elusive in its very nature. It is often unspoken, based on behaviours, hidden in the thoughts and minds of people. We often see it embedded in the organization’s framework: in its vision, mission and values, which can also describe the attitudes it has towards various things. Such as, does it value innovation over tradition? Does it focus on people or processes? Does it embrace change? Or, will it fight it every step of the way?

Observable culture is the way an organization welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors.

Culture is also the way you go about your day-to-day work when no one is watching. This was highlighted when we moved to a remote working situation as a result of COVID-19 and witnessed an uptick in cyber incidents and successful breaches.

We are all familiar with the term ‘toxic culture.’ This describes an organization that is not a nice place to work. People are mean, no one really wants to come to work, bad behaviour gets rewarded or ignored and the general perception is not at all positive.

What is a security culture?

This depends on who you ask. In November 2019, KnowBe4 commissioned Forrester Consulting to evaluate security culture across global enterprises. In this study of 1,161 people, 758 unique definitions were given for security culture. Those 758 unique definitions were then broken down into five different categories based on the general sentiment reflected in each of the proposed definitions. Here is the breakdown:

  • 29% believed that security culture is compliance with security policies.
  • 24% said that it was having an awareness and understanding of security issues.
  • 22% said that it was a recognition that security is a shared responsibility across the organization.
  • 14% indicated that it had something to do with establishing formal groups of people that could help influence security decisions.
  • 12% said that a good security culture meant that security was embedded into the organization.

While all the responses are correct in their own way, one stands out as it incorporates them all, and that is the 12% of people who said that a good security culture meant that security was embedded into the organization.


What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity drives global action to address systemic cybersecurity challenges and improve digital trust. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors.

Contact us for more information on how to get involved.

What is a good security culture?

A good security culture is where people make the right decisions when it comes to security, are aware of the threat landscape, know what red flags to be on the lookout for, report all suspicious activity and understand their role in cybersecurity as the human endpoint.

A (cyber)security culture is not just completing training or reporting phishing emails. It’s the unseen and sometimes unmeasurable situations that occur and the subsequent response. Let’s look at the benefits of having a culture of security versus not having one.

The following situations are from the point of view of the human – your users – and represent what is going on in their minds when they’re presented with a security-based situation.

Situation 1 – A phishing email (malicious email) arrives in an inbox from a bank. It has multiple grammatical errors, a link that is clearly suspicious, multiple font sizes, is unformatted and the sender’s email address is clearly fake.

Situation 2 – A USB device is found on the floor of an office corridor with ‘Payroll 2022’ written on it.

While these situations seem second nature to those of us who live and breathe information security and cybersecurity, they are not second nature to everyone else. I promise you that this is exactly what your people are thinking and doing every single day.


You have a security culture at your organization, but is it the one you want?

It’s true. Every organization already has a security culture whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen.

To understand the security culture you have today, you need to ask some questions, make some observations and take the time to document what you discover.

Start by asking: Do your people understand the impact to your organization if a breach were to happen? Are they aware of the cyber threat landscape? Do they lock their devices when they step away from them in all situations? Do they follow existing policies (internet usage, clean desk, reporting incidents, etc.)? How do they respond to phishing and other social engineering? Do they consistently create insecure workarounds (use a personal Dropbox or unsecured personal devices at work, etc.)?

Once you have an idea of where you are, it’s time to consider, discuss and define what your organization’s security culture should be.

The KnowBe4 Seven Dimensions of Security is a great place to start as it looks at the following elements:

1. What attitudes do you expect your people to have towards security?

2. What behaviours are you wanting to change or see?

3. Do your people have an understanding, knowledge and sense of awareness?

4. How do you go about communicating with your people and do they feel like part of the solution?

5. Have you considered and included your people in your policies and do they know what to do?

6. When it comes to the unwritten rules of conduct at your organization, have you thought to include (cyber)security?

7. Lastly, and perhaps most importantly, as without it you are doomed to fail, do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?

Once you have the answers to these questions, you are well on your way to creating and nurturing the security culture that you want. From here, the next step is to ask your people a set of questions using our Security Culture Survey from our Security Culture Report 2022, which gives you a baseline for the Seven Dimensions of Culture.

Ask, does my organization care about security? Which areas of the business are least and most security-minded? Which employees are most risk-averse? How strong or weak is our security culture? In what part of our organization do we need to improve security culture? And, how effective is our security culture programme?

In addition to answering operational questions like those above, the Security Culture Survey provides you with indicators for reporting your organization’s security posture to the board or executive team. It also gives you a starting point to implement awareness, education and training across your organization.

Now back to the initial question: What happens to an organization when it has no security culture? Let’s flip it to this: What happens to an organization when it has the security culture you want?

Building a strong and positive security culture as defined by you is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organization’s risk and increase resilience.

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: