Instilling a Culture of Cybersecurity

Posted on: October 24, 2019
Author: Safi Raza

Hands typing on a keyboardWhat exactly is the culture of cybersecurity?

The culture of cybersecurity is an organization’s attitude towards information security, assurance, and privacy. Security culture requires the sharing of knowledge about potential threats as well as anticipating and communicating about threats that an organization may face in the future. A good security culture can be developed by employing an effective security program that is consistent, adaptable to the organization’s needs, measurable, and can be sold to all employees. An information security program that is designed to spark a cultural shift has three basic elements: security awareness, training, and education.

Here is a four phase approach to instill a good cybersecurity culture.

Phase 1: Ask a lot of questions.

You will need a few brainstorming sessions to answer the following questions.

  1. How would you align your security program with the overall organizational objectives?
  2. Have you defined your goals and scope?
  3. What do you want employees to learn?
  4. How would you make training relatable to the employees?
  5. How and where will you communicate the news regarding the security program?
  6. What are the roles and responsibilities of program participants?
  7. How would we measure the effectiveness of the program?
  8. How often would you need to evaluate and update the program?

Where is the start line?

The very first step when introducing a security awareness program is to understand where do employees stand today. How much attention to they pay to the information security breaches around the world? How much do they understand the misuse of IoTs? And most importantly, do they know how to protect their personal and professional data?

A phishing campaign would be a good start, assuming you already have management’s buy-in. Send some emails with malicious links, drop some USB drives in the parking lot, or call the help desk to reset the passwords. The results will give you an idea of where you need to go to get your employees better prepared for cyber threats.

Important Regulations and Compliance Framework

Understanding regulations and frameworks that impact your organization will set focused areas for your training. HIPPA, PCI-DSS, and GLBA are some of the standards that affect health, credit card processing, and financial organizations, respectively.

Create a 30-Day Plan

During the first 30 days of your awareness campaign, you can conduct your phishing tests and meet with the managers and employees to understand what their pain points are with cybersecurity. Do they understand the value of the data they process? Are they ignoring the basic checks because they believe these additional precautions may impede their progress?

Employees need to understand that your job is not to hinder their productivity but to help them carry on their work securely.

Phase 2: Create your Security Awareness Program

Security awareness is the prelude to security training. It provides a general awareness of cybersecurity and prepares employees against low-level threats. Security training teaches employees how to perform their job securely and educating involves learning new techniques and skills to enhance an organization’s security posture.

Awareness, Training, Education


Understand your audience. Are they technical or non-technical? If they are non-technical, then you may want to avoid using technical jargon in your program. It will also help to know if your audience consists of entry-level, middle management, or executive employees. Moreover, identify any specific behavior you would like to focus on. For instance, if people are leaving their computer screens unlocked, then it will be useful to discuss the risk of leaving a computer unlocked.

All users need to understand the importance of security and the consequences of its failure. During the security awareness program, you will notice that some of your coworkers in various departments are more engaged than others. These employees can be your security program ambassadors and can reinforce the security culture in their departments. The recognition of these program ambassadors in newsletters or company-wide events will attract other employees to get involved and help create a culture of cybersecurity.


  1. Training can be instructor-led, self-paced, online, or one on one. You can utilize different methods for different groups.
  2. Use best practices and interactive training. There are various learning technologies available; Use the one that would benefit the most.
  3. If you are using an online tool, then ensure that the interface is easy to use and employees short and interactive modules.
  4. A small group is the best group when providing training in person.


Awareness and training are usually topic-specific and focus towards a group of employees. The education, however, refers to a robust effort to increase employees’ skills and to meet management’s mandates. Think of a secure development course that may last few weeks. While proven useful, education can be costly and put a resource constraint on an organization.

  • Keep the program fun and engaging.
  • The program must align with organizational objectives.
  • The program will need to be relevant with the organization’s IT structure.
  • The training must be relatable to the audience’s personal and professional lives.

Phase 3: Driving Cultural Change

Now that our Security awareness program has been created, we will use our program to initiate behavioral changes towards a security-minded model.

Security is everyone’s responsibility

Most employees believe that security is the sole responsibility of the information security team. Sustainable security culture requires that everyone in the organization assumes the responsibility.

Recruit security liaisons

Security liaisons are your ambassadors and security advocates in each department. During the security awareness sessions, you will notice a few individuals will show more interest in the training. These individuals are your candidates for information security liaisons. They will assist you in promoting the security culture in their department.  Employees are more willing to make a change if their peers are driving it.

Make it fun

Make the security program fun: Pass out swags with security tips, share an interactive security quiz, etc.

Reward and recognition

Some employees will go above and beyond their call of duty to protect the organization. Recognize them. A $25 gift card to a favorite coffee shop or a gift card to a book or music store will go a long way. You can also buy lunch for any department that completes the security training with the best scores.

Phase 4: Maintenance and Continuous Improvement

Measuring the effectiveness of your security program can be a challenge. How do you track a change in employees’ behavior? If the security program has been effective, then a few differences should be visible. For instance, fewer employees are clicking on the phishing links and more employees are reporting suspicious emails or behavior, etc.

A survey can be used to capture employees’ feedback. It will help optimize the program and will keep the employees interested. Meeting monthly with your information security ambassadors over lunch and lessons learned help ensure the continuity of the program.

Patience and consistency is the main ingredient of a successful cultural shift. The change will not happen overnight. It will take significant effort and continuous tweaking of the program.