Organizations that prioritize a strong cybersecurity culture reap considerable benefits, including risk reduction, reputation protection, and increased sales opportunities in regulated industries.
Building a successful company-wide culture reduces risk far better than relegating it to any single department or team. In addition, TechTarget explains that a strong cybersecurity culture leads to “improved confidence in the company’s reputation and trust for developers, partners, customers, stakeholders, and employees.”
Because building a robust security culture is so important, executives, managers, and board members all must support any efforts to accomplish this goal. When it comes “from the top,” building a strong security culture that touches every part of the organization is much easier. Decision-makers can do the following to shape a culture of cybersecurity.
1. Lead by example
Decision-makers can start by modeling good cybersecurity processes and demonstrating their commitment to cybersecurity through their actions. Leading by example begins with small, conscientious habits, such as password-protecting a laptop when not in use.
It’s also essential to present security as a long-term business enabler — not a hindrance. Your organization should understand that strong security can help you win against the competition, successfully target new markets (especially highly regulated ones like finance and healthcare), and close more business.
Being public about cybersecurity efforts and celebrating milestones like achieving SOC 2 compliance are great ways to communicate to the team that security is important at the organization’s upper echelons.
2. Set clear expectations and standards for cybersecurity
Developing and implementing clear cybersecurity policies and procedures and communicating them to all employees regularly is critical.
Be sure to create and enforce policies around the following business activities:
- User authentication: The organization should mandate a password management strategy and implement multi-factor authentication (MFA), single sign-on (SSO), password vaults, and/or other modern authentication best practices.
- Secure access: Employees should know how to work securely both in and out of the office. Consider deploying VPNs and ensuring employees never log in to work assets or environments over insecure or public Wi-Fi networks.
- Data management: Ensure clear policies around handling and storing data, including where to store sensitive data, what can and can’t be saved on personal computers or drives, and secure file sharing.
- Reporting: Employees must know how to report any potential incidents (e.g., a phishing email that lands in their inbox). This should follow an official process and be straightforward for employees to handle as part of their day-to-day work.
- Software updates: Company devices can be configured to install software updates and bug fixes automatically to mitigate any vulnerabilities as quickly as possible.
3. Embrace automation
When it comes to building a culture of security, one of the keys is making sure that security-related processes and procedures aren’t a huge burden for the teams responsible. Security automation can make a huge difference in reducing manual efforts and ensuring time is spent in the best possible way.
For instance, Christopher Reddekopp, Level 2 Support at Tullahoma Utilities Authority, lacked the resources to enforce cybersecurity procedures across his organization consistently. He collected logs from across his organization but didn’t have the time or resources to review them all. To streamline investigating and responding to incidents, he implemented SIEM automation with Blumira.
Reddekopp reports the automation “has saved me a lot of time and heartache from having to parse through logs and attempt to set up log filtering. It’s like having a watchdog over the house 24/7, knowing that if an intruder does come in, it will sound the alarm.”
4. Invest in continuous cybersecurity training
Decision-makers should provide employees with ongoing training and resources to protect themselves and the organization from cyber threats. Essential training topics include phishing and social engineering awareness, best practices for storing data securely, and the use of two-factor authentication (2FA), VPNs, and endpoint security solutions.
Cybersecurity training should be tailored to employees’ roles and responsibilities and delivered in various formats, such as online courses, workshops, and simulations. Remember to update training modules regularly to reflect changes in the threat landscape and the organization’s business needs.
Because 74% of breaches involve human error, widespread security awareness training significantly strengthens your organization’s cybersecurity posture. Employees can protect customer data and proprietary information better than any tool or process.
5. Create a culture of security awareness
By creating a culture of security awareness and vigilance, your organization can work together to protect customer data and company secrets. Increasing participation and interest in security can lead to better business results and a stronger public image.
Princeton University’s three-year security strategy is a real-world example of establishing security awareness. They spread security awareness to their community of thousands of students, staff, and faculty — a three-year-long process that took plenty of creativity and out-of-the-box thinking. Once their program was in place, they identified key strategies that helped them succeed, including:
- Delivering information in bite-sized pieces: Because Princeton’s team had to work with limited time and attention, they condensed content into easily digestible mediums, such as short videos and posters.
- Providing relevant context: To get each individual’s attention, the team presented security-related information in each audience’s frame of reference, answering questions like, “What is my risk as a student?” and “Why would anyone want to attack me as a professor?” Tailoring the information makes it more relevant and increases the likelihood that you’ll achieve full participation.
- Keeping it positive: As the team educated staff and students on security risks, they maintained a positive spin. According to Princeton’s Information Security Awareness and Training Program Manager, Tara Schaufler, “We never say end users are the weakest link. They are guardians at the gate to us, the last line of defense…with positive messages, we can change their thinking. We want the entire University to be security champions.”
Evaluating Your Cybersecurity Posture
As you implement these practices, tracking quantitative metrics, analyzing results, and identifying improvement areas are essential. Here are some key metrics to consider:
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
MTTD measures the average time it takes to detect a security incident, while MTTR measures the average time it takes to respond to a security incident and contain the damage. IBM’s 2023 Cost of a Data Breach report found that when businesses used security tools such as AI and automation to lower their MTTR, they saved $1.8 million in data breach costs.
Examining Blumira’s customer data, we’ve found that our average time to identify an incident is about 32 minutes. In contrast, IBM reports an average detection time of 212 days, or 5,088 hours. By that comparison, Blumira’s detection time is 99.4% faster than the average.
When companies reduce MTTD and MTTR, they can
- Decrease risk
- Reduce downtime
- Improve response times
- Mitigate the impact of actual breaches
The sooner an incident is detected and the faster it is contained, the less damage an attacker can do. So, MTTD and MTTR are key metrics to pay attention to as you develop a security culture at your organization. Of course, you’ll need strong security tools in place to ensure you can measure these metrics on an ongoing basis.
Security awareness training completion rates
Measure the percentage of users or constituents at your organization who have completed cybersecurity training. This metric shows the success of a training program and can also reveal gaps in information delivery. In some cases, teams can identify specific groups or departments that need more training, or home in on ways the training should be streamlined to make it more “doable” and approachable for everyone.
In Princeton University’s case, training completions directly correlated with adopting strong security practices, such as using a password vault to store strong passwords.
ISACA reports, “Due in large part to the awareness program, Princeton users exhibit better password management, reduced phishing risk, understanding of the threat to both their personal and professional lives, and a heightened awareness of appropriate actions and responses for cybersecurity: After only one year Princeton counts 1,100 LastPass accounts, 75 percent of which are used regularly, out of a 2,500 staff target.” It’s key to remember that you won’t achieve perfection right off the bat, so focus on continuous improvement.
When organizations provide their employees with robust security awareness training, they can
- Decrease organizational risk
- Increase trust from both users (employees, students, etc.) and customers in the case of businesses
- Create less work for security teams, allowing them to focus on strategic security improvements
Phishing click-through rates
By measuring the percentage of users who click on phishing links, organizations can better understand the effectiveness of their security training programs and security culture at large. A lower phishing click-through rate shows that a team can successfully identify phishing schemes and will better protect organizational data from malicious activity.
Many organizations use phishing simulations to train staff members and to get quantitative measurements of phishing click-through rates. Shift, a healthcare technology provider, uses KnowBe4’s phishing simulator to train and test their employees. As a result, the Shift team reports that “approximately 80% of our employees contact our IT/security team to determine if an email is a threat and how to handle it.” Again, perfection is rarely attainable, but 80% is a respectable coverage rate!
Risk assessment findings
Leadership teams can rely on risk assessments to steer their security efforts in the right direction. TechTarget recommends five general steps to include in a risk assessment:
- Risk identification
- Risk analysis
- Risk evaluation
Organizations can customize these steps to match their specific objectives. By evaluating and resolving risk in an organized way, they can target the key areas of risk within their organization rather than try to “boil the ocean” and possibly waste valuable resources and budget.
When done right, risk assessments can help organizations:
- Prioritize security strategies and actions
- Reduce risk while managing costs
- Decrease unintentional risky behaviors that could open the door to threats
Positioning Your Company for Cybersecurity Success with Blumira
Although many leaders want to foster a strong cybersecurity culture, some might find adding cybersecurity to their already-full plates is overwhelming. These leaders need to choose solutions that empower them to build strong security practices that are manageable and maintainable.
We designed Blumira’s solutions to help busy leaders achieve a strong cybersecurity culture.
Our platform supports time-pressed teams with:
- An all-in-one approach to security, combining SIEM, endpoint visibility, and automated response into one location
- End-to-end visibility of the entire environment, improving vital KPIs such as mean time to detect (MTTD) and mean time to respond (MTTR)
- User-friendly interface and fast deployment, making it easy for leaders and technical users to get started
- 24/7 SecOps support, giving leadership the expertise they need to respond to unusual or challenging situations
Want to learn more? Listen to our CTO & founder explain how to build a security culture in a time of increasing complexity.