Ask a Chief Information Security Officer (CISO) about their employees' security habits and a typical answer follows: "I want people to make fewer security mistakes." In reality, this is just as much a description of culture as it is of security habits, because culture is a set of behaviors that people regularly perform.
The keyword there is regularly. Changing the way people operate when it is something they do regularly is no easy task, but when the security of a company is at stake, CISOs must do everything they can to help change that culture.
Culture change can be overwhelming if a CISO does not know where to begin. To effectively start building the security culture you want, you must first identify the measurable behaviors that will make up that culture. There are three key questions to ask when selecting simple, concrete, and measurable security behaviors:
1. What behaviors am I trying to change?
2. What will people do differently after my effective program is instituted?
3. How can I measure whether the program was successful?
Choosing Key Behaviors
Every CISO has a list of security changes they would like to see. Before embarking on a culture change, it is important to identify the top priorities for the organization. This can be a challenge, since priorities are subjective and shaped by each individual's experience. Below are some questions to help you identify the priority behaviors for your team:
• What are the most frequent security incidents?
• What would be the most damaging to the company?
• What would have the greatest impact on the company’s security posture?
• What does the team already have metrics on?
• What do the company’s stakeholders care most about?
By focusing on a few selected behaviors, rather than a laundry list that may discourage employees, CISOs give people time to digest the information and apply it to their work. It also lets CISOs test how well their lessons are working by sampling the group's behavior before and after training, which is not practical when taking on numerous changes at once, and so shows the real influence of the training on the organization.
Designing an Effective Program
Many times, employees are not aware that a behavior is a security risk until someone points it out to them. CISOs can create programs that help employees recognize these behaviors and teach them how to avoid specific threats in the future.
It is important that CISOs make these lessons tangible for employees and not speak in generalities. By identifying the specific behavior change, employees can easily apply these lessons to their day-to-day work. For example:
• General behavior: I want my employees to be less susceptible to phishing links.
• Specific behavior: I want my employees to report all suspicious emails to the security team.
Do not forget to make it fun for employees to participate and celebrate their successes. This will encourage them to want to learn more and successfully practice other security behaviors.
Measuring Desired Behavior
It is critical to have measures in place that show progress toward culture change. Since security is often described as never having a finish line, it is imperative to define milestones so that you can report the program's success back to yourself, to the participants in your campaigns, and to management.
Behaviors can be measured quantitatively, as with click-through rates, or qualitatively, with employee surveys. In the phishing example above, a quantitative milestone could be: at least 20 percent of the simulated emails sent in any phishing exercise against my employees are reported to my incident response team. Be precise about the denominator (emails sent, or unique recipients) and count each recipient once, or the rate will not be comparable from one exercise to the next.
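As an added example that is not part of the original article, the following Python script computes the phishing-exercise metrics described above from a constructed per-recipient event log. It goes slightly beyond the text by comparing a baseline campaign against a post-training campaign, which is the before-and-after sampling recommended earlier. The log format (campaign, user, action, minute), the campaign names and the recipients are all assumptions made for illustration.

```python
"""Compute phishing-simulation behaviour metrics from a per-recipient event log."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str   # simulation campaign name, e.g. "baseline" or "post-training"
    user: str       # recipient identifier
    action: str     # "sent", "clicked" or "reported"
    minute: int     # minutes since the campaign's emails went out


# Constructed sample log for two campaigns (illustrative data, not real results).
SAMPLE_EVENTS = [
    # Baseline campaign, before training: 5 recipients, 2 click, 1 reports.
    Event("baseline", "alice", "sent", 0),
    Event("baseline", "bob", "sent", 0),
    Event("baseline", "carol", "sent", 0),
    Event("baseline", "dave", "sent", 0),
    Event("baseline", "erin", "sent", 0),
    Event("baseline", "bob", "clicked", 12),
    Event("baseline", "carol", "clicked", 30),
    Event("baseline", "carol", "reported", 35),   # clicked first, then reported
    Event("baseline", "carol", "reported", 40),   # duplicate report, counted once
    # Post-training campaign: 5 recipients, 1 clicks, 3 report.
    Event("post-training", "alice", "sent", 0),
    Event("post-training", "bob", "sent", 0),
    Event("post-training", "carol", "sent", 0),
    Event("post-training", "dave", "sent", 0),
    Event("post-training", "erin", "sent", 0),
    Event("post-training", "alice", "reported", 4),
    Event("post-training", "dave", "clicked", 9),
    Event("post-training", "erin", "reported", 15),
    Event("post-training", "bob", "reported", 22),
]


def campaign_metrics(events, campaign):
    """Return click rate, report rate and median minutes-to-report for one campaign.

    Denominators are unique recipients, and each recipient counts at most once
    per action, so a user who reports twice does not inflate the report rate.
    """
    mine = [e for e in events if e.campaign == campaign]
    recipients = {e.user for e in mine if e.action == "sent"}
    if not recipients:
        raise ValueError(f"no recipients found for campaign {campaign!r}")
    # Restrict to targeted users so stray events from untargeted accounts are ignored.
    clickers = {e.user for e in mine if e.action == "clicked"} & recipients
    reporters = {e.user for e in mine if e.action == "reported"} & recipients
    # Time to first report per reporter; later duplicate reports are ignored.
    first_report = {}
    for e in mine:
        if e.action == "reported" and e.user in recipients:
            first_report[e.user] = min(first_report.get(e.user, e.minute), e.minute)
    times = list(first_report.values())
    return {
        "recipients": len(recipients),
        "click_rate": len(clickers) / len(recipients),
        "report_rate": len(reporters) / len(recipients),
        "reported_after_clicking": len(clickers & reporters),
        "median_minutes_to_report": statistics.median(times) if times else None,
    }


def meets_target(metrics, min_report_rate=0.20, max_click_rate=None):
    """Check one campaign against the programme milestone (default: 20% report rate)."""
    ok = metrics["report_rate"] >= min_report_rate
    if max_click_rate is not None:
        ok = ok and metrics["click_rate"] <= max_click_rate
    return ok


def compare(events, before, after):
    """Change in click and report rates between two campaigns (after minus before)."""
    b = campaign_metrics(events, before)
    a = campaign_metrics(events, after)
    return {
        "click_rate_change": a["click_rate"] - b["click_rate"],
        "report_rate_change": a["report_rate"] - b["report_rate"],
    }


if __name__ == "__main__":
    for name in ("baseline", "post-training"):
        m = campaign_metrics(SAMPLE_EVENTS, name)
        print(name, m, "meets 20% target:", meets_target(m))
    print("change:", compare(SAMPLE_EVENTS, "baseline", "post-training"))
```

The script tracks users who clicked and then reported separately, since a late report after a click is still a useful signal to the incident response team and should be celebrated rather than counted as a pure failure.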
Once progress is made on one behavior, it is a great opportunity to recognize and reward the organization for becoming more secure, celebrate its success, and move on to the next behavior change.