Main menu


Cybersecurity training and techniques alone are not enough. Requires a “cultural change”

featured image

Companies spend billions of dollars on cybersecurity products to protect their networks and data from hackers, but some industry experts say the money is wasted if companies don’t change their internal cybersecurity culture. I’m saying

In September 2021, Cybersecurity Ventures released a stunning report stating that global cybersecurity spending will exceed $1.75 trillion by 2025. The report predicts another year of growth in investment in the sector, this time he will see 15%.

Companies continue to invest in protecting their increasingly digital business assets. From Internet of Things (IoT) devices to cloud and hybrid work endpoints, cybersecurity spending has increased and changed since COVID-19 changed the way the world works.

Cybersecurity Ventures founder Steve Morgan said: “Right now, it is he one of the largest and fastest growing sectors in the information economy.”

Security practitioners are adding features focused on Zero Trust technologies, automation, responsive SOAR platforms, Secure Access Service Edge (SASE) models, fraud technologies, and more.

However, if the human element is not improved, the technology can at best limit the damage.

Also Read: Best Cybersecurity Awareness Training for Employees

Security culture is key to cyber defense

PwC’s 2022 Global Digital Trust Insights report reveals that cybersecurity spending trends show no signs of slowing down. In fact, 69% of surveyed organizations expect security spending to increase in 2022.

But Peter Carpenter and Kai Roer, two veteran security professionals, told KnowBe4, an employee cybersecurity training leader, that business leaders overlook the main ways hackers infiltrate systems. . They say the best defense against cyberthreats lies in an organization’s security culture.

Their latest book, The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer, combines insights from 35 years of security culture experience with data-driven insights from over 40,000 global organizations. I’m here. They believe that security awareness alone is not enough. Organizations must “build security into their culture.”

Carpenter has spoken eSecurity Planet On the importance of a strong security culture. According to Carpenter, the organization has become an expert in technology-based security tactics such as firewalls, email gateways, and endpoint protection. However, despite advanced defenses, organizations still face the problem of large-scale data breaches.

“Technology-based defenses have made hacking into organizations so difficult that cybercriminals are increasingly relying on social engineering to achieve their goals,” said Carpenter. said.

The industry needs to focus just as much on preparing for human-based defenses as it does for technology defenses. Carpenter’s recommendation is to deliberately invest more time, effort, and investment into building this layer of defense.

“This means focusing on the ABCs of cybersecurity: awareness, behavior, and culture,” says Carpenter.

Improving cybersecurity communications and metrics

Carpenter described the basic flow of executive communication and uncovered a simple formula designed to improve all cybersecurity messages. It all starts with information that creates stories and stories. Stories are essential for workers to identify problems. This way they remember concepts better.

“Those who share information need to find ways to connect information to something bigger, broader, and more emotional than simple facts and figures,” Carpenter said.

The formula is:

Information 🡪 Stories/narratives 🡪 Transparency and metrics 🡪 Insights and direction.

In this formula, facts, figures, and supporting details should only be introduced in ways that support the broader story. Transparent, clear, and honest interpretation of metrics is also very important when implementing metrics. Indicators of cybersecurity and security culture can be victories, stumbling blocks, or challenges that move the story from one point in the plot to another. This is where insight and direction come into play.

Measuring an organization’s security culture is becoming increasingly important to get a 360-degree vision of a company’s strengths and weaknesses. Carpenter’s method of measuring security culture is far superior to others, as he measures seven dimensions through a technical and scientific approach.

“We categorize security culture into seven different measurable dimensions: attitudes, behaviors, perceptions, communications, compliance, norms, and accountability,” Carpenter explained.

Each dimension can be measured by direct observation or by looking at evidence and data. One of the methods used is a proprietary security culture survey. The survey contains a series of science-based questions designed to get to the heart of each of the seven dimensions.

“One of the tricks to getting accurate answers in a survey like this is to not ask anyone for a particular behavior or understanding. Instead, how do you perceive other people and groups within your organization?” Are you sure,” Carpenter said, adding that such indirect questions would be more honest.

The advantage of measuring your organization’s security culture on the seven dimensions is that it gives you a better picture of the issues that need to be addressed. Additionally, each dimension exerts a gravitational effect on the other dimension. If an organization focuses on improving one or two aspects, it is expected that other aspects will improve as well.

Protecting data with a strong security culture

For years, technology-based tactics have been touted as the ultimate defense against cyberattacks. However, Verizon’s report reveals that 82% of all breaches involve the human element. Today’s sophisticated cybercriminals target the weakest link in your system, your employees, leaving your organization open to attack no matter how strong your cyber defenses are. These weaknesses can only be strengthened by strengthening your security culture.

Read next: Top Cybersecurity Companies for 2022

Affiliate links or sponsored partnerships displayed on this page may result in a commission, but any affiliate has no influence over the editorial content. Please see our Terms of Service page for more information.