Article
Most organisations invest in firewalls, endpoint protection, and monitoring tools… Yet breaches keep happening. That’s because the majority trace back to human behaviour.
That is not a criticism. It’s an opportunity.
That’s because human behaviour can be changed, so long as the right culture is in place. And building a genuine security culture means shifting how your people think about and respond to threats every day, not just in the midst of a breach.
In this piece, we’re going to explore the steps you should take to establish a security culture that sticks. For those of you pressed for time, just look at the following seven steps:
For those of you who want the detail, stick with me. We’ll go through each step so you can take this back to your team and build a lasting security culture.
In plain terms, security culture is what your people do when no one is watching.
Employees who understand threats make better decisions like spotting phishing attempts and reporting suspicious activity while following
company policies.
With that definition in mind, let’s get to how we can actually build it.
You should start narrow. Trying to change everything at once guarantees you change nothing meaningfully.
How to identify the behaviours:
With your behaviours identified, it’s time to make a plan. Expect this first cycle to play out over a quarter or two.
You cannot be everywhere. Your plan needs to scale beyond your team, without your constant oversight.
How to design your plan:
Invest time in briefing your champions and making them feel ownership over the programme; they will be key to making it happen.
No cultural shift succeeds without visible support from the top.
How to get leadership buy-in:
“Ransomware is our biggest exposure. I want to reduce it by improving how staff spot and report phishing. I need your backing for a short programme and five minutes at the next all-staff.“
Executives are the most visible employees of any company, so having them publicly on board is important. They can help acquire champions for you, as well.
Telling people to lock their screens means little without context. Explaining that an unlocked screen can take less than 60 seconds to compromise, and that this has happened in organisations like yours, lands much better.
How to apply this:
Explaining the reasons behind each change will hammer home the personal relevance of the project.
A well-designed plan still needs room to adapt; no plan survives first contact with the sales team…
How to execute:
So long as you’re listening out for criticism and examining how the plan can be adapted, you’re in good shape.
What gets measured gets improved. This protects your programme’s budget and support (especially from those execs we talked about earlier).
How to measure effectiveness:
Hard numbers make future buy-in far easier to secure. (Remember executives want outcomes, not process detail).
Security culture is not a project with an end date. It is an ongoing programme that you’ve just signed up for!
How to plan your next steps:
With each iteration, the process gets smoother and the culture shifts further in the right direction.
Cybersecurity awareness training works best when it sits inside a structured, repeating programme, not as an annual video and a quiz.
If you want to see what this looks like in practice, Trustack offers a proof-of-concept of our human risk management platform.
You will see what our data-led training programme looks like for your organisation before committing to anything.
To provide the best experience on our site, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site.