Many organizations neglect the most important aspect of implementing a cybersecurity strategy — the need to foster a security-focused culture. Up to 90% of data breaches stem from human error, meaning even the most robust protection measures can be thwarted by employee mistakes.
Education is a foundational aspect of cybersecurity, but a true security-centric culture goes beyond handbooks and online courses. To drive behavioral change, leaders must make training dynamic and relevant while positioning the security team as a strategic partner.
Training Strategies for a Security Culture
Research indicates that only 10% of employees remember all of their cybersecurity training. Companies must get creative to raise that number. Consider the following strategies.
-
Make training relevant.
People are more likely to adopt behaviors that protect them personally, but many organizations only highlight cybersecurity’s importance to the business. Leaders should reposition their training to focus on knowledge that is relevant beyond the workplace.
Recommended:
A Closer Look at Browser Security in 2024
Training programs should teach cybersecurity skills that employees can use in their personal lives, such as best practices for online shopping and using public Wi-Fi. This content directly impacts individuals, resulting in better engagement and retention. This approach benefits the companies in two ways. First, practicing good cybersecurity skills at home transfers to better practices at work. Second, many people use their work computers for personal activities. Any risky behavior they take on that device compromises company security.
-
Build targeted training.
Companies should build educational content targeted to specific groups. Threats facing the finance department differ from those facing the IT department, so why would they receive the same training?
Tailoring content to focus on the most relevant, pressing threats to each department or cohort makes training more engaging and impactful. Employees will understand the material’s relevance and can concentrate on the elements most pertinent to their specific job functions.
-
Introduce variety.
Seeing the same cybersecurity presentation repeatedly can cause employees to tune out. Security teams must execute a variety of educational approaches to maintain attention.
Targeted, live presentations or small group sessions increase engagement by allowing opportunities for real-time discussions and questions. Lunch-and-learns are another approach. Everyone loves free food, and this type of event creates a more casual environment.
Top CIO Insights:
The Preflight Checklist For SASE and SSE
Don’t be afraid to get creative.
For example, consider hosting a unique training session tailored specifically for employees and their children. Parents can learn about protecting their kids online while picking up useful skills to apply in their own lives. Unique experiences like this help demonstrate an organization’s commitment to fostering a culture of security that permeates every aspect of our employees’ lives.
Evaluating Training Success
Offering training, however engaging, is only the first step to encouraging good cybersecurity practices. Organizations must evaluate the training’s effectiveness by monitoring engagement metrics, such as how many people use a phishing reporting tool. This proactive, data-driven approach enables organizations to continuously adapt and improve training programs.
Cybersecurity is a Partnership
When employees perceive cybersecurity as a laundry list of rules separate from their daily activities, they are more likely to bypass security controls or disregard guidance entirely. To overcome this divide, cybersecurity teams must become strategic partners rather than bureaucratic obstacles.
Security professionals can establish themselves as trusted advisors by fostering strong relationships and showcasing a sincere commitment to enabling business success. Teams should engage with each department to understand its unique challenges and objectives and create policies that support organizational goals. Employees are more likely to embrace cybersecurity best practices from a source they perceive as having their best interests at heart.
When presented with a new initiative or technology proposal, the security department should focus on finding solutions rather than outright denying requests. Security professionals can work with business units to identify innovative approaches to achieve goals without compromising security. Actively listening and demonstrating a willingness to find common ground foster a culture of partnership and trust.
Security is a business enabler. It must be deeply embedded into an organization’s essence, not treated as an afterthought. Effective security leaders recognize that their role extends far beyond mandatory training sessions; instead, they focus on inspiring a fundamental mindset shift in employees.
By adopting a comprehensive, people-centric strategy, security becomes a shared value that permeates every level of the organization.