Awareness isn’t enough -- it’s time for security leaders to change behaviors

Learn what you need to do to move beyond perfunctory awareness and training programs to change behavior and instill a security culture (the ABC of security).

As 2021 gets underway, there has been significant elevation not only in the influence and importance of cybersecurity, but also in the human element of security. For example, human error is now recognized as a key contributor to the overall risk profile of an organization.  

Unfortunately, as an industry, we're still struggling to manage this risk.  

Also: Best VPNs • Best security keys • Best antivirus

For years now, CISOs have done a remarkable job of training users to understand security risks by purchasing solutions with extensive content libraries, administrative features, and assessments measuring all manner of user failures. But this focus on creating awareness falls short of changing long-lasting behavior. And CISOs know they need to shift focus to humans on the receiving end of these programs. Many are also acutely aware that organizations with strong security cultures have employees who are educated, enabled and enthusiastic about their personal cybersafety and that of their employer.  

To move beyond perfunctory awareness and training programs to changing behavior and instilling a security culture (the ABC of security), you need to do the following: 

  • Build a human-centric security program. Move beyond tactics and create a multiyear, sustainable strategy via a four-step plan that includes: 1) Identifying key stakeholder and threat communities; 2) Defining your behavioral baseline and target state; 3) Creating the initiatives that will influence each stakeholder community; and 4) Measuring and continuously improving the plan. 

  • Focus culture efforts up, across, down, and outside your organization. Move away from point-in-time engagement activities by building a strong culture at four distinct levels within the organization, taking a different approach for each constituent. Advocate at the executive level to get security visibility; rationalize investments with business leaders to assure security buy-in; communicate with employees to create a consistently high level of awareness; and extend your reach by building trust with external stakeholders. 

  • Design transformative security awareness initiatives. Unless people feel positive about the topic of security, the capabilities of your team and you as a leader, you will struggle to get them to truly buy into the need for security. To do this, your initiatives need to be impactful to resonate with the audience and continuously influence and motivate the audience to behave securely. Consider design principles when creating your transformative security awareness initiatives.  

  • Start by improving the culture and influence of your own security team. The biggest obstacle to security leaders' efforts today is the image of security itself. So transform your own team's culture, create an environment of psychological safety for your organization, and extend your influence with a network of security champions. Above all, hire people with good human-centric skills. They are what's desperately missing not only in your organization but in our profession. 

To understand the business and technology trends critical to 2021, download Forrester's complimentary 2021 Predictions Guide here

This post was written by Principal Analyst Jinan Budge, and it originally appeared here