Work From Home

How to Build a Sustainable Security Culture That Drives Behavior Change

Share with your network!

People are the new perimeter—anyone can be a target, and anyone can undermine their organization’s security posture with one slip-up or malicious act. Most security leaders understand this reality. But what they really want to know is how to flip the script and turn their organization’s biggest attack surface into a critical layer of defense.

The short answer is that you need to drive behavior change by building a systemic and sustainable security culture that’s customized to your organization.

This requires a significant change-up in how you approach security awareness training. Consider this: According to the “2022 State of the Phish” report from Proofpoint, 99% of organizations have a security awareness training program—and yet, only 55% of working adults know what the term “phishing” means. That’s certainly worrisome, considering that phishing has been a top cyber threat for years now. 

Even though the goal of security awareness training is to drive meaningful security outcomes—for example, fewer clicks on malicious links, fewer accounting compromise events and less-successful phishing incidents—many programs just aren’t inspiring lasting change. A couple of hours of training annually won’t prompt most users to adopt a security mindset for the long term. Building a robust security culture will.

What is a security culture?

When an organization has a sustainable security culture, employees feel that they and their co-workers are responsible for acting to prevent security incidents. They understand why cybersecurity is important. And importantly, they feel empowered to act—and comfortable reaching out to the security team when they see something suspicious or make a misstep.

The new Proofpoint e-book “Beyond Awareness Training” provide a definition of security culture that was first outlined by MIT researchers Keman Huang and Keri Pearlson in 2019. They describe a security culture as “the beliefs, values, and attitudes that drive employee behaviors to protect and defend the organization from cyber-attacks.” At Proofpoint, we subscribe to this definition.

Building a security culture and embedding it into the fabric of your organization’s core corporate culture requires finding ways to change how people think about security. Ultimately, as our e-book explains, your aim is to build a security culture that is:

  • Holistic and continuous—employees are always learning, and they’re engaged and vigilant because they understand their role in defense
  • Has cross-functional advocates—support for a security culture pervades the organization, including at its highest levels
  • Creates and sustains expectations—security policies are designed (and enforced) to drive culture norms

What are the benefits of a strong security culture?

When you create and sustain a robust security culture, your organization’s overall security posture improves—along with agility and resilience. Employees feel responsible to help prevent security incidents, and security teams can move faster to respond to threats and resolve incidents.

Also, you can reduce risk. With remote work, cloud migrations and the use of personal devices all increasing, cyber risk is rising rapidly. A strong security culture can help change unsafe user behavior more effectively because employees believe that cyber threats are a material risk to the organization’s success and could affect them personally, as well.

Pain-free compliance is another big plus. You can reduce the odds of users making missteps that can lead to fines and other penalties (and headaches) for the organization due to noncompliance with government regulations and industry standards related to data privacy and protection. 

The challenges to build a security culture—and how to overcome them

Building a security culture isn’t easy. It demands a significant investment in time, effort, resources and companywide support—that’s a fact. The “Beyond Awareness Training” e-book identifies the following as key challenges that security leaders often face when trying to build a strong security culture:

  • Getting buy-in from upper management
  • Quantifying the return on investment (ROI)
  • Convincing users why they should care and actively take part

These are daunting challenges, but they’re not insurmountable. Here’s a quick look at some strategies for overcoming these obstacles:

Obtaining leadership buy-in 

First, it helps to map out what-if scenarios for common security incidents to help build executives’ awareness about risk. They need to understand the business impacts of an attack, and which users in the organization are most risk and why. Another eye-opener is using tabletop exercises to demonstrate what it’s like to experience a real (and real disruptive) attack, like a ransomware campaign. And don’t forget about metrics: Hard data will appeal to leadership’s focus on the bottom line.

Justifying the cost and effort 

Speaking of the bottom line and hard data, if you need to change the minds of budget decision-makers in your finance organization, point to the cost of a breach—which is $4.24 million, on average, according to Ponemon Institute research. Then, compare it to training costs, which are obviously nowhere near the ballpark of that figure.

As for effort, look for solutions that can help automate manual security processes—and create time and cost savings for the business while reducing risk. If you’re security team lacks resources to manage more robust, customized and continuous security awareness training, consider engaging a managed security awareness training service to help shoulder the load.

Keeping users engaged 

You can’t expect users to adopt a security mindset if you don’t explain to them why it’s important. Many employees in your organization likely don’t see security as part of their job, or they simply don’t realize the value of making the extra effort to be an active defender.

Make things personal by showing users their risk profile. Also, provide regular communication about incidents happening in the “real world” outside of your organization. For example, share information about data breaches that make the headlines, especially if they impact your industry.

And finally, frame your program in a way that makes clear to users why the information and learning is personally valuable for them. Emphasize that they can use their security awareness skills anywhere—including at home, to help protect their loved ones.

Signs of real behavior change: what to look for

Actions, attitudes and beliefs define an organization’s security culture. And when you achieve a well-developed culture, the following behaviors and mindsets in your users will be evident:


Figure 1. The hallmarks of a strong security culture. (Source: “Beyond Awareness Training” e-book from Proofpoint.)

For more tips on how to build a sustainable security culture and sell the results to executives, download the e-book “Beyond Awareness Training” from Proofpoint. Find out why your organization must go beyond the same-old security awareness training to instill a security mindset that transforms your biggest attack surface—your people— into a critical layer of defense.