Is security a part of your culture? Maybe you should check

Many companies use phrases like “work hard, play hard” or “dynamic and fast-paced” to describe their culture and workplace environment—but what does this really mean? Culture is about repeatedly doing something that comes naturally, without having to think about it. But building that culture throughout an organization can take a lot of effort, and nurturing it requires careful thought and planning.

A critical element to consider when defining and building an organizational culture is security and awareness of the potential threats that might negatively impact the company. Requiring employees simply to complete compliance training cannot change the culture of an organization. There has to be a full program in place if the ultimate goal of the program is to create corporate cultural change.

What Does a Security Awareness Culture Look Like?

Every organization will start from a different place when it comes to creating a culture that includes security awareness, so measuring that starting point is critical to be able to build an effective program. This measurement should span a wide range of topics including physical security, data security and security policies and processes. In this way, security is multifaceted, permeating every part of an employees’ daily life. Assessment tools like CyberStrength are great for a broad measurement of user knowledge. These tools surface weakness and help clarify priorities for the security awareness program.

Affecting change and instilling security awareness as part of the corporate culture takes more than one tool.  And it must be easy for users to learn, change behavior and work in the new security aware culture.

Using a complete toolbox can help accelerate this including using different channels to communicate with users such as newsletters, materials such as posters placed around the office and security advocates as a local point of focus. It also has to be easy for users to become part of the solution. Using a tool such as Closed-Loop Email Analysis and Response (CLEAR) allows users to easily report suspicious emails and receive positive re-enforcement. 

Lastly, if employees understand why they need to be more security aware, it can impact change. Training them on threats that are impacting the organization and how attackers are targeting them not only at work but also at home can be useful.

How Do Organizations Measure Success?

The questions that many organizations ask themselves once they start to build security awareness into their culture is how do they prove it’s working? How do they measure it over time? 

Attaching key performance metrics to your company culture can be very hard—how would you measure your “work hard, play hard” culture? But assessing how ingrained security is into your culture is possible. Here are the metrics to focus on:

  • Rate of end users clicking on phishing simulation emails
  • How Very Attacked People (VAPs) within the organization are interacting with potential threats
  • Rate of end users reporting suspicious emails to IT and security
  • Knowledge improvement of key security topics
  • Engagement with security training

By monitoring these areas, an organization can understand if their efforts are successful.

Learn how Proofpoint Security Awareness Training can help build an effective security culture within your organization.