Perry Carpenter, Chief Evangelist for KnowBe4 Inc., emphasizes the importance of focusing on curbing human actions rather than solely relying on technical controls for cybersecurity. As the concept of security culture becomes more prevalent at the C-level, questions arise about what constitutes a security culture and the repercussions of neglecting it within an organization.
A security culture is defined by the shared values, attitudes, beliefs, and behaviors of employees towards cybersecurity. It reflects how an organization prioritizes security and how employees perceive and interact with security measures. Neglecting positive security behaviors can lead to the development of an unhealthy security posture, similar to how weeds can choke the growth of a garden if not tended to.
Signs of a negative security culture include low priority placed on cybersecurity, employees not complying with policies, and a general lack of understanding and awareness of cybersecurity issues. To foster a positive cybersecurity culture, organizations need to make cybersecurity a priority, encourage compliance with policies, and promote awareness and understanding of cybersecurity issues among employees.
Recommendations for building a positive cybersecurity culture include measuring the current state of culture within the organization, establishing end goals and objectives, creating a strategic plan that targets culture, and continually refining goals and methods based on successes and setbacks. It is essential to involve leadership in promoting positive cybersecurity behavior from the top down, activate ambassadors within the organization, and regularly reinforce the importance of cybersecurity through various communication channels.
Creating a sustainable security culture is an ongoing process that requires positive reinforcement, collective effort, and alignment with security priorities and best practices. By articulating, monitoring, and building awareness of security culture, organizations can boost their security posture and mitigate risks effectively. The security sector must continue to prioritize and invest in developing a strong security culture to enhance overall cybersecurity resilience and defense capabilities.