Imagine a world in which we offer our firefighters, nurses, and teachers theory training only. Imagine that there was no longer the funding available for the rigorous and intensive ‘hands-on’ practice they currently receive, and that in its place they receive an email outlining the incidents they might encounter, a PowerPoint illustrating the risks their work entails, and online training covering the procedures they need to implement with patients, fires, or students.
Now imagine what kind of medical attention, fire response, or education you would be likely to get as the outcome of a training process that fails to engage either the values or the practical involvement of those taking on vital roles in our society.
Thank goodness, we have made the decision that saving, moulding or mending human beings requires a wholly appropriate investment of time and budget.
So why don’t we invest the time and budget to switch on our employees’ desire to protect?
Firemen may be fighting fires but it’s the human victims that motivate them; nurses may be swamped with admin but it’s their patients that are the heartbeat of what they do; teachers may be disillusioned with the system, but it’s the students that keep them going. Without the human driver, security’s just a set of rules. But watch what happens when we start to talk about it as protecting the things that matter to us, and the ‘human factor’ kicks in as the missing link in every business’ security strategy. Our values and beliefs are our drivers; without them, we lack the motivation to behave differently.
How can we activate employees’ security drivers?
Values and beliefs can’t be bought, inducted, or forced; they are culturally determined. At Layer 8 we describe security culture as the way in which we demonstrate what matters most to us through the things we say and do on a daily basis. The security culture operating in our businesses is a direct reflection of the “informed values and priorities of an organisation’s leadership”.
We ‘soak in’ our cultural values through conversations, and through observing and copying the behaviours of others. If, in our work environment, security is never mentioned in team meetings or as part of business as usual, we quickly assess this to mean that it is not a priority, and we are more likely to ignore it when it is discussed. Equally, if we are given an annual security awareness talk, but observe that no-one is adopting security behaviours as a result, we’ll assess that the security policy is a paper exercise that can easily be ignored.
Developing an effective security culture
“While it’s difficult to build, security culture lasts a long time – without it, convenience always wins over security.”
Developing security culture requires an investment of time and resources to spread a conversation across the business to engage employees, and introduce campaigns for the adoption of key security behaviours. It’s not an instant process, and it requires dedicated advocates or staff who are passionately committed to making security something everyone does, talks about, and buys into rather than something that’s someone else’s responsibility.
“Cybersecurity culture is making sure that users — top to bottom, right to left – are keeping cybersecurity in their thought process no matter what they’re doing…”
The cost of not having an effective security culture is to have a business that is not being protected by its most valuable potential assets – the human beings at the heart of it.
Building the case for security culture is something more and more businesses are starting to tackle. Join the Layer 8 webinar “Culture Eats Strategy for Breakfast” – Creating the business case for security culture to find out how to:
- Make your argument clearly for senior management.
- Demonstrate the cast-iron rationale for developing a strong security culture.
- Switch on your human firewall.
- Set cultural goals and measure progress.