By: Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4

It’s good in that the increased use of the phrase security culture signals an increased understanding that simple security awareness is not enough. And – more importantly – it signals that people understand that security technologies do not offer full or sufficient protection against data breaches.  

So, what’s the part about the increased use of the phrase security culture? It’s this: most people use the phrase security culture without knowing what it means. That’s a problem. 

Let me put that into perspective. In The Security Culture Playbook: An Executive Guide to Reducing Risk and Building Your Human Defense Layer, Kai Roer and I outline the results of a study conducted by Forrester Consulting on behalf of KnowBe4. In that study of over 1,000 security professions with manager-level responsibility or above, Forrester found that 94% of respondents believe that a strong security culture is a critical component of a good security program. That’s great – but the downside was that the study also found that there was no general agreement in what that meant. About 750 distinct and differing definitions where given by the respondent pool. The range of definitions was fairly broad but fell within 5 main buckets, as follows:  

• 29% of respondents believed that security culture is compliance with security policies.  

• 24% said that it was having an awareness and an understanding of security issues.  

• 22% said that it was a recognition that security is a shared responsibility across the organization.  

• 14% indicated that it had something to do with establishing formal groups of people that could help influence security decisions. 

• 12% said that a good security culture meant that security was embedded into the organization. 

Now imagine having a discussion with a room full of 1,000 people and asking everyone who believes that X is important to raise their hand. If 94% of people raise their hands, you might think everyone is on the same page and the only work to be done is motivating people to act on their belief. Then you send them off to execute on their belief and now everyone scatters… they didn’t have a clear understanding of where they should be going or how to get there. Situations like this belong in comedy skits, not as part of the unconscious assumptions driving our security and risk management programs. 

That’s why definitions are important. 

So, what is security culture? Here’s a definition that we (Kai Roer and I) propose rooted in deep research into the social sciences: 

Security Culture is the ideas, customs and social behaviors of an organization that influence its security. 

Security culture can (and should) also be measured so that your organization can begin to understand where you are and where you want to go. In other words, you understand what security culture consists of so you can measure it. And you measure it so you can begin to improve it. 

When it comes to measuring security culture, we recommend measuring across seven distinct dimensions:  

• Attitudes: Employee feelings and beliefs about security protocols and issues. 

• Behaviors: Employee actions that impact security directly or indirectly. 

• Cognition: Employee understanding, knowledge and awareness of security issues and activities. 

• Communication: How well communication channels promote a sense of belonging and offer support related to security issues and incident reporting. 

• Compliance: Employee knowledge and support of security policies. 

• Norms: Employee knowledge and adherence to unwritten rules of conduct related to security.

• Responsibilities: How employees perceive their role as a critical factor in helping or harming security.

By now you can clearly see that security culture can be a pretty deep concept. It gets to the heart of what your people think, what they value, the actions they choose to take, the actions they choose to avoid taking, how they interact with one another, and much more. In other words, your security culture is the beating heart of how your people engage with your security program, your IT ecosystem, your data, and all other security-related aspects of your organization.   

As we’ve seen over the past several years, the vast majority of data breaches can be traced back to social engineering or some form of human error. Let’s face it… we need to do better. Our technologies aren’t adequate at providing fail-safe ways of protecting data. And awareness – in and of itself – isn’t enough to shape beliefs, values, behaviors, and social norms. The best way forward is to continually improve the technology we have while also committing to place an intense and intentional focus on building-up our human layer.