Lessons Learned: Building Healthy Security Cultures

We’re hosting a new series highlighting members of our Security Awareness Manager community and their lessons learned while creating and running awareness programs that go beyond checking the box and make an impact. This week we're happy to feature SAM Community member Nadja el Fertasi. Nadja is the founder of Thrive with EQ, a consultancy that helps organizations build digital emotional intelligence and resiliency. She brings 20 years of experience at NATO working in crisis management, security and digital transformation, bridging the gap between technical and non-technical people across a variety of disciplines.

"I like to turn human vulnerability into human empowerment."

How can we make security culturally transformative?

When security is approached purely as a compliance requirement with fear as the motivator, people will address the fear and not the root cause of their insecure behavior. As is well known, this may bring about short-term results, allowing the org to check the box for compliance, but it leaves the organization as vulnerable as before.

However, when you influence people to adopt positive security behavior instead of using 'command and control' tactics, the effect is a stronger sense of ownership in their awareness. As Nadja points out, "How powerful is it [when] they change because they want to change and understand why they have to change - this becomes more sustainable."

Awareness is not the goal.

Being aware is not enough. Many employees today are aware that MFA is important and not having it will put them at risk and, yet, a majority of these same users still do not utilize MFA. This is emphasized in a VentureBeat article, "New statistics released in the [Microsoft Cyber Signals] report show that just 22% of Azure Active Directory identities utilize “strong” authentication in the form of MFA. The remaining 78% of Azure AD identities require only a username and password to authenticate, Microsoft disclosed."

Understanding, however, takes that awareness of MFA and turns it into behavioral change: actually implementing and using MFA.

It's not only training, it's the way we communicate.

As alluded to previously, creating a healthy security culture is not only about compliance and training; it's also about the way we communicate with each other. It's one thing to ensure every employee receives training on MFA; it's another to address the reality that lack of adoption may, in part, stem from an employee's apprehension about installing it, or from not having learned a streamlined way to use it so that it does not become a major obstacle to their work.

As security practitioners, being able to understand obstacles to adoption and finding effective methods of speaking to those barriers can begin to move the culture from awareness to understanding.

Nadja noted that 95% of behavior is driven subconsciously and because we value speed over time, we default to insecure digital habits until we can change our understanding.

She commented, "If we have a conflicting belief that installing multi-factor authentication is a stressful act, before doing it, already we are not going to feel that incentive or reward for doing it. We're going to try to cut corners because it feels uncomfortable. Changing a habit brings discomfort. Understanding how change happens to us but disruption happens within us, and explaining that to people and making it easier for them to have it as a lifestyle, will help implement new habits.

You cannot expect a very secure behavior from your people if you are leading based on fear, stress and speed."

How do you change habits at scale?

In working with information security professionals, Nadja first addresses the emotional intelligence aspect and how to apply it to get buy-in from their organization. As there is typically resistance to adopting and understanding information security as a partnership and cultural change across departments, the skillset of emotional intelligence empowers the security team to more effectively understand and address organizational barriers.

Just as a motor cannot run long without oil, it's crucial to have leadership buy-in or the long term cultural change will not take root. Applying emotional intelligence in conversations with leadership can bring greater understanding and build bridges towards that buy-in.

Once the groundwork has been established, then it's time to look at training. As alluded to previously, simply ensuring every employee has sat in front of the mandatory videos and signed off on the required policies is not effective. Training must be more than one-directional.

As the brain is wired with survival as one of its primary goals, it can actually work against us in times of intense stress. Since one of the most common methods of cyber criminals is triggering fear, their attacks naturally induce our fight, flight or freeze instinct. To counter this natural instinct, Nadja suggests effective training needs to be experiential: training that ignites these same feelings and instincts, but in a setting where they can be guided into learning a new response for similar situations. Essentially, this means creating variations of simulated attacks through different mediums such as gaming, virtual reality and other out-of-the-box simulations to engage the learners in recognizing their heightened emotions and retraining their responses.

Adding an experiential dynamic to the overall training program, alongside the standard education, the technical aspects and the business risk perspective, provides greater context for employees to apply their understanding and demonstrate new behaviors.

Calculate risk and then direct your resources.

It may seem obvious, but before jumping in with whatever the latest trend in security awareness is, it's critical to first calculate risk across the organization and determine what would cause the biggest business disruption. Then, take steps towards focusing your awareness efforts in those areas first.

It's important to strive to reach a point where the organization can move away from a 'firefighting mode' to a maintenance mode in terms of established security behaviors. The longer a business stays in firefighting mode instead of maintaining established, good cyber hygiene, the higher the risk to the business and the more depleted your teams and resources will be.

It takes time to build up a security mindset across an organization but once you reach this point of maintenance, it is one signal of a healthy security culture shift.

One misstep that many organizations make in creating experiential trainings is using tools for these experiences without tailoring them to the organization's needs. "The technology is there to adapt it to serve your [organization's] purpose."

Along with understanding the business risk, it's important to consider the audience who will be receiving a particular experiential training: Gen Z will generally respond to more advanced 'techie' gaming more readily than an organization or department with a more generationally diverse audience. In short, once business risk has been assessed, assess the audiences who will be receiving the training to ensure the message is delivered in as many variations and mediums as necessary. This includes considering the business brand, employee values, and employee experience and cultures to more effectively build out what is essentially a transformational change program.

Addressing the challenges in positive transformation

Unlike programming software, which has relatively straightforward processes and procedures, working to transform the culture in an organization deals with people. People are the wildcard and come complete with emotions, insecurities, bias, assertiveness or lack thereof, home stressors, and more. While it is a challenge, according to Nadja, it also provides an opportunity. The opportunity is in cultivating relationships to create two-way communication.

The security tech who sits behind the desk and only responds to tickets, while definitely doing their role, operates in a limited capacity. Applying emotional intelligence to the role broadens their awareness of the employees they serve, helping them understand those employees' needs and build relationships that can nurture greater security understanding and, ultimately, better security habits.

In short, look for opportunities to cultivate understanding and establish relationships beyond the technical. Learn to use the skillset that emotional intelligence offers to make inroads toward a stronger (and healthier) security culture. When others in the organization feel heard and understood, it opens the door for them to receive the awareness messaging and training, which leads to adoption.

Tips to get started towards building a healthy security culture

Nadja recommends:

"First, to build understanding. Build partnerships around information security. Whether through trainings, virtual coffees, incorporating it in meetings and making it a priority with leadership; work on changing the perception about information security. 

Secondly, don't use the same information security messaging and policies for all your departments. People have different needs.

Coders need to understand how to have secure collaboration with third parties and how they implement information from multiple sources.

Marketing needs to understand the information they are putting out and how it can increase social engineering risk.

Finance needs to understand the cost of business disruption; how to mitigate it; how to invest in the right resources to reduce the cyber attacks.

CEOs and other stakeholders need to know what the regulatory landscape is specifically for me and my organization, and the liability; as well as what the impact on customers is.

You need to have your security policy but really focus on the 'why' and the outcome. And then build your program around it. Training is just part of it."


Connect with Nadja on LinkedIn and while you're there check out our Security Awareness Manager community.

Looking for awareness training that is short, relevant and engaging? Check out Wizer’s free security awareness video library.