Improve Your Cybersecurity Culture in 8 Steps

In our last post, we discussed the importance of establishing a strong cybersecurity culture to address the non-technological side of data risk because an overwhelming majority of breaches involve the human element. Now, it’s time to take action to build that culture.

Cybersecurity expert Kai Roer developed a framework that highlights the key elements of such a culture and explains how to make meaningful changes within an organization. This framework was adopted and further refined by the European Union Agency for Network and Information Security (ENISA), which published it online here. The ENISA framework provides an iterative approach to improving cybersecurity culture, and we recommend it as a good place to start. The section below gives a brief description of the framework’s key steps.

Step 1: Set Up Your Core Work Group

To begin, you need to create a core cybersecurity culture work group that will be responsible for developing the cybersecurity culture program and strategy, overseeing the implementation of activities, and ensuring alignment with cybersecurity policy. The group will also be responsible for securing buy-in from the top down and serving as ambassadors of cybersecurity culture to the broader enterprise.

Step 2: Establish a Shared Understanding and Conduct a Risk Assessment

Next, you need to understand what values, beliefs, and practices already exist within your organization. This will help you develop an understanding of how current and future-state security measures align with the core business processes that drive your organizational strategy, identifying where synergies and conflicts exist.

Step 3: Define Goals, Success Criteria, and Target Audiences

Now, you need to define the primary goals of your cybersecurity culture program, prioritizing the most important issues and defining metrics for success. Further, you need to identify the employees you want to target with the program.

Step 4: Define the Current State and Complete a Gap Analysis

For each goal you identify, you need to analyze and define where things currently stand. Then, conduct a gap analysis to uncover the path to success.

Step 5: Define the Path Forward

Now that you see opportunities for improvement, you need to identify the activities that will bridge the gap between your current state and successfully achieving your goals.

Step 6: Bridge the Gap

You need to take action! Execute the activities you defined to achieve your goals and improve your cybersecurity culture.

Step 7: Analyze Your Results

You won’t know if you’re succeeding if you don’t measure your results. In step three you defined success criteria; now, you need to measure the effect of your activities relative to your goals.

Step 8: Reassess

Periodically, you need to stop and review your strategy and where you stand against your goals. Identify how your cybersecurity culture has improved and where there are additional improvements to be made. Based on your findings and experiences, determine how you will proceed with any next steps.

A Brief Example

The goal of your cybersecurity culture program is to improve behaviors, attitudes, cognitions, compliance, communication, norms, and responsibilities across one or more topics, but in this case, we’ll focus on just one example. Let’s say that the behavior you seek to change is related to phishing emails. Data shows that in 2016, three of the top five cyberattack threats were human factors, one of them being phishing emails. To address this issue, you may run a test, sending a simulated phishing email to employees across all business units. Based on the results you collect, you may decide to focus on one, several, or all business units to improve behavior in this area. If you previously set a goal of 90 percent compliance across business units, and two business units were not meeting that standard (60 percent), you may choose to focus your efforts on those two business units.

In order to improve this behavior, you may choose to execute several activities to not only create awareness of the problem but change behavior. These activities may include:

– “Mock attacks,” where fake phishing emails are sent to staff
– FAQs, in the form of flyers or posters online or in buildings, to create awareness
– In-person or online training sessions and workshops to help employees recognize threats and understand the impact of clicking on malicious links, etc.

After completing the activities, it is important to retest and see how the behavior improved. Transparency and communication are important throughout this process to ensure employees understand what is expected of them and the importance of these exercises. It is also recommended to use rewards and sanctions to incentivize employees to adopt the desired behaviors.

Depending on the bandwidth of your cybersecurity culture team, and the breadth of your scope, you may be running activities across multiple topics simultaneously. Other topics may include policy compliance, secure passwords, social engineering, and/or safe internet behavior.

Your Cybersecurity Culture Team

It is important that this be a cross-organizational effort and that your cybersecurity culture team include representatives from various departments with different areas of expertise. See below for a summary of roles that may exist across a cybersecurity culture team:

1. Senior Management. A cybersecurity culture champion with board/C-Suite sponsorship. This person is responsible for championing the initiative, ensuring alignment with the overall business strategy, and communicating at the executive level.
2. IT Department. This person is responsible for contributing their expertise in cybersecurity and ensuring up-to-date technical measures. They can also offer risk-related insights to senior management and support decision making.
3. Information Security (CSO/CISO). This person is responsible for providing information security expertise and governance and helping to manage people and progress. They are also responsible for aligning IT and Infosec, drafting cybersecurity strategy and policy, and representing security at the executive level. The CISO communicates up to the board on progress and down to employees to set the tone that security should be embedded in everything the organization does.
4. Human Resources. An HR representative is the bridge from management to employees, responsible for overseeing awareness, training, and communication. This person has insight into behaviors/culture of staff, understanding of roles, and how to embed new practices into already established processes.
5. Legal. This person is responsible for ensuring compliance with any newly established practices and legislation.
6. Marketing / Communications. This person is responsible for supporting change by designing and promoting cyber awareness and education through communication.

Contact me at [email protected] or (215) 901-0523 to discuss your organization’s cybersecurity culture and our recommendations for moving forward.

Michael Padgeon, Senior Consultant