For decades, organizations have spent millions attempting to educate employees on security awareness. The results have been marginal, at best, according to the Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues.
“A really small percentage of organizations are able to say they’ve reached a heightened level of security awareness or positive behaviors that they’re really striving for,” says Steve Durbin, global vice president of ISF. “If what we’re currently doing from an awareness standpoint isn’t working, what do we need to do to be more effective in this space?”
The answer, he says, is to embed positive security behaviors into your business processes. Here are 10 principles that can help.
Let Risk Drive Information Security Solutions
Everything comes down to a risk-based approach. You need to perform a risk assessment on your data and people. What data will hurt you the most if you’re compromised? Which employees, from the CEO down, represent the greatest risk? Form a strong baseline and measurement criteria based on risk as a starting point, ensuring each security solution has a direct link to business requirements and addresses one or more risks.
“You will have a different type of risk solution depending on the profile of the people you’re taking the message to,” Durbin says. “Identify where the real crown jewels lie and tackle that first before you try to roll it out across the entire organization.”
Continue to Look for Alternative Processes
Embedding positive security behaviors is an ongoing process. Just because you’ve done it one way in the past doesn’t mean that’s the best approach going forward. ISF suggests you challenge complex systems and cumbersome processes rather than forcing behavior to change to accommodate them. Strive to ensure new systems and processes are as simple and user-friendly as possible.
“Go into it with an open mind,” Durbin says. “The process itself may be the problem. It may be you have a particularly complex system or cumbersome process and it doesn’t have to be that way. Ask yourself: ‘If we were starting fresh, how would we build security into this particular process that would make it easy for people to conform?’”
Embed Positive Information Security Behaviors
Seek to promote and value behaviors that let people play an essential role in strengthening organizational resilience. It’s not enough to communicate what they should do; you need to help them understand why the behavior is important and help them feel ownership, so they can recognize key moments and make the right decisions. This may require tailoring the message for the particular department, or even the particular role, that you’re targeting.
Empower People to Make Information Security Decisions
Approach security solutions as a battle for hearts and minds. In today’s business world, there’s no getting around it: Employees will have valuable data at their fingertips. To achieve a positive security posture, you need to extend trust to employees while motivating them to protect the business and empowering them to make the decisions necessary to do so.
“If you can win hearts and minds, then you can change attitudes and behaviors,” Durbin says. “You need to have adult conversations. You can’t do it at all levels of the organization, but you should really try to be trusting, empowering and motivating across as much of the enterprise as possible.”
Set a Realistic Timeframe for Changing Security Behaviors
Embedding positive information security behaviors in your organization doesn’t happen overnight. Many of the organizations that ISF says have successfully adopted this approach have taken years to get to their current security posture. It may take three to five years to effect lasting change. You have to accept there’s no silver bullet.
“We’re talking about years,” Durbin says. “This is a journey. Over the course of the journey, things will change.”
Aim for a ‘Stop and Think’ Approach to Security
The real goal here is to empower your people to make the right decisions or know when they need to consult with an expert. If you can get employees to stop and think at key moments, you will secure the human element. You won’t succeed in training your people for all occasions. That’s impossible in today’s business environment. But you can get them to recognize when something may have security implications.
“Let’s give the individual the ability to weigh the risk,” Durbin says. “Am I behaving as I should? Am I doing the right thing from a good security standpoint? We have to get to that point. We simply can’t lock things down anymore.”
When Communicating Security Behaviors, Move from ‘Tell’ to ‘Sell’
Part of the problem with old security awareness programs is that they take a one-size-fits-all approach that fails to engage everyone on a personal level. You need to design persuasive solutions tailored to the risk profile of segmented audiences. It also helps to educate at the point of failure: if you run a phishing simulation to test your antiphishing program and someone clicks a phishing link, provide information right then and there, without value judgment, on what phishing is and how to avoid it.
Tap into the Right Skills to Define and Implement Security Solutions
This approach to security probably requires skills your information security professionals don’t have. Security awareness is often lumped in with learning and development activities, but this approach is more akin to change management. To successfully embed positive security behaviors, you may need to tap skills from the marketing department, human resources and even psychologists. You also need to build a strong brand and identity around your program.
“It’s all about reaching out into other parts of the organization,” Durbin says. “And the best part is that information security is also being embedded in those departments that you’re reaching out to.”
Identify and Integrate Security Champions into Your Efforts
As with other change management efforts, to succeed you need to identify a network of champions from the business to help introduce and sustain positive behaviors. Train them and prepare them to take on their role with confidence. Business leaders are a good choice for this, but Durbin notes that you can take it even further. He points to one bank that has dispersed its information security teams into its business units.
“The upside is the business is talking to them more,” he says. “From the information security perspective, they are seeing how users are going about doing their jobs on an ongoing basis, so they can provide light-touch knowledge of information security that is directly relevant to how people are operating.”
Hold People Accountable for Security Behaviors
Finally, you need to hold people accountable for their security behaviors. That means rewarding good behaviors and addressing unacceptable behaviors constructively — in the same way you would any other substandard performance.
“It’s about consistency,” Durbin says. “You have to try to do away with ignorance around all of this. It’s about getting across what good information security behavior looks like. If you are deliberately going to break these rules as opposed to making an honest mistake, there are consequences and those are embedded in our HR policies. But if someone makes an honest mistake, you want them to come forward. Create a positive environment where people understand that it happens.”