Cybersecurity Training and Tech Aren’t Enough; ‘Culture Change’ Needed


Companies spend a staggering amount of money on cybersecurity products to defend their networks and data from attackers, but two industry practitioners argue that much of that money is wasted if companies don’t also change their internal security culture.

In September 2021, Cybersecurity Ventures projected in a report that cumulative global cybersecurity spending for the period 2021 through 2025 would exceed $1.75 trillion. The report also projected another year of growth in investment for the sector, this time at 15% year over year.

Companies continue to invest in protecting their increasingly digitized business assets. From Internet of Things (IoT) devices to cloud services and hybrid-work endpoints, cybersecurity spending has both grown and shifted since COVID-19 changed the way the world works.

“In 2004, the global cybersecurity market was worth just $3.5 billion,” said Steve Morgan, founder of Cybersecurity Ventures. “Now it’s one of the largest and fastest-growing sectors in the information economy.”

Security executives have been investing in zero-trust architectures, automation, security orchestration, automation and response (SOAR) platforms, secure access service edge (SASE) models, and deception technology, among other controls.

But that technology can at best limit the damage if the human element doesn’t improve alongside it.


The Key to Cyber Defense is Security Culture

PwC’s 2022 Global Digital Trust Insights report shows that the cybersecurity spending trend has no sign of slowing down: 69% of surveyed organizations expected their security spending to increase in 2022.

But two veteran security experts, Perry Carpenter and Kai Roer of security awareness training vendor KnowBe4, say business leaders are overlooking an attacker’s primary way into a system: its people. They argue that the best defense against cyber threats is an organization’s security culture.

Their latest book, The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer, combines 35 years of security culture experience with data gathered from over 40,000 organizations worldwide. They argue that promoting security awareness isn’t enough; organizations must “bake security into their culture.”

Carpenter spoke to eSecurity Planet about the importance of a strong security culture. He said organizations have become experts in technology-based security controls such as firewalls, email gateways, and endpoint protection. Yet despite these advanced defenses, organizations still suffer major data breaches.

“Technology-based defenses have made it so difficult to hack into organizations that cybercriminals are increasingly turning to social engineering (tricking humans) to accomplish their goals,” Carpenter said.

The industry has to put as much effort into building human-based defenses as it has into its technology defenses. Carpenter’s recommendation is to invest more deliberate time, effort, and money in this layer of defense.

“This means focusing on our cybersecurity ABCs: awareness, behavior, and culture,” Carpenter said.

Improving Cybersecurity Communication and Metrics

Carpenter described a simple formula for the basic flow of executive communication, intended to improve every cybersecurity message. It starts with the information, which is then framed as a narrative or story. The story is what lets workers identify with the issues, and it makes the underlying concepts easier to remember.

“The person sharing information needs to find ways to connect the information to something bigger, broader, and more emotional than simple facts and figures,” Carpenter said.

The formula is:

Information → Story/Narrative → Transparency and Metrics → Insight and Direction.

In this formula, facts, figures, and supporting details should only be introduced in ways that support the broader story. When metrics are introduced, it is vital to interpret them transparently, clearly, and honestly: a metric in cybersecurity or security culture can represent a victory, a stumbling block, or a challenge that moves the story from one point of the plot to the next. That interpretation is what produces the insight and direction at the end of the formula.

Measuring an organization’s security culture is increasingly important for getting a 360-degree view of its strong and weak points. Rather than relying on a single awareness score, the method Carpenter and Roer use measures seven dimensions with a survey-based, statistically grounded approach.

“We break security culture into seven distinct, measurable dimensions. They are: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities,” Carpenter explained.

Each dimension can be measured by direct observation or by examining evidence and data. One of the instruments used is their proprietary Security Culture Survey, a set of scientifically validated questions designed to get at the heart of each of the seven dimensions.

“One of the secrets to getting accurate answers in a survey like this is that we don’t ask someone what their specific behavior or understanding is; instead, we ask them how they perceive other people or groups in their organization,” Carpenter said, adding that such indirect questions invite greater honesty.

The benefit of measuring security culture across seven dimensions is that it gives a far more detailed view of the issues that need to be addressed. According to Carpenter, the dimensions also influence one another: if an organization focuses on improving one or two of them, the others are expected to improve as well.

Protecting Your Data Through a Strong Security Culture

For years, technology-based controls have been preached as the ultimate defense against cyberattacks. However, Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved the human element. Organizations will remain exposed to attacks, no matter how strong their technical defenses are, because sophisticated criminals target the weakest link in a system: its workforce. That weak link can only be strengthened by improving the organization’s security culture.



By Ray Fernandez
