Build a Security Culture (2015)


In this chapter I will discuss who to involve, and why, when working with security culture - HR, marketing, management and so on.

Humans are impressive when we consider what we can learn to stay on top of our game. History is a clear tell-tale of what may happen when bright minds put their heads together to evolve their ideas. Consider people such as Edison, Einstein, Marie Curie and Michelangelo. Look at people such as Sun Tzu, Napoleon and Churchill.

It is easy to think of such bright minds as people who did everything by themselves. When looking at their achievements it quickly becomes clear that they were not alone - they had help. They worked with other people. In fact, they knew how to involve the right kind of people, at the right time, to create the impact they needed.

They owe their success to other people.

When analysing security culture programmes that succeed, it quickly becomes clear that they are not one-man shows. Successful security culture is built by drawing on the competence that already exists around the organisation. Sometimes it also makes sense to look outside the organisation for inspiration, competence and help.

Asking for help may feel like failure. Especially if you are considered the subject matter expert, the one other people come to for answers. Being the expert may mean being used to having all the answers and that being right is expected. What do you do then, when the landscape changes and your experience no longer seems to apply?

You learn to ask for help. Instead of being the know-all, you become the hub who connects the different kinds of knowledge needed in a modern-day security culture programme. You focus on finding the people who have, or can come up with, the right answers. And you bring these people together in a project to build the culture you want to create.

Success today is like success yesterday: a result of the combined efforts of one or several teams. Building a successful team means understanding how to ask for help, and whom to ask it from.

Building security culture requires a lot more than just information security competence. Technology and policies are a part of security culture, just like people and competence. Your security culture team needs to reflect all the areas of security culture, not only those areas you are confident with.

Security culture is a subculture of the organisational culture, your company culture. As such, security culture should be designed and built together with those in the organisation who deal with organisational culture. In most organisations the responsibility for culture lies with HR. HR in turn receives instructions and direction from management through the company employment policies, the company mission and vision, as well as the existing company culture.

HR knows culture. Setting out to create a new security culture in your organisation requires the involvement of HR, and preferably you want them to actively support and work with you. Your goal is to have HR embrace the security culture programme and implement it as a part of the existing company culture programmes.

Many organisations already have HR involved in security. Many employee on-boarding programmes come with “Read and Sign” security policies, mandatory IT security trainings, and distribution of keys and credentials. Organisations also have off-boarding programmes to ensure the return of employee keys, credentials and so on.

Security awareness trainings may also be included in HR-controlled trainings. Awareness trainings under HR are often motivated by compliance more than conformity, and often such training efforts are delegated to the security department.

And here is the challenge: unless the security department has resources who are themselves dedicated to awareness and culture, the training it delivers misses the target. Developing and delivering training is itself a specialist field, known as instructional design.

The Association for Talent Development (ATD) has great experience in creating trainers and trainings for workforce development, and they provide their members with a special certification in instructional design. You can think of it as the training industry’s Certified Information Systems Security Professional (CISSP). There is a reason for that: developing training programmes for adults, programmes that yield the kind of results you want, is a skill and competence that requires training and practice. Just as working with security is a demanding sector with its own requirements, creating and delivering trainings is a specialist field.

Working closely with HR will give you important insights into how culture is currently built and maintained. Piggybacking on those activities with smart messages that enhance security may be a successful strategy. Only by working with HR can you do that.

HR may also run and manage the security culture programme themselves, freeing up precious time and resources in the security team. Keep your goal in mind: to build and maintain security culture. Nothing in that goal says the security team has to run the programme itself; HR can manage it.

In addition to competence within areas such as training, security and culture, a successful security culture programme must also be communicated in a way that resonates with the audience. Our security messages must be presented using words, images and anecdotes[16] that make sense to those we are trying to teach. Most of the time, they are not subject-matter experts on security - they do other things like sales, accounting, production, strategy and management. If we are to make them understand, we need to adjust the way we communicate with them.

We must learn how to communicate. Or, we can ask for help from those who know how to communicate.

Many organisations have a marketing or communication department. The names vary depending on sector and industry, but what you are looking for are those people who create information that explains what your organisation does, where the value lies and why others should care. If your organisation does not have a separate department that does this, find the team that does. Or look outside the organisation. Many companies prefer to buy external marketing services.

The kind of help you are looking for from this resource is divided into two parts:

1. Audience analysis

2. Message crafting.

Any great presenter adapts their presentation style, words and content to the audience. They understand that different people have different needs, focus and interests, and make great efforts forming their message to make it stick with that particular audience. To understand their audience, they will ask the organiser who the target audience is, what level of skills they have, as well as other relevant information like sector, industry, language, age, sex and so on[17].

For an inexperienced organiser and speaker, these questions may seem strange and irrelevant, but they help the speaker adjust content and delivery so that as many participants as possible take the message home. And that is what is important: hit home with as many as possible.

Analysing your target audience for your security culture programme follows the same principle: the more you understand your audience, the easier it is to ensure they understand your message. Target audience analysis is also something that marketing departments and advertising companies do for a living. To make the most out of the marketing budgets, the market is segmented into user groups with similar traits, who are then documented and analysed according to their demographics. Depending on the products and/or services sold, psychographics may also be applied. When building security culture, you want to consider both demographics and psychographics when analysing your audience.

Segmentation, or the art of dividing your market into subgroups, in your security culture programme can be done by using departments as segments. You may also choose to segment using other borders: countries, companies, teams, locations, language and so on. Each organisation is different, and may need a different approach.

When you have segmented your organisation, selected which segment to work with and analysed it, it is time to craft your message.

The second area where your marketing department may help in building and maintaining security culture is crafting the message you want to send. Their expertise and creativity are a great asset in any programme that needs to communicate a clear message. By asking them to join your security culture workgroup, you bring their skill-sets to your table, helping you create content that makes sense.

Remember that you are the subject-matter expert on security, and they are brought in as experts on communication. This implies that you need to trust their ideas and instincts, even if their ideas may be outside of your comfort zone. You are not the target audience, someone else is.

With all that said, a word of caution. Marketing people are creatives and communicators, not security people, and at the start of your security culture programme they will know little about security. You are the security expert, and as such you must ensure the message conveyed is correct and aligned with the security culture goals. Creativity is great, as long as it moves the programme in the right direction.

Working with creative people may introduce conflicts. The easiest way to involve creative people is by having a clearly defined scope. Narrow it down early on, and help them stay within the defined boundaries of your scope. Your job is not to say “NO!”, but rather to ask them nicely, “So how do you see this idea bringing us closer to our goal?”

If the communication people have one idea and you have a different one, consider testing which works. Set up an A/B test with both ideas, using a subset of your target segment as the test group. Unless your segment is large enough for the two groups to show a meaningful difference, you may have to fall back on one-on-one testing and interviews.

Testing campaigns before you roll them out to a larger part of the organisation can be done using the 12-week campaign of the Security Culture Framework. Use one campaign to test the content, and the following 12-week period to run the content that gave the best results to the larger audience.
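As an added illustration of the segmentation described above and of the A/B test just outlined, the Python script below builds a constructed staff roster, segments it by department, splits one segment into two arms, and compares the outcome of two message variants with a two-proportion z-test. This is example code written for this edition, not code from the book or from the Security Culture Framework. The outcome measure (the share of each arm that reported a simulated phishing e-mail), the minimum arm size of 30, the roster and all the counts are assumptions chosen for the example.

```python
"""Segment a staff roster and A/B test two security messages.

Added example for this chapter; not code from the book or from the
Security Culture Framework. The roster, the report counts and the
outcome measure (share of an arm that reported a simulated phishing
e-mail) are all constructed assumptions.
"""
import math
import random
from collections import defaultdict

# Constructed roster: 180 people spread over four departments and
# three countries. A real programme would pull this from HR.
DEPARTMENTS = ["sales", "accounting", "production", "strategy"]
COUNTRIES = ["NO", "SE", "DK"]
ROSTER = [
    {"id": f"e{i:03d}", "dept": DEPARTMENTS[i % 4], "country": COUNTRIES[i % 3]}
    for i in range(180)
]


def segment(roster, field):
    """Group employee ids by one attribute (department, country, ...)."""
    groups = defaultdict(list)
    for person in roster:
        groups[person[field]].append(person["id"])
    return dict(groups)


def split_ab(ids, seed=42):
    """Randomly assign ids to arm A and arm B.

    The seed makes the split reproducible, so the same people stay in
    the same arm for the whole campaign.
    """
    rng = random.Random(seed)
    shuffled = list(ids)
    rng.shuffle(shuffled)
    half = len(shuffled) // 2
    return shuffled[:half], shuffled[half:]


def two_proportion_z(hits_a, n_a, hits_b, n_b):
    """Two-sided two-proportion z-test on hits/n for each arm.

    Returns (z, p_value); z > 0 means arm B did better.
    """
    pooled = (hits_a + hits_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:  # identical all-or-nothing outcomes, nothing to separate
        return 0.0, 1.0
    z = (hits_b / n_b - hits_a / n_a) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return z, p_value


def compare_variants(hits_a, n_a, hits_b, n_b, alpha=0.05, min_per_arm=30):
    """Decide which message variant to roll out.

    Returns (winner, p_value) where winner is 'A', 'B' or 'inconclusive'.
    Arms smaller than min_per_arm (an assumed rule of thumb) are not
    tested at all: that is the case where the chapter suggests falling
    back on one-on-one testing and interviews.
    """
    if min(n_a, n_b) < min_per_arm:
        return "inconclusive", None
    z, p_value = two_proportion_z(hits_a, n_a, hits_b, n_b)
    if p_value >= alpha:
        return "inconclusive", p_value
    return ("B" if z > 0 else "A"), p_value


if __name__ == "__main__":
    by_dept = segment(ROSTER, "dept")
    arm_a, arm_b = split_ab(by_dept["sales"])
    print(f"sales segment: {len(arm_a)} in arm A, {len(arm_b)} in arm B")

    # Constructed results from a larger segment: 90 people per arm,
    # 18 reports with message A versus 34 with message B.
    winner, p_value = compare_variants(18, 90, 34, 90)
    print(f"large segment: winner={winner}, p={p_value:.4f}")

    # Same rates in a 12-person segment: too small to test.
    winner, p_value = compare_variants(3, 12, 6, 12)
    print(f"small segment: winner={winner}, p={p_value}")
```

The point of the size check is the caveat from the text: a 12-person team with the same report rates as the 180-person example gives no usable result, so the script refuses to pick a winner and leaves that segment to interviews rather than to a coin-flip statistic.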

I have also had the not so pleasant task of working with someone creative who never accepted my boundaries. In meetings she would be fine with my objections, whereas later I would receive long emails explaining why I was wrong and she was right. She would also disregard my change requests. It became obvious that this could not continue, and she was quickly replaced. Unfortunately, there is no easy way to tell when to replace someone on your team; it is a call that must be made on a case-by-case basis. Ask yourself if the person is really that annoying, or if it is you who is creating the situation.

Knowing when to ask for help is a skill we all can develop. Knowing whom to ask may be a bit tougher. And knowing how to ask can be tricky too!

Table 1: Whom to ask for what

Who                            What they can contribute
-----------------------------  --------------------------------------------------------------------
HR                             Employee data; organisational overview
Marketing/communication dept   Audience analysis; crafting messages; analysing results; A/B testing
C-level management             Policy sign-off; strategic planning

How to ask for help is dependent on what you need and whom you ask. Asking your chief executive officer to support your security culture programme is different from asking your colleague to patch a server.

To improve your chances of getting the answer you want, it helps to understand the other person’s perspective and focus. The more you can help them connect their own dots, the easier it will be for them to understand your question, your needs and therefore their interest in helping you. Think of it as audience analysis, where you look at what is important to this person and their role. Ask yourself questions like:

• what are the major challenges this role/person faces?

• how will my idea/challenge/programme be received?

• how can I adapt my idea/challenge/programme to help the role/person?

• how does my idea/challenge/programme fit in with their major challenge?

Sometimes it also proves valuable to consider how the other person perceives you as a person: we are more likely to help people we like and connect well with.

The next chapter is dedicated to the psychology of how we are influenced by other people. Use that chapter to better understand other tactics you can apply to build the support you require to build and maintain security culture in your organisation.

Building your team

John, the CISO of a large, multinational bank, had a team of cyber security professionals to help him tackle incidents and run their security operations. His team was highly skilled, from network engineering to intrusion detection system tuning, from security data analytics to incident response. And they all seemed to love their work. Except when the task of security awareness landed on their table. John thought it had turned into a game within his team to avoid any work with security awareness. He understood that his team’s lack of interest in awareness could be due to a number of things:

• Awareness is not considered sexy enough (i.e. not technical).

• A team member not having enough knowledge of awareness.

• Awareness work seems to never be successful, turning anyone working with it into a failure.

• A lack of funding to buy the coolest trainings or content available.

Most of these things can be handled easily enough - as soon as they are recognised. Let’s take each point by itself:

• Not considered sexy is a common excuse we hear from technical staff. There are several ways to deal with this, including hiring a security culture manager, as is increasingly done in the Nordic countries (Norway, Sweden and Denmark), who will build, implement and manage a security culture programme. Another option is to use technical tools such as the Social-Engineer Toolkit (SET), a tool most techies will relate to and like. Communicating the importance and value of security culture work will also help motivate your team to take it on.

• A team not having enough knowledge of awareness is another challenge we see. Of course, if you do not know enough about a topic, it is hard to realise just how cool it is, right? To tackle this, training your team in security culture is vital. The aforementioned Social-Engineer Toolkit is an excellent way to raise knowledge and build interest. Another way to show how critical and exciting awareness work can be is to join or design a Social Engineering Capture the Flag (CTF) event with your team. Also, create an environment where it is easy to plan and execute security culture activities.

• The argument that security awareness is never successful is easily countered with good metrics and an understanding of human behaviour. Use the Metrics module of the Security Culture Framework to design and build goals and metrics that matter.

• A lack of funding is a challenge in all work, not just security. To get the funding you want, you will have to compete with other departments and projects that may be more business aligned and better at communicating direct and indirect value. Again, metrics matter. And when it comes to securing budgets, communicating business value is critical. Do not expect a huge fund from day one. More commonly, you must demonstrate results and value over time. Again, the Metrics module is your friend. Also, an out-of-the-box, low-cost, use-what-we-have mentality will take you a long way when funding is low.

John had very little funding, and could not hire a full-time security culture officer. Instead, he asked his team for two volunteers to spend 40% of their time over the next three months on security awareness. He offered training in the Social-Engineer Toolkit, as well as in the Security Culture Framework, and the three would evaluate progress after the three months. John was hoping to motivate the two volunteers to take on the security culture work after the initial three-month trial, yet he had not anticipated just what he would get in return.

The new CultureCrew, as they quickly became known, fell in love with the Social-Engineer Toolkit and used it immediately. They set up a Capture-the-Flag event for the security team, an event that became so successful that people from outside security wanted to join and asked when the next one would take place. When the review meeting between John and CultureCrew took place at the end of the three-month evaluation period, John was surprised to hear that both team members wanted to go on; they even presented an 18-month plan for building security culture company-wide. They explained that the Security Culture Framework offered templates they had used to develop campaigns they could implement easily and with little extra effort, and that they had all the resources they needed to start.

After a review and some minor adjustments, John signed off CultureCrew’s plan to get their security culture going, knowing that the heart of security operations, his team, had changed their mind completely about security awareness work.

[16] While anecdotes are sneered at by more analytical people, they provide an excellent method of communicating with a broad audience. Steven Denning presents an excellent discussion of anecdotes as part of his argument for storytelling in business leadership (“Telling Tales”, Harvard Business Review, 2004).

[17] Audience analysis differs subtly between disciplines, but in general recommends a few key features be examined: demographics (who the audience is - age, gender, culture, and so on), attitudes (disposition, beliefs, values), knowledge (what does the audience know about the topic) and environment (how is the information being presented, where is the audience when they receive the information, and so on). Depending on your particular circumstances, these will be more or less involved, and will enable you to tailor your communication to the audience.