According to a 2019 survey of over 1500 UK businesses published by statista.com, only 27% had invested in security training for their staff within the previous 12 months. This got us thinking about the relationship between the culture of a business and its leadership team's approach, and how this affects investment in cybersecurity to create a culture of security.
A business's culture refers to the beliefs and behaviours that determine how its employees and management interact and manage the business across all its functions. Often, business culture is implied, not expressly defined, and develops organically over time from the cumulative traits of the people the company hires. With cybersecurity and the risks businesses face today, having a cultural approach to security is key to ensuring that business objectives in this area are met.
A culture of security will come from having a set of agreed and embedded values across the workforce which determine how everyone thinks about and approaches cybersecurity. Within this culture a business is able to promote and elicit the desired behaviours from its staff across all functions.
You can read more about our views on security culture here.
Owners and leadership teams need to understand and own that security begins with them; however, it is the responsibility of all staff to ensure that security policies and processes are followed.
The first step to a secure business is a leadership team that understands that security needs to be addressed, what needs to be protected and how security can help the business meet business goals, if done right. Ensuring you have the right people or partners in place will create a solid foundation for building a culture of security.
Teams or roles dedicated to security should be taking their direction from the leadership team or business owner, and they should be able to listen to their colleagues and feel empowered to be informed by what they hear around the business. A good leadership team will trust their dedicated specialists.
Employees are often seen as a weak link when it comes to security, though with investment in training and awareness they can be an organisation’s biggest security asset, providing a critical first line of defence against cyber-attack.
One key responsibility of leaders, beyond providing clarity and direction to their teams, is ensuring that all staff are trained appropriately.
As we saw at the beginning, the level of investment in UK businesses around security training is worryingly low. But this presents an opportunity, and one which will change the cultural view of cybersecurity and demonstrate to staff that the leadership team are taking their role and commitment to security seriously.
For business owners and leaders there is an ongoing question as to whether investing in technical solutions alone will protect them from cyberattacks. Our view is that no, this won’t happen if all you do is focus on the latest firewalls and security software. Investing in cybersecurity training is now a must-do for all businesses.
However, investing in training cannot be seen as a tick-box exercise, especially when it relates to cybersecurity. Taking time to understand what your particular business needs and would benefit from is ever more important, as is being responsive to how people learn and what will work best for your people and your business. Taking this approach will also play back into how your culture of security is built and evolves. We have a lot more to say about the importance of training; take a look here. Our approach to training at CyberScale focuses on making sure staff understand why specific policies and processes are in place from a cybersecurity perspective, and we also ensure that both the business and personal perspectives are covered.
Let’s not forget that, as with all aspects of running a business, large or small, achieving a balance is what we are striving for when building a culture and leadership style around security, as this will enable people to engage with being secure in the work they do and also do their actual job!