Significant changes have been made in recent years in dealing with cyber threats. The human factor is now taken seriously in security. For example, human error is now recognized as a key factor in an organization's overall risk profile. Security awareness programs are not enough to train employees.
For years, CISOs have done a remarkable job of educating users to understand the dangers of the internet. But companies need to do much more to build a solid foundation in security!
To go beyond security awareness training programs, change behavior and embed a security culture, you need to do the following:
- Create a people-centric security program. Go beyond the tactics and create a multi-year, sustainable strategy through a four-step plan that includes: 1) Identification of key threats. 2) Determining the initial behavior and condition of the target. 3) Creating initiatives that will affect each stakeholder community. 4) Measurement and continuous improvement of the plan.
- Focus your efforts on the inside and outside of your organization. Get away from "point-in-time engagement" activities. Create a strong culture at four different levels within the organization, following a different approach to each one. Consult the executive level to gain a picture of security, streamline investments with business leaders to ensure security "buy-in", contact employees to build a consistently high level of awareness and expand your approach by building trust with external stakeholders.
- Design transformational security awareness initiatives. Beyond making stakeholders aware of security, you have to fight to make them really behave securely. To do this, your initiatives must influence stakeholders and motivate them to behave securely. Consider design principles when creating transformational security awareness initiatives.
- Start by improving the culture and influence of your own security team. The biggest obstacle to the efforts of security leaders today is the image of security itself. So transform the culture of your own group. Hire people with good people-centric skills. This is something that is missing not only from your organization but also from cybersecurity in general.
Source of information: zdnet.com