Why I’m no longer an advocate for culture change as the silver bullet to security.


For many years I have spruiked culture change as the key to reducing security risk. I made it my thing, requiring my teams across my career to ensure they had comms plans and event days, quirky videos and mouse mats with catchy security phrases on them. I even won a regional award for having a cyber strategy that was built on a foundation of culture change.  But I’ve come to realise that culture change isn’t the key after all.  Teaching staff about the benefits of security and what’s in it for them often only reminds those that were on board to begin with.  Those that are just trying to get their job done will still accidentally click on bad links in a rush to get through their email, transfer information to their Gmail to get work done at 11pm from home and sign up to any number of SaaS providers in the hope it will increase their efficiency in an ever-busier world.

I used to think that if we just talked to people often about their role in securing the organisation and showed them that data breaches were possible, we would all nod in violent agreement and join together in a call to arms.  But CIOs, CEOs and boards are investing loads of money and time into education strategies for a workforce who simply cannot see ‘what’s in it for them’ and so pay little attention to what is being asked of them.

I used to say that security culture needed constant nurturing.  I used to say we need more than posters by the coffee machine and annual compliance training.  If you have worked with me, you would know I love a persistent, 12-month rolling ‘comms’ schedule with creative ways to beat the security drum. But in almost twenty years in the industry people haven’t changed no matter how convincing passionate security staff are at a ‘lunch and learn’.  And while the security team try new ways to bring staff into the light, risky shadow IT has become harder to manage, phishing and whaling efforts have become more convincing and data breaches are not-if-but-when.

So.  I’m not suggesting we stop all this communication, event planning and culture change activity.  But what I am suggesting is that we might need to start to consider a little more carrot and stick from the top. Simply educating doesn’t create widespread behaviour change – employees need to have some skin in the game.  What if you put your money where your mouth is and handed out bonuses for exhibiting great security behaviour?  On the flip side, what if we actually disciplined someone if they breached the security policy?  You might say that seems severe and a little over the top. But aren’t we at the point where we need a little more incentive for staff to even read the policy (so they know the penalties and the benefits), let alone take responsibility for their insecure activities?

In a world where security salaries are increasing to pay for the fact they are the ones being held to account, and not the business, more and more investment will be needed anyway.  And in a world where micropayments are being used in other industries for behaviour change (think power companies paying you to turn off your air conditioner in peak times and micro-investment companies making you money off your spare change), these small rewards can change behaviour and make a difference.

Would your organisation consider rewards and punishments when it comes to security behaviour change?