Measuring Cybersecurity Culture: Is your culture where it needs to be?
When you want to know how well any area of your business is doing, you measure it. Sales. Growth. Staff retention. Customer satisfaction. The sales director doesn’t guess whether they’ve met quarterly goals. The head of HR doesn’t speculate about hiring numbers. They reach for a tool, generate a report, and produce quantifiable, actionable results.
The state of your organization’s cybersecurity culture shouldn’t be any different. And yet it is. With tools like phishing simulations, awareness training, and brown bag sessions, you can teach employees what to look out for and show them what to do when they suspect a problem. But do you know how employees will act when they’re on their own?
Whether you measure it or not, your organization has a cybersecurity culture—the company-wide attitudes and behaviors around cybersecurity. Can employees recognize a risk, and do they know what to do about it? Or are they too cautious, or too careless?
What you need to know is this: when something questionable happens, will your non-security employees help you or hurt you? Will your cybersecurity culture keep you safe, or land you in the news? And when something does happen, will you be able to show that you assessed the risk and acted diligently?
Measuring Culture with Surveys
Penetration tests find gaps in your defenses. Vulnerability scanners identify weaknesses in applications and systems. SIEMs collect and analyze activity for signs of compromise. Each is an example of how much security depends on measurement.
But cybersecurity isn't only about technology. It's also about the people who use it: their knowledge, their motivations, and what they actually do. People matter so much in security that, if there is only one place you can spend, the argument here is that employee engagement returns more than any single technology you can deploy.
So how do you get a true baseline of your cybersecurity culture? Measure your people and your program, not just your technology. An employee survey can be highly effective without being overly complex.
If your security awareness vendor's product includes a pre-canned survey, be careful. Meaningful measurement requires a measured approach. Every organization, including yours, is unique, and to understand how employees have received your existing program you will need to ask questions specific to it: your reporting channels, your tools, your training.
Here are a few things to consider when planning for a survey about your security culture.
1. Get buy-in
Like any major initiative, getting everyone on board is essential. Employees need to know cybersecurity is a priority. If they catch a whiff of indifference from leadership, the only thing they’ll do when they see your survey is roll their eyes.
Once you have leadership support, introduce the survey to the whole company, ideally at an all-hands meeting, or failing that in a company-wide email. Emphasize the importance of open, honest answers, and make that credible by collecting responses anonymously and saying so. Let employees know you're not testing or judging them; you're measuring the organization as a whole. You're assessing the security program, not the people.
2. Build and deploy your survey
Don’t just ask people how they feel about security. Sentiment is important, but your goal is measuring awareness, adoption, and user experience of your existing security processes. This includes anything from casual interactions with your security team to formal tools and programs.
Pose your questions carefully. Remove any fear of getting in trouble for a "wrong" answer. Never phrase questions in a way that tries to trick people into honesty; they'll see right through it. The survey should signal that employees can tell you anything. Remember, you're measuring the security team's effectiveness here, not theirs.
Ask about real, measurable experiences, not just feelings. "Have you ever reported a suspicious email, and did you get a response?" tells you far more than "Do you feel secure?" And keep it short. The last thing you want is people clicking through to the end without reading the questions.
3. Turn results into action
Seeing the results is the fun part. Do employees know how to report a suspicious email or incident? Do they use the phishing button but never hear back about what they submitted? Answers like these show you exactly where your program is breaking down, and an unanswered report button is a gap worth closing quickly: people stop reporting when nothing comes back.
Use results like these to build an action plan that closes the gaps and strengthens your cybersecurity culture. Share the results together with the action plan with your executive team. It shows them what is coming, and the written record of findings and remediation is also the evidence of diligence you will want if something does go wrong. Management teams value direct employee feedback.
4. Make sustainable change
The first, and most important, step in improving your security posture is improving the culture. It raises awareness, strengthens adherence to policy, and encourages employees to participate in new ways, such as representing their department or team as a security ambassador. Repeat the survey on a regular cadence, after your action plan has had time to take effect, so that you can see whether the changes worked rather than assume they did.
Mike Hanley, CSO at GitHub, has seen the value of a strong security culture first-hand. In a recent episode of the Defense In Depth podcast, he states, “The whole security team—which is really the entire employee base… gives you just such a broad and robust sensor network. It’s better than any tool that you can buy.” To get to that place, you’ve got to start with measurement.
Whether you're ready to dive in on your own or prefer to bring in a partner to guide you, measuring your cybersecurity culture is a valuable step toward securing your organization.