I am thrilled to introduce my most recent report, ‘Instill a Security Culture by Elevating Communication’. This is an update of my 2011 report “How To Market Security To Gain Influence And Secure Budget’. A different time called for a completely revamped report (read on to see what’s changed). To me, this always has been and remains a very personal topic and one which I’m very passionate about – people and culture are at the heart of what makes or breaks security.
This report is designed to guide CISOs and their teams as they traverse through the murky and often challenging waters of creating an engaging and binding security culture.
When we speak about security culture, people often jump to discussing traditional and often perfunctory one-off security awareness programs. These are not enough! Let’s up the ante and transform the security culture up, down and across the organization. Let’s create a hearts and minds engagement around the topic of security.
I was really interested to see what has changed during the 7 years since my initial report, and for those who do not yet have access, I want to share some key take-aways:
- In 2018, only 19% of global security decision makers said that a lack of visibility and influence within their organization is one of their biggest security challenges, down from 51% in 2010. This led me to ask the question “Have we nailed security communications”? As one peer kindly responded: “Nailed it? More like we put a nail in our own coffin”. The answer is a firm no!
- The title of the 2011 report contained ”Marketing”. This now feels so one-way. This led me to change the title and many of the themes entirely.
- In 2018, customers expect so much more from security than they did in 2014. We see a big need for us to instill a security culture, engage and influence outside of organisations as well as within. This was touched on in 2010, and has come through as a definite theme in the 2018 research.
- We STILL need to move away from instructional compliance. There is growing recognition that we need to engage not only the minds, but the hearts of our constituents, otherwise we will fail to get true buy-in. To do this, we need to be ridiculously relevant and at times, lighthearted.
In conclusion: culture change is a journey, not a miracle. So, be patient and above all, continue to evolve – these are not the times to rest on our laurels.
I would like to add my thanks to my Research Associate Seles Sebastin for co-authoring this blog with me.
As a follow-on to my most recent report I will be publishing a best practices report to showcase tangible examples security leaders can implement. Watch this space!!