
Understanding the Shift in Cybersecurity Risks
In the world of cybersecurity, organizations are awakening to a critical realization: modern tools and technologies alone cannot shield them from cyber threats. As the complexity of tech stacks increases, so do the tactics used by cyber attackers. Rather than targeting only infrastructure vulnerabilities, many now focus on exploiting human behavior; some would say the true vulnerability lies with the people using these systems.
Data corroborates this shift. For the past five years, Verizon’s Data Breach Investigations Report has highlighted that human risk is the primary cause of breaches worldwide. In fact, their most recent report indicates that almost 60% of breaches in 2024 involved some aspect of human error. However, it’s essential to dispel a common misconception: the notion that “people are the weakest link” suggests that employees bear the blame when breaches occur. In reality, users are often struggling against a security environment that is overly complicated.
The Complexity of Security Protocols
The issue isn’t necessarily that employees are disregarding security protocols. Instead, the security frameworks they’re expected to navigate are frequently too complex or confusing. Policies appear more tailored for auditors than for the people who need to implement them daily. This misalignment can lead to frustration and errors from employees simply trying to do their jobs.
To better manage this human risk, organizations must prioritize establishing a supportive security culture rather than relying solely on technology or stringent policy enforcement. Creating an environment conducive to secure human behavior is key. In short, until organizations invest in their security culture with the same seriousness as they invest in their technical solutions, human risk will continue to undermine even the most robust cybersecurity measures.
What Is Security Culture?
Every organization inherently possesses some form of security culture. The pressing question is whether it aligns with the security culture they aspire to achieve.
Security culture refers to the shared attitudes, perceptions, and beliefs about cybersecurity that exist throughout an organization. Do employees recognize the importance of security? Do they feel a personal responsibility? More critically, do they view themselves as targets? When security beliefs are ingrained, positive behaviors typically follow. Conversely, when these beliefs are lacking—such as viewing security as someone else’s responsibility or an impediment to productivity—the risk level rises significantly.
The challenge often lies not in apathy towards security but rather in its failure to mesh seamlessly with daily work routines. When security practices are viewed as additional burdens rather than integral parts of daily operations, employees may default to unsafe behaviors out of convenience. Therefore, it becomes crucial to foster an environment that encourages secure actions by integrating security into the fabric of organizational processes.
Key Drivers of Security Culture
To forge a robust security culture, it’s vital to assess four primary drivers:
1. **Leadership Signals**: The tone is set at the top. If leaders treat security as a non-negotiable priority, through appropriate budgeting, tying accountability to bonuses, and elevating security officers in the company hierarchy, that priority will resonate throughout the organization.
2. **Security Team Engagement**: The culture is also shaped by the security team’s approach to everyday interactions. Whether they are perceived as supportive or obstructive can largely influence employee attitudes towards security.
3. **Policy Design**: Policies are the backbone of security culture, but if they’re overly complex or convoluted, they can erode trust. Simple, clear, and intuitive guidelines encourage adherence.
4. **Security Training**: Training is often the most visible, yet most frequently misunderstood, aspect of security culture. Training that is dull or irrelevant sends the message that security lacks significance. Conversely, engaging and relatable training reinforces the notion that security is part of everyone's daily responsibilities.
By examining employee feedback on these areas, organizations can gauge whether their security culture is genuinely effective or counterproductive.
Aligning Security Culture With Everyday Practices
While leadership support is vital for establishing a strong security culture, the essence of that culture is solidified by employees’ daily experiences. If what employees encounter in their roles conflicts with leadership messaging, the overall atmosphere around security suffers.
It’s crucial that all four cultural levers—leadership, team engagement, policies, and training—align cohesively. If leaders prioritize security through proper resourcing and accountability, this should be reflected in the day-to-day experiences employees have. Employees who feel they are punished for mistakes or ignored when seeking help are less likely to become proactive defenders of security within the organization.
Policy simplicity matters significantly. Long, technical guidelines can lead employees to choose convenience over compliance, heightening risk. In contrast, when policies are easy to understand and follow, secure practices can be integrated more naturally into everyday procedures.
Operationalizing Security Culture
For those interested in actively enriching their organizational security culture, consider attending the upcoming **SANS Orlando Fall 2025** event, where participants will have the opportunity to engage with the refined **LDR521: Security Culture for Leaders** course. This program offers a structured approach to evaluating current security culture, identifying potential areas for enhancement, and nurturing an environment where secure behaviors become second nature. Enroll to gain practical insights, real-world examples, and a definitive playbook geared towards leadership application.
Register for SANS Orlando Fall 2025 here.
Note: This article is based on the contributions of Lance Spitzner, Senior Instructor with the SANS Institute. You can learn more about his professional background and experience in the field.