Security Behavior and Culture Programs: Adoption Strategies
Security behavior and culture programs (SBCPs) offer a holistic approach to risk reduction. How are leaders using SBCPs to drive security consciousness and what progress have they made so far?
One-minute insights:
- The majority of respondent organizations are in the process of implementing their SBCP
- Most surveyed leaders say their SBCP communications are or will be integrated into existing workflows
- Respondents find it harder to win leadership’s support for an SBCP compared to a security awareness and training program
- Skills gaps within IT/security are a common challenge when designing an SBCP
Most respondent organizations do not yet have fully operational SBCPs
Only 13% of respondent organizations have a fully operational SBCP, while the vast majority are still in the design (31%) or implementation (56%) stages.
While SBCP components vary among respondent organizations, the majority of surveyed leaders include or plan to include rewards for reporting incidents (48%), internal reporting to show program impact (47%), or reference materials like checklists or guidelines (46%).
Question: Do you have any final thoughts to share on your organization’s SBCP?
We have designed a ‘fit for purpose’ plan that seems to be working.
An SBCP is core to running our organization effectively, as well as running it on trust. If our systems can’t be trusted, then it’s tough for us to sell cloud services to customers. We have annual SBCP training that all employees must undergo. We are continually refining it based upon best practices and the latest in cyber threats to improve posture and messaging.
The majority of surveyed leaders say their organization’s SBCP strategy includes personalized engagement
Threat simulations (56%) and automation (50%) are the most commonly reported technical capabilities that respondent organizations use or plan to use for their SBCP.
And many surveyed leaders count data analytics (47%) and security monitoring tools other than user/entity behavior analytics (42%) among their SBCP’s technical capabilities.
57% of respondents say their organization’s SBCP communications strategy includes personalized engagement, and half (50%) note that communications are or will be integrated into existing workflows.
Most respondents (56%) indicate that functional leaders outside of IT/security currently contribute, or will contribute, to their organization’s SBCP by guiding employees on how to apply cybersecurity policies.
53% note that other functional leaders currently contribute, or plan to contribute, by providing input on cybersecurity policies, materials or campaigns, or by tracking and reporting employee progress on simulation tests.
Question: Do you have any final thoughts to share on your organization’s SBCP?
We really are building out our strategy with smart metrics and punchy content and perhaps bringing in an entertaining outsider.
It’s worth doing, and incentives for employees that demonstrate good data hygiene are a good idea.
Executive buy-in and skills gaps in IT/security are common challenges for respondent organizations adopting SBCPs
55% of respondents report that their organization has had difficulty adapting SBCP materials for various levels of technical proficiency, and many struggle with skills gaps among IT/security leadership or staff (45%).
Question: Do you have any final thoughts to share on your organization’s SBCP?
A lot of the heavy lifting is in designing bespoke content suitable for our organization.
Focus will be on aligning with appropriate communications.