Security Behavior and Culture Programs: Adoption Strategies

About this report

Data collection: May 15 - Jul 31, 2023

Respondents: 149 IT and information security leaders involved in their organization’s SBCP

Security behavior and culture programs (SBCPs) offer a holistic approach to risk reduction. How are leaders using SBCPs to drive security consciousness and what progress have they made so far?

One minute insights:

  • The majority of respondent organizations are in the process of implementing their SBCP
  • Most surveyed leaders say their SBCP communications are or will be integrated into existing workflows
  • Respondents find it harder to win leadership’s support for an SBCP compared to a security awareness and training program
  • Skills gaps within IT/security are a common challenge when designing an SBCP

Most respondent organizations do not yet have fully operational SBCPs

Only 13% of respondent organizations have a fully operational SBCP, while the vast majority are still in the design (31%) or implementation stages (56%).

Which of the following statements best describes your organization’s SBCP?

While SBCP components vary among respondent organizations, the majority of surveyed leaders include or plan to include rewards for reporting incidents (48%), internal reporting to show program impact (47%), or reference materials like checklists or guidelines (46%).

Which of the following components are or will be part of your organization’s SBCP? Select all that apply.

n = 149

Remaining components (chart data):

  • Escalating warnings or penalties for repeat insecure behavior: 27%
  • Clear brand for the security function: 26%
  • Policy reviews based on violations or exemption requests: 20%
  • Working groups or communities of practice: 18%
  • Security champions within each team or function: 17%
  • Feedback sessions: 17%
  • Workshops on making informed tradeoffs between risk and efficiency: 16%
  • Can not say: 1%
  • Not applicable: 1%
  • Don’t know: 0%
  • Other: 0%

Question: Do you have any final thoughts to share on your organization’s SBCP?

We have designed a ‘fit for purpose’ plan that seems to be working.

VP, real estate industry, 5,000 - 10,000 employees

An SBCP is core to running our organization effectively, as well as running it on trust. If our systems can’t be trusted, then it’s tough for us to sell cloud services to customers. We have annual SBCP training that all employees must undergo. We are continually refining it based upon best practices and the latest in cyber threats to improve posture and messaging.

C-suite, software industry, 10,000+ employees

The majority of surveyed leaders say their organization’s SBCP strategy includes personalized engagement

Threat simulations (56%) and automation (50%) are the most commonly reported technical capabilities that respondent organizations use or plan to use for their SBCP.

Many surveyed leaders also count data analytics (47%) and security monitoring tools other than user/entity behavior analytics (42%) among their SBCP’s technical capabilities.

What technical capabilities are or will be part of your organization’s SBCP? Select all that apply.

n = 149

Remaining technical capabilities (chart data):

  • Nudges: 32%
  • Gamification: 31%
  • Data integrations: 27%
  • Tools to improve user experience (e.g., password manager): 26%
  • Can not say: 2%
  • Don’t know: 0%
  • Not applicable: 0%
  • Other: 0%

57% of respondents say their organization’s SBCP communications strategy includes personalized engagement, and half (50%) note that communications are or will be integrated into existing workflows.

What communications strategies does your organization’s SBCP use or plan to use? Select all that apply.

n = 149

Remaining communications strategies (chart data):

  • Newsletters or flyers: 30%
  • Cybersecurity road shows: 22%
  • Destination postcard: 20%
  • Dedicated page(s) on company website: 19%
  • Can not say: 1%
  • Not applicable: 1%
  • Don’t know: 0%
  • Other: 0%

Most respondents (56%) indicate that functional leaders outside of IT/security currently contribute, or will contribute, to their organization’s SBCP by guiding employees on how to apply cybersecurity policies.

53% note that other functional leaders currently contribute, or plan to contribute, by providing input on cybersecurity policies, materials or campaigns, or by tracking and reporting employee progress on simulation tests.

How does your organization involve or plan to involve functional leaders outside of IT/security in your SBCP? Select all that apply.

Remaining forms of involvement (chart data):

  • Recognize their employees for demonstrating secure behavior: 24%
  • Share employee feedback on SBCP initiatives: 22%
  • Proactively inform security when certain access rights are no longer needed: 19%
  • Integrate secure behavior metrics into performance reviews: 15%
  • Grant certain security exceptions (e.g., access to blocked websites): 13%
  • Can not say: 1%
  • Don’t know: 0%
  • Not applicable: 0%
  • Other: 0%

Question: Do you have any final thoughts to share on your organization’s SBCP?

We really are building out our strategy with smart metrics and punchy content and perhaps bringing in an entertaining outsider.

C-suite, finance industry, 1,000 - 5,000 employees

It’s worth doing, and incentives for employees that demonstrate good data hygiene are a good idea.

Director, healthcare industry, 10,000+ employees

Executive buy-in and skills gaps in IT/security are common challenges for respondent organizations adopting SBCPs

From your perspective, has it been more or less difficult to gain executive buy-in for your organization’s SBCP compared to its existing security awareness and training program?

Over two-thirds (68%) of surveyed leaders have found it more difficult to obtain executive buy-in for their organization’s SBCP in comparison to their existing security awareness and training program, although just a few say it’s been significantly more difficult (4%).

n = 149

Note: May not add up to 100% due to rounding

55% of respondents report that their organization has had difficulty adapting SBCP materials for various levels of technical proficiency, and many struggle with skills gaps among IT/security leadership or staff (45%).

What challenges has your organization encountered in designing its SBCP? Select all that apply.

What challenges has your organization encountered in designing its SBCP? Select all that apply.

n = 149

Remaining challenges (chart data):

  • Insufficient budget: 26%
  • Difficulty sourcing third-party experts: 19%
  • Worker privacy regulations: 17%
  • Security function lacks credibility with the organization: 15%
  • Other*: 1%
  • Can not say: 1%
  • Don’t know: 0%
  • Not applicable: 0%

*Other includes: Insufficient staffing

Question: Do you have any final thoughts to share on your organization’s SBCP?

A lot of the heavy lifting is in designing bespoke content suitable for our organization.

C-suite, professional services industry, <1,000 employees

Focus will be on aligning with appropriate communications.

Director, healthcare industry, 10,000+ employees

Want more insights like this from leaders like yourself?

Click here to explore the revamped, retooled and reimagined Gartner Peer Community. You'll get access to synthesized insights and engaging discussions from a community of your peers.

Respondent Breakdown

Note: May not add up to 100% due to rounding

Respondents: 149 IT and information security leaders involved in their organization’s SBCP