Security leaders are working hard to stave off unidentified attacks that can slow down businesses. Despite their efforts, businesses continue to lack a strong security posture. KnowBe4’s annual security culture report finds that all industries, including more advanced ones such as BFSI and technology, score poorly in cybersecurity practices, underscoring how organizations need to do more to step out of the bull’s eye and defend against targeted cyberattacks. Another unsettling finding: there is no clear consensus on the definition of security culture.
It is hard to nail down an organization’s security culture when a majority of its executives don’t agree on what the term actually means. Nevertheless, KnowBe4’s 2020 Security Culture study attempts to do just that.
Around 94% of respondents, across security and managerial roles, agree that security culture is an important aspect of not just an organization’s cyber health, but also business success (49%), business integrity (43%), and a sense of customer security (41%). In spite of the importance the term holds, 92% of organizations still experienced security incidents.
Kai Roer, Managing Director, CLTRe (a KnowBe4 security culture research company) and the author of the report, says, “As someone who has built an entire organization based on security culture, I can appreciate many of the facets of building and maintaining a successful security culture within an organization.”
So, where is the disconnect?
Problem With Security: Execs Have Varying Definitions
Industry leaders and decision makers gave 758 unique definitions of security culture, which were further condensed into five major categories. The report revealed the following to be the top categories:
- Compliance with security policies (29%)
- Awareness & understanding of security issues (24%)
- A shared responsibility across the organization (22%)
- Advocacy and support (14%)
- Security embedded in the organization (12%)
This indicates a lack of understanding of the term, which probably harms an organization’s security posture.
“Security culture needs to be defined in a way that makes it easy to understand, easy to measure and easy to manage. By defining security culture as the ideas, customs and social behaviors of an organization that influence their security, it becomes clear that security culture is closely linked to culture. To work with culture, we must first understand it. It should be clear that to measure and manage culture, we need to apply other tools, techniques, and practices than traditional security controls,” explained Roer.
How KnowBe4 Evaluated Industries for Security Culture
Further, KnowBe4 split the quantification of the security strengths and weaknesses of individuals, organizations, industry sectors, regions, etc. across seven dimensions. These are:

| Dimension | Description |
|---|---|
| Attitudes | The feelings and beliefs that employees have toward the security protocols and issues |
| Behavior | The actions and activities of employees that have a direct or indirect impact on the security of the organization |
| Cognition | Employees’ understanding, knowledge, and awareness of security issues and activities |
| Communication | The quality of communication channels to discuss security-related topics, promote a sense of belonging, and provide support for security issues and incident reporting |
| Compliance | The knowledge of written security policies and the extent to which employees follow them |
| Norms | The knowledge of and adherence to unwritten rules of conduct in the organization |
| Responsibilities | How employees perceive their role as a critical factor in sustaining or endangering the security of the organization |

Roer explained in an interview, “Security culture is the attitude, the behaviors, the cognition, the communication, compliance, norms, and responsibilities of people in a group and how they work with these different things.”
The security firm then indexed the aggregated scores of organizations between 0-100 using a proprietary statistical algorithm.
Traditional Industries Fail to Value Security
The industry-wise gap in security cultures is apparent from these scores.
With a mean and median score of 73, the study revealed an underwhelming security culture for almost all industries. The top performers are Banking (76), Financial Services (76), Insurance (75), and Technology (75), while the laggards include Transportation (70), Energy & Utilities (71), and Education (68).

Industry-wise security culture scores (only the entries recoverable from the report’s table and the figures above are listed; one industry scoring 75 could not be attributed):

| Industry | Score |
|---|---|
| Healthcare & Pharmaceuticals | 74 |
| Not for Profit | 72 |
| Retail & Wholesale | 71 |
| Energy & Utilities | 71 |
| Education | 68 |

As is evident, industries relying on knowledge workers have scored the highest compared to those with traditional roles, with the exception of Education. Banking, the top-scoring industry, still falls in the moderate category, which means there is room for improvement.
Overall, 92% of organizations across all industries studied scored in the moderate range for security culture. Only 7% managed to score ‘good’, i.e., between 80 and 89.
Distribution of Organizations According to Their Security Culture Score
Roer further added, “This study has shown us that a strong security culture is a business priority that leaders are still working to accurately define. Perhaps the most surprising finding from the study was that business principles, not risk mitigation, are the main motivation for building a strong security culture.”
KnowBe4’s study is based on data collated from 120,050 employees in 1,107 organizations across 24 countries and 17 industry sectors.