Creating a security culture

The security culture in companies has itself undergone a culture change. “Only a few years ago, companies were implementing awareness measures purely for compliance reasons,” recalls Marcus Beyer, Head of Security Awareness at Swisscom. This required employees to complete an annual awareness training. Proof of completion was often sufficient to meet certification requirements. Such an approach has a minimal impact on a company’s long-term protection, however.

To achieve the desired maturity and have a genuine impact on day-to-day business, both awareness experts rely on a wide range of different measures throughout the year. “In general, we use a number of different, ideally interactive, channels to provide information: training in the form of e-learning, lunch and learns, live streams, a blog and the occasional security escape room,” explains Monika Geitlinger.

Marcus Beyer uses similar formats. In the phishing awareness training, he had positive experience with gamification, with points up for grabs for every phishing e-mail identified. “The employees found it cool,” he asserts.

Marcus Beyer is also responsible for an Intranet video series in which he provides regular profiles of diverse cybersecurity professionals. “Employees want to know who is protecting us,” he explains. "And they also follow the example of the people presented, which itself helps to improve cybersecurity.

Monika Geitlinger too has seen the benefits of making cybersecurity more personal. “Employees now come up to us in the coffee room, for example, which can lead to some interesting discussions.” And ultimately has an observable impact on the security awareness of employees.

Of course, even the best phishing awareness training does not provide absolute protection against being scammed. Such a situation calls for both technical protective measures and cybersecurity professionals. It is therefore all the more important that employees report suspicious incidents and errors of judgement. Such information makes incident response much easier and helps to avoid major damage.

It is important to have an error culture where employees are encouraged to report such incidents. “An active error culture is enormously important to us. It is vital that our employees report incidents, even after the fact,” explains Monika Geitlinger. Taking away employees’ fear of this is integral to the security culture. Marcus Beyer echoes this: “Employees should feel able to report incidents without fear or a guilty conscience because they know that they are helping themselves and the company.”

Developing a security culture is an ongoing process, as Monika Geitlinger explains: “Cybercriminals are constantly finding new ways to exploit weaknesses in our systems and new avenues of attack. This means that our task is never truly complete as the landscape is constantly changing. We thus need to continue to adapt our efforts in the future to make sure we don’t lose ground.”

It is important that employees from all areas of a company are involved, and that appropriate action is taken to accommodate any new developments in the company, as Geitlinger continues: “With the digital transformation, companies may suddenly employ software developers. Awareness training is thus vital from the outset to ensure that these employees take cybersecurity into account even from the code writing stage.” An awareness programme may also involve IT professionals and focus on topics such as the secure configuration of systems and cloud platforms; something that is becoming increasingly important with hybrid and increasingly complex environments.

This culture change in a company’s security culture is not complete once a certain maturity level is reached. The work of Monika Geitlinger and Marcus Beyer is therefore never done.