Posted: 11 Aug. 2020 4 min. read

Embedding security into our employees’ DNA

In our previous blog we emphasised the importance of developing a strong security culture and increasing people’s awareness of their security responsibilities. Training and awareness campaigns are integral in keeping employees informed and engaged. However, we’ve observed that these are not always designed to enable a true cultural shift. 

Organisations often have fragmented, compliance-focused training activities, which have a limited impact on changing staff behaviours. Research by the Centre for the Protection of National Infrastructure (CPNI) suggests that multiple interrelated factors need to be considered when attempting to change an organisation's security culture.

At Deloitte, we follow a set of key principles which ensure organisations have comprehensive and practical solutions to embed security behaviours that create a sustainable environment for improved security culture.

Language is everything

Before embarking on a change programme, it is critical that an organisation is clear on how to communicate the desired security behaviours and outcomes to its target audiences. Segmentation exercises, based on differing responsibilities and threat profiles, help us develop bespoke language for a variety of audiences, to better initiate and influence behavioural change within an organisation. Ultimately, the more people understand the vision and buy into it, the more successful the change programme will be.

Make your audience feel valued

The audience needs to understand the threats affecting their organisation and the role they themselves play in protecting its assets. Employees who are aware and committed will naturally take responsibility for security. It is important that the audience does not leave with the "it is security's job, not mine" attitude.

Our brains like stories, especially if they can be linked to our personal lives

People like to relate to, and become invested in, characters and a plot. If used correctly, storytelling is a powerful technique to drive behavioural change. An audience will reflect the emotions of the characters and ultimately mimic some of the desired behaviours. Storytelling is therefore a good technique to help embed sustained behavioural change, not just at home but in the workplace too.

Head, heart, eyes and hands: a pattern for behavioural change

When designing a security awareness programme we try to make employees aware of good security practices (eyes), help them relate this to their day-to-day activities (head), get them committed to change (heart), and then help them repeatedly apply this in their role (hands). Finally, we tie stories to personal lives as well as corporate ones, helping the audience clearly understand the risks at stake. We have found that security habits developed outside of the office will follow staff into the workplace. Ultimately, the head decides on our behaviours but the heart commits.

Specific examples of incidents affecting your own organisation will help bring the audience closer to the real impact those events had and how people behaved at the time. Personal stories help employees commit key messages to the 'heart'.

Not all people learn in the same way

We realise that every organisation and every audience is different when it comes to learning. We believe that a human-centred approach to security, using high impact interventions, can accelerate positive security culture change.

What does your organisation do to develop and embed sustained behavioural change? Please contact us if you'd like to discuss further.

Key contacts

Agnieszka Eile

Director

Agnieszka is a Director in the Risk Advisory practice, where she focuses on Cyber, Digital & Data risk. She works predominantly with Financial Services clients, including banking and capital markets, and private wealth management. She has over 13 years of experience advising organisations on non-financial risk management. Specifically, she helps clients evaluate the maturity of their technology and cyber security risk and control functions; design, develop and implement risk and controls management frameworks; and enhance organisations’ overall risk management culture. Agnieszka has led and delivered several information security risk and controls assessments, internal audits, maturity reviews and regulatory reviews for organisations across a range of industries and sectors, helping national and global companies prepare for and respond to known and unforeseen risk events.

William Eden

Senior Consultant

Will works within the Cyber Risk Services team and has five years' experience as an Information Security Consultant. He has a Master's from Royal Holloway in Information Security, a course which is certified by GCHQ. Will has experience in corporate security and specialises in culture, training and awareness. Before joining Deloitte this year, he developed and ran the security training and awareness programme for a FTSE 100 company for four years. Will has a passion for changing staff behaviours by embedding security sustainably and creating a living, breathing culture of security.