The industry benchmarks for security culture reveal how specific industries stand apart in terms of their security culture maturity and how different measures are needed to address their unique cultural issues if they are to successfully and effectively improve security. Using a standard of measurement for identifying the needs of the different workforce segments makes it possible for organizations to differentiate their communication and training content accordingly.
In a post published last week, I explored how some of our finance-sector customers used the data collected from their security culture measurement to better understand the needs of their employees. They created target audiences, in other words, segmented their workforce, based on what they learned of their different perceptions and understanding of security, to adapt their security culture program. As a result, the Fund Management company was able to document a decrease in risky behaviors of up to 16.7% (from 63 to 73.5) in one year. Other noticeably felt cultural changes included a 17-point increase in individuals’ sense of responsibility towards security.
Since 2016, CLTRe has measured security culture across tens of thousands of employees, and each year it publishes its findings in an annual Security Culture Report. Large sample data collection using the CLTRe Toolkit enables us to study how security-related attitudes, behaviors, and social norms vary within organizations and also across borders and different industry sectors. With the insights gathered from our survey-based tool, an organization is able to take an evidence-based approach and plan measures that directly address the weaknesses identified.
That first measurement creates a baseline from which effectiveness can be measured. Having a starting point metric (a baseline) for each segment enables organizations to track progress and to gain a detailed understanding of what makes that particular segment different from the others and how it should be treated. Subsequent measurements record how the security culture of these segments changes so that progress can be tracked and demonstrated. By taking an evidence-based approach, organizational measures to build security culture are significantly more effective.
This is how organizations learn whether their security culture strategy is effective and can compare their results against their industry benchmark as a measure of their success. Last year’s industry benchmarks (published in CLTRe’s 2018 Security Culture Report) revealed how the Retail and Wholesale Trade sector, for example, stands out in terms of its security culture maturity. Different measures are needed to address its unique cultural issues if it is to successfully and effectively improve security.
With a score 14 points below the global standard (60), this sector scores worse on the Behaviors dimension than all the other sectors included in the study. On the other hand, the above-average scores for Attitudes, Cognition and Compliance indicate that employees within the Trade sector have a higher-than-average understanding of security and how it relates to their own role in their organization, as well as being more positive towards, and adherent to, the organizational measures put in place to protect them and the security of information.
A major challenge in the retail sector can be high employee turnover. To improve the security culture transformation, whilst minimizing cost, a clear strategy with a strong focus on segmenting the workforce based on roles and positions and their exposure to cybersecurity risks is needed. The 2018 Trade Industry Benchmark shows why this sector requires dramatic changes to how it assesses, monitors, educates and changes its employees’ behavior.