I am thrilled to introduce my most recent report, Instill A Security Culture By Elevating Communication. This is an update of my 2011 report How To Market Security To Gain Influence And Secure Budget. A different time called for a completely revamped report. (Read on to see what’s changed.) To me, this always has been and remains a very personal topic and one that I’m very passionate about: People and culture are at the heart of what makes or breaks security.

This report is designed to guide CISOs and their teams as they traverse through the murky and often challenging waters of creating an engaging and binding security culture.

When we speak about security culture, people often jump to discussing traditional and often perfunctory one-off security awareness programs. These are not enough! Let’s up the ante and transform the security culture up, down, and across the organization. Let’s create a hearts-and-minds engagement around the topic of security.

I was really interested to see what has changed during the seven years since my initial report. For those who do not yet have access, I want to share some key takeaways:

  • In 2018, only 19% of global security decision makers said that a lack of visibility and influence within their organization is one of their biggest security challenges, down from 51% in 2010. This led me to ask the question: “Have we nailed security communications?” As one peer kindly responded: “Nailed it? More like we put a nail in our own coffin.” The answer is a firm no!
  • The title of the 2011 report contained the word “market.” This now feels so one-way. This led me to change the title and many of the themes entirely.
  • In 2018, customers expect so much more from security than they did in 2011. We see a big need for us to instill a security culture and engage and influence outside of organizations as well as within. I touched on this in 2010; it has come through as a definite theme in the 2018 research.
  • We still need to move away from instructional compliance. There is growing recognition that we need to engage not only the minds but also the hearts of our constituents; otherwise, we will fail to get true buy-in. To do this, we need to be ridiculously relevant and, at times, lighthearted.

In conclusion: Culture change is a journey, not a miracle, so be patient, and above all, continue to evolve — these are not the times to rest on our laurels.

I would like to add my thanks to my research associate, Seles Sebastin, for coauthoring this blog with me.

As a follow-on to my most recent report, I will be publishing a best practices report to showcase tangible examples security leaders can implement. Watch this space!!