Written and compiled by IRM Cyber Group member, Holly-Jane Grayling.

As a Cyber Security Culture and Awareness Specialist, I’ve seen first-hand how crucial a strong security posture is in today’s interconnected world. But building a truly cyber-aware culture—one where every employee feels empowered to act as a first line of defence—is where the real challenge lies.

It’s no longer enough to have policies or deliver an annual training session. Organisations need to foster a proactive and engaged workforce that understands the importance of cybersecurity and actively participates in mitigating risks. And that’s where Culture and Awareness come in—it’s the new front door to cybersecurity. Instead of only interacting with security when they’ve done something wrong, employees need a safe and approachable space to learn, ask questions, and report concerns without fear of blame.

Getting Executive Buy-In: It Starts at the Top

Before diving into strategies, it’s crucial to have leadership on board. Here’s how to get executive buy-in for your awareness initiatives:

  • Highlight the ROI of Awareness: Quantify the potential cost savings of preventing security incidents through a more aware workforce. To complement your own data, include relevant and recent statistics from reputable sources.
  • Paint a Picture of the Threat Landscape: Present real-world examples of cyberattacks targeting your business and those in your industry, emphasising the potential impact on your organisation.
  • Showcase Success Stories: Share examples of how other organisations have benefited from strong cybersecurity cultures. This not only demonstrates the value of your efforts but can also enhance your organisation’s reputation in the eyes of customers and partners. In today’s risk-conscious environment, demonstrating a commitment to cybersecurity can be a key differentiator.

Building a Cyber Aware Culture: Strategies for Success

Ready to cultivate a culture of security awareness? Here are key strategies for success:

Laying the Foundation:

  • Know Your Audience: Understand your employees’ roles, responsibilities, current knowledge, challenges, and preferred learning styles. Consider time constraints, language barriers, and regional differences to tailor your approach effectively.
  • Define a Clear Purpose, Objectives and Measures of Success: Uncover the “why” driving your training. What specific behaviours or knowledge do you want to cultivate? This focus will keep your messaging on point and enable you to define what success looks like from day one.
  • Prioritise Value, Not Volume: Don’t try to boil the ocean. Focus on the risks that pose the most immediate threat to your organisation. Is phishing your biggest concern? If so, start there! Tailor your training and awareness materials to address the specific tactics and themes you’re seeing. Are you noticing a surge in phishing attempts via social media? Use that insight to make your content hyper-relevant to your employees’ experiences. Remember to cover core topics like password security, safe browsing habits, data protection, and reporting suspicious activity. The more practical and applicable your training is, the more likely it is to resonate and drive real behaviour change.
  • Make it Fun and Engaging: Explore gamification, rewards programmes, and interactive learning experiences to make training enjoyable and memorable.
  • Leverage Existing Tools (and Explore New Ones): Don’t underestimate the power of simplicity. You can achieve a lot with the tools you already have! Platforms like Microsoft 365 offer a wealth of features that can be repurposed for creating engaging security awareness content. Think outside the box and get creative with tools like Teams, Forms, Sway, Stream, and SharePoint – sharing real-world phishing emails (with personal information redacted) and using polls or quizzes can be a highly effective quick win. However, as your programme matures, you might explore the vast array of specialised tools available. The key is to find the right balance between leveraging existing resources and investing in new solutions as your needs evolve.
  • Embrace Data-Driven Insights: Data is the foundation for building and continuously improving an effective awareness programme. Once you know your objectives, you can determine the best ways to measure their impact. The depth of your analysis will depend on the data available within your organisation. Some organisations have a wealth of data at their disposal, allowing them to measure impact across a range of core topics like phishing or password security. Others may be limited to more basic metrics, such as tracking the number of security incidents reported after training on reporting procedures. As your programme matures, you can work on defining new data streams and building your analytical capabilities. But remember, data isn’t just about numbers – gather feedback from your audience about their training experience to ensure your content is engaging and effective. Most importantly, look for evidence of behaviour change – are employees applying what they’ve learned in their day-to-day work?
  • Foster Cross-Functional Collaboration: Break down silos and establish clear communication channels between IT, HR, Legal, Communications, L&D and other key departments to ensure everyone is aligned and working together towards a shared goal of a cyber-aware culture.
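The “real-world phishing emails (with personal information redacted)” quick win above needs a repeatable way to strip recipient details and neutralise links before a sample goes onto Teams or SharePoint. The script below is an added example, not code from the original article or from IRM Cyber Group; it assumes your internal mail domain is example.com and works on a constructed sample message. It drops headers that expose internal infrastructure, masks internal addresses, replaces phone numbers, and defangs URLs so nobody can click through. Personal names in the body are not detected and still need a manual check.

```python
"""Redact and defang a captured phishing email for safe internal sharing.

Added example (not from the original article). Assumes the organisation's
internal domain is example.com; the sample message is constructed for the demo.
"""
import re
from email import message_from_string, policy

# Addresses at these domains are internal and get masked (assumption for the demo).
INTERNAL_DOMAINS = {"example.com"}

# Headers that reveal mail relays, IPs or the recipient's mailbox; dropped before sharing.
DROP_HEADERS = ("received", "x-originating-ip", "delivered-to", "return-path",
                "authentication-results", "x-ms-exchange-organization-authas")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"(https?)://([^\s<>\"']+)")

# Constructed sample of the kind of message staff report; not a real email.
SAMPLE_EMAIL = """\
Received: from mail.secure-login-portal.net (203.0.113.10) by mx.example.com
Received: from internal-relay.example.com (10.1.2.3) by mx.example.com
X-Originating-IP: [203.0.113.10]
From: IT Support <helpdesk@secure-login-portal.net>
To: alice.smith@example.com
Subject: Action required: password expires today
Date: Mon, 03 Jun 2024 09:12:00 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear Alice,

Your mailbox password expires today. Reset it now at
https://secure-login-portal.net/reset
or call the service desk on +44 20 7946 0000.

Regards,
IT Support
"""


def redact_address(match: re.Match) -> str:
    """Mask internal mailboxes; keep the attacker's address, which is the teaching point."""
    addr = match.group(0)
    _local, _, domain = addr.rpartition("@")
    if domain.lower() in INTERNAL_DOMAINS:
        return f"redacted@{domain}"
    return addr


def defang_url(match: re.Match) -> str:
    """Break the link so it cannot be clicked: http -> hxxp and '.' -> '[.]' in the host."""
    scheme, rest = match.group(1), match.group(2)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def sanitise_text(text: str) -> str:
    """Apply address masking, phone redaction and URL defanging to a text fragment."""
    text = EMAIL_RE.sub(redact_address, text)
    text = PHONE_RE.sub("[phone redacted]", text)
    return URL_RE.sub(defang_url, text)


def sanitise_email(raw: str) -> str:
    """Return the message as a string with sensitive headers dropped and content sanitised.

    Only single-part text/plain messages are handled; HTML/multipart samples
    need each part treated separately.
    """
    msg = message_from_string(raw, policy=policy.default)
    for name in list(msg.keys()):
        if name.lower() in DROP_HEADERS:
            del msg[name]  # removes every occurrence, e.g. all Received: lines
    for name in ("From", "To", "Cc", "Reply-To", "Subject"):
        if msg[name] is not None:
            msg.replace_header(name, sanitise_text(str(msg[name])))
    if msg.is_multipart():
        raise ValueError("example handles single-part text/plain messages only")
    msg.set_content(sanitise_text(msg.get_content()))
    return msg.as_string()


if __name__ == "__main__":
    print(sanitise_email(SAMPLE_EMAIL))
```

Run it and the Received and X-Originating-IP headers are gone, the recipient becomes redacted@example.com, the reset link reads hxxps://secure-login-portal[.]net/reset, and the phone number is replaced, while the sender’s lookalike domain is kept so the audience can see what to watch for. Treat the regexes as a first pass: review each sample before publishing it.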

Essential Tips for Continuous Improvement:

  • Provide a Central Hub and Open Door: Create a central resource hub with security policies, training materials, FAQs, and contact information. Set up a dedicated cybersecurity mailbox to streamline inquiries and gather valuable insights into employee knowledge gaps and training needs.
  • Personalise the Experience: Enhance generic content and tailor training to specific roles and departments. Incorporate your company’s reporting procedures into scenarios for added relevance. And don’t forget to develop specialised programmes for the high-risk roles in your organisation, for example developers, executives, HR, legal and finance teams.
  • Go Beyond Traditional Training: Instead of relying solely on awareness campaigns, aim for sustainable behavioural change by creating an environment where secure choices become second nature. Integrate the 70:20:10 learning model, providing opportunities for employees to learn by doing (70%), collaborating with peers (20%), and participating in targeted, formal training (10%). This balanced approach caters to diverse learning styles and embeds security awareness into everyday work practices. Enhance this approach further by leveraging proven, science-backed principles like Cognitive Load Theory and Nudge Theory to ensure training is engaging, easy to understand, and subtly guides employees towards secure behaviours. For an effective solution to building security awareness and behavioural change, consider SANS Security Awareness Training, which offers a comprehensive suite of resources designed to create a secure culture.
  • Embrace Innovative Delivery and Production Methods: A blended learning approach is key to catering to different learning styles and time constraints. To complement traditional training methods like webinars, explore a mix of engaging formats like microlearning videos, interactive scenarios, gamified activities, and short quizzes or polls. Don’t shy away from emerging technologies like AI to help automate tasks or even create content!
  • Keep the Conversation Going: Building a cyber aware culture is a marathon, not a sprint. It’s essential to maintain engagement and momentum over time. This means being responsive and accessible to your employees. Respond promptly to questions and concerns, whether they come through email, internal platforms like Yammer, or in-person interactions. Even a simple out-of-office message setting expectations for response times can go a long way in demonstrating your commitment to employee engagement.
  • Share Your Successes (and Challenges): Regularly share insights from your culture and awareness activities with key stakeholders. Highlight successes and challenges to demonstrate transparency, solicit feedback, and build support across the organisation.

Measuring Your Progress: The SANS Cyber Culture Maturity Model

The SANS Institute’s Cyber Culture Maturity Model provides a helpful framework for assessing your organisation’s progress in building a cyber aware culture.

The model uses a five-level scale, with each level representing a different stage of maturity:

  • Level 1 (Non-Existent): No formal awareness programme in place.
  • Level 2 (Compliance Focused): The program is designed primarily to meet specific compliance or audit requirements. Training is limited to being offered on an annual or ad-hoc basis. Employees are unsure of organisational policies and/or their role in protecting their organisation’s information assets.
  • Level 3 (Promoting Awareness & Behaviour Change): The program identifies the target groups and training topics that have the greatest impact in managing human risk and ultimately supporting the organisation’s mission. The program goes beyond just annual training and includes continual reinforcement throughout the year. Content is communicated in an engaging and positive manner that encourages behaviour change. As a result, people understand and follow organisation policies and actively recognise, prevent, and report incidents.
  • Level 4 (Long-Term Sustainment & Culture Change): The program has the processes, resources, and leadership support in place for a long-term life cycle, including (at a minimum) an annual review and update of the program. As a result, the program is an established part of the organisation’s culture and is current and engaging. The program has gone beyond changing behaviour and is changing people’s beliefs, attitudes, and perceptions of security.
  • Level 5 (Metrics Framework): The program has a robust metrics framework aligned with the organisation’s mission to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment. Metrics are an important part of every stage, and this level simply reinforces that to truly have a mature program, you must be able to demonstrate value to the organisation.

By using the SANS model as a guide, you can assess your organisation’s current maturity level and identify areas for growth. Remember, building a cyber aware culture is an ongoing journey, and there’s always room for improvement.

Building a Secure Future, Together

Creating a cyber-aware culture demands a sustained commitment from leadership, continuous improvement, and the active participation of every employee. By embracing these strategies and fostering a culture of shared responsibility, organisations can create a more secure future for themselves, their employees, and their stakeholders.