Last year’s industry benchmarks (published in CLTRe’s 2018 Security Culture Report) reveal how specific industry sectors stand apart in terms of their security culture maturity and how different measures are needed to address their unique cultural issues if they are to successfully and effectively improve security. Let’s take the Retail and Wholesale Trade sector as an example.
With a score 14 points below the global standard (60), this sector scores worse on the Behaviors dimension than all the other sectors included in the study. On the other hand, the above-average scores for Attitudes, Cognition and Compliance indicate that employees within the Trade sector have a higher-than-average understanding of security and how it relates to their own role in their organization, as well as being more positive toward, and adherent to, the organizational measures put in place to protect them and the security of information.
A major challenge when adequately educating the workforce on cybersecurity in the retail sector is high employee turnover. To improve the security culture transformation, whilst minimizing cost, a clear strategy with a strong focus on segmenting the workforce based on roles and positions and their exposure to cybersecurity risks is needed.
Using a standard of measurement for identifying the needs of different workforce segments makes it possible for organizations to differentiate their communication and training content accordingly. The 2018 Trade Industry Benchmark shows why this sector requires dramatic changes to how it assesses, monitors, educates and changes its employees’ behavior.
Organizational measures to build security culture are significantly more effective when organizations take an evidence-based approach. In a similar-themed post, published last week, I explained how finance-sector customers used the data collected from their security culture measurement to better understand the needs of their employees and create “campaign audiences” (i.e. segment their workforce based on their different perceptions and understanding of security) to adapt their security culture program.
As a result, finance-sector customers within Fund Management were able to document a decrease in risky behaviors of up to 16.7% (from 63 to 73.5 points) in one year. Other noticeably felt cultural changes included a 17-point increase in individuals’ sense of responsibility towards security.
With the insights gathered, an organization is able to take an evidence-based approach and plan measures that directly address the weaknesses identified in the first measurement. That first measurement creates a baseline from which effectiveness can be measured.
Having a starting point metric (a baseline) for each segment enables organizations to track progress and gives them a detailed understanding of what makes that particular segment different from the others and how it should be treated. Subsequent measurements record how the security culture of these segments changes so that progress can be tracked and demonstrated.
Organizational measures to build security culture are significantly more successful when organizations take an evidence-based approach. This is how organizations learn whether their security culture strategy is effective and can compare their results against their industry benchmark as a measure of their success.
Contact CLTRe directly to learn more: https://get.clt.re/demo