Cybersecurity Awareness Month isn’t just a reminder for you to change a few passwords or brush up on security best practices. It’s a time for reflection, growth, and education—even for security experts like me.
We know strong security policies and processes are the best defense against breaches, but they’re most effective in companies with strong cultures of security awareness—where employees feel confident and empowered to take action against security issues.
How do you build a company culture like that? Start by measuring. We developed a survey to understand how SurveyMonkey employees view our security culture, and we’ve used the data to improve and to prioritize the next key initiatives we embark upon.
Where do you start with measuring “culture”?
As you can imagine, measuring something as intangible as culture isn’t always straightforward, so we aimed to build our survey in a way that would allow us (and others) to do just that. When it came to assessing the security culture we’ve built, we focused on several key factors, including:
- How do employees view security and the security team?
- Do they feel empowered to take action for security issues?
- Do employees feel the leadership team prioritizes security?
To ensure our survey would be rigorous and comprehensive, we partnered with our own survey research team and looked to others in the field for inspiration. Our final result, the Security Awareness Template, builds on the work of Lance Hayden and his Security FORCE survey. We’ve made the template available to anyone who wants to measure their own security program.
What did we learn?
In order to build a healthy security culture, you have to ensure that your security policies and processes are integrated into employees’ everyday workflows. If they’re too cumbersome, employees might be frustrated following them.
When we surveyed our own employees, 81% said they felt security was integrated into their daily routine at work, and 88% said security policies help them do their job better. These results were encouraging, and they showed there is still some room for improvement.
We also learned that our team is hungry for even more security training. More than 85% strongly agreed or agreed that they’re interested in increasing their own security knowledge and skills beyond our existing training. We also learned that about half (49%) are taking their security learnings from work and also applying them at home. This is a real opportunity for us to make sure that resources available to the team are also applicable to their everyday lives.
Ultimately, we wanted our employees to be comfortable sharing their thoughts openly and honestly, so we launched this survey anonymously, and we would encourage you to do the same.
We were happy to see that our team is equally comfortable reporting potential security problems even when they’re unsure, and they know that potential problems they report will be taken seriously and will get fixed. This affirms the culture that we’ve built where everyone at SurveyMonkey is empowered to raise the alarm if needed, and we’ll continue to emphasize these practices with every member of our team.
How could others use this template?
At SurveyMonkey, we know that we don’t have all the answers, but we are always questioning. We encourage people to start by asking questions and diving into what is working well and what could be improved. When it comes to something as important as your team’s security awareness, don’t hesitate to ask the important questions.