A culture of building organizational security has lots of dimensions and takes continuing effort,j David Bisson on The State of Security website advises.
Referencing the KnowBe4 site: these are the component makings of a security culture:
Attitudes: How employees feel towards the organization’s security protocols and issues.
Behaviors: Employees’ activities and actions that affect an organization’s security.
Cognition: The knowledge that employees have of security issues and activities.
Communication: The types of channels that the workforce can use to discuss and share support for security-related issues.
Compliance: The awareness that employees have of their organization’s security policies and how they follow them.
Norms: The extent to which employees are knowledgeable of and adhere to the organization’s unwritten codes of security conduct.
Responsibilities: How employees view their role in either supporting or undermining their organization’s security.”
KnowBe4 found that Banking and Financial Services are the best performers with a score of 76, while Education organizations “were still in the process of accepting their exposure to digital threats”, scoring 68.
The scoring process KnowBe4 used takes some scrutiny, but the results weren’t that far apart. Security is a continuing organizational challenge for all.