Security Culture Design and Planning for a more secure Organisation
As greater flexible working in the “new normal” working world has augmented the threat of cyberattacks and security incidents, this global bank sought to change the way their colleagues viewed and practiced security.
The bank understood that by arming employees with first class security knowledge and reflexes, they can assume greater responsibility and accountability for the security of the bank, for themselves and their families. This was critical given that a significant portion of the workforce now operate sporadically outside of the office. One of the defining pillars of this change was to embed a stronger security culture and mindset globally throughout the organisation.
Solutions & approaches – Chosen for our deep expertise in Cybersecurity and Operational Resilience
The bank selected Wavestone to design a Security Culture Framework and steer the launch of a Security Culture programme spanning three years due to their profound and proven cybersecurity and operational resilience expertise.
During a two-phase project spanning six months, Wavestone established a view on the bank’s vision for security culture and developed a framework to indicate how this vision could be achieved. To develop this, the team hosted workshops with key stakeholders in the bank to ascertain which security risks were most pressing to address and thus which desirable security behaviours to cultivate.
Next, the Wavestone team ideated a suite of potential initiatives to deploy over a one-year period to educate and promote the prioritised desirable security behaviours across various populations in the bank. Alongside, the team developed an MI Model detailing key measures to acquire security behaviour data, initiative attendance data and feedback on the initiatives.
The Results – A durable framework and plan of action
Wavestone’s work equipped the bank with a durable Security Culture Framework to be used over the next three years to guide successful future Security Culture campaigns. In addition, the team proposed a plan for the delivery of centrally and locally created Security Culture initiatives to a global audience of over 85,000. Once collected, the data sourced via the recommended measures will provide a monthly view of the utility of the initiatives and the inferred impact on business risk as a result of changes in security behaviour.