In today's digital landscape, fostering a security-aware culture is paramount for organisations in Asia. CIOs and CISOs play a crucial role in embedding cybersecurity into the organisational ethos. This involves not only implementing robust security measures but also promoting continuous education and awareness among employees.
By cultivating an environment where security is a shared responsibility, organisations can better mitigate risks and respond effectively to threats. Encouraging open communication about security practices and integrating them into daily operations enhances resilience.
Ultimately, a proactive security culture empowers employees to act as the first line of defence against cyber threats.
Ben King, Okta’s VP of cybersecurity trust & culture, says enterprises in Asia consistently demonstrate security awareness on par with, or even surpassing, their global peers. He adds that employees typically show a strong understanding of their risk profiles and adhere to policies more rigorously than their global counterparts. In North America and parts of Europe, many employees tend to view such policies as optional, a mindset that is far less common in Asia.
He recalls that a KnowBe4 study showed Asia’s phishing susceptibility rate at 28.4%, lower than the global average of 34.3%, reflecting significant investments in security awareness across the region. Continued investment in security awareness, however, is still essential to maintain this lead.
A security-aware culture is…
The SANS 2024 Security Awareness Report describes a security awareness program as a structured effort to engage, train, and secure your workforce and build a strong security culture.
“Many organisations refer to such efforts using different terms, including security behaviour and culture, security engagement and influence, security training and education, security communications, or human risk management.” The SANS Institute
King says a security-aware culture is essential to any organisation; it serves as the lifeblood or DNA that shapes how employees view their role in safeguarding information. He stresses that cultivating this culture requires clear expectations, well-defined policies, and effective communication.
“It’s crucial to be aware of your organisation’s risk profile and the evolving threat landscape. It's not just about the systems and tools we implement; it's about the collective mindset of the people within the organisation, and how they perceive their roles in security,” he continues.
The role leadership plays in promoting a security-aware culture
King acknowledges that leadership plays an essential role in driving change, but at the same time concedes that creating a security-aware culture requires more than just top-down leadership.
“Success is more likely when champions exist at all levels, fostering accountability through peer-to-peer communication and collaboration across teams,” he begins. “Grassroots communication, especially sideways peer-to-peer dialogue, plays a crucial role in holding everyone accountable.”
For King, having peers and champions within the organisation who drive change is essential, involving collaboration across teams like security, HR, and physical security. “This effort cannot be led by a single individual; it demands a collective, organisation-wide approach to be truly effective,” he stresses.
Measuring effectiveness
Asked how organisations measure the effectiveness of their cybersecurity training programs, he says any effort to measure begins with setting clear expectations about company policies and communicating them through educational campaigns and training tailored to employees' roles.
He acknowledges that incentives such as recognising and rewarding good security behaviour are as important as ensuring accountability for poor practices.
“Employees should face consequences for lapses, whether held accountable by management or peers,” says King. “At Okta, one of our core values is security, which sets the expectation that every employee, regardless of role, is responsible for upholding the company's security culture. We even reward employees with public recognition and cash incentives for demonstrating security consciousness at work.”
Recognising what works and what doesn’t
King concedes that employees come from diverse backgrounds and have different learning styles.
“It is important to assess the specific cyber risks each (employee) may encounter and set appropriate expectations to cultivate security awareness,” he adds, warning that without well-defined policies and guidance from leadership, it becomes challenging to effectively incentivise or hold employees accountable for their actions.
“Clear direction from the top ensures that everyone understands what is expected of them, allowing for both recognition of good behaviour and appropriate consequences for poor security practices,” he goes on.
Integrating security awareness into the onboarding process
King also concedes that driving a security culture is a continuous process throughout an employee's lifecycle in an organisation. “Different roles face varying risks, making onboarding training crucial for new hires to understand baseline expectations,” he adds. “This is the best time to embed a security-conscious culture.
“Collaboration with HR is vital, as they oversee training, education, and onboarding, but security teams must also be involved to ensure strong outcomes. Whether driven by HR or Security, collaboration between both is necessary. Security leadership should be engaged from day one to manage risks and plan for the desired outcomes effectively.” Ben King
The challenges ahead
King reminds us that security is driven by risk, and a security awareness and education program should be tailored to address specific risks associated with a diverse, hybrid, or remote workforce. He points out that if staff diversity or remote work presents unique risks, the program must adapt to those challenges.
In conceding that building a security-conscious culture in a hybrid environment is difficult, he suggests that over-communication and flexible online learning experiences are crucial. “Programs should be available across time zones and designed for employees to access at their convenience,” insists King.
When prodded to offer some best practices, King suggests organisations should assess their specific threat landscape and analyse data to address their unique risks.
"Each organisation has a different risk profile, and training should be tailored by role, location, and work style. For instance, the risks faced by finance are different from those encountered in HR or software engineering," he adds.
"Cross-team collaboration is key and requires inputs from all levels across the organisation. Security awareness must be embedded throughout the employee lifecycle, from recruitment to regular touchpoints like annual training or Security Awareness Month. Ultimately, security is a continuous, evolving process that requires sustained investment as risks change over time," he continues.
Developing security-aware cultures in 2025
"As we approach 2025, the rapid proliferation of AI tools, large language models, and AI assistance in the workplace is dramatically altering the threat landscape and risk profiles for organisations." Ben King
He believes that security controls, awareness training and cultural shifts must evolve just as quickly. "The old approach of setting a policy and reviewing it annually is no longer sufficient. Organisations need to adopt faster, more dynamic methods for educating employees about evolving risks — whether at home or in the office — and communicate these updates more frequently. The pace of change will only accelerate as we move further into 2025," he continues.
Click on the PodChats player and listen to King elaborate on how organisations can foster a sustained security-aware culture.
- Where are enterprises today in Asia-Pacific, when it comes to creating and maintaining an acceptable level of security awareness among staff?
- What, for you, is a security-aware culture?
- Does it make sense to have a one-person and what role should leadership play in promoting a security-aware culture?
- How do organisations measure the effectiveness of their current cybersecurity training programs?
- What strategies have worked (or not worked) to engage employees in cybersecurity awareness initiatives?
- How can organisations integrate security awareness into onboarding for new employees? Is this a job for HR? How and at what point should CIOs and CISOs get involved?
- What are the challenges organisations will face in fostering a security-aware culture in a diverse workforce and where a hybrid workplace is the norm?
- What best practices can we adopt from organisations that excel in security culture?
- What metrics should organisations use to track and evaluate improvements in security-aware culture?
- Do carrots work better than sticks when it comes to fostering a sustained security-aware culture?
- Coming into 2025, we can expect security to continue to grow in importance for all organisations and functions. What is your expectation for the development of security-aware cultures?