How Prudential measures its security culture to identify risk
Security education and awareness programs are an important component of any organization’s security posture. However, quantifying the effectiveness of such initiatives can be difficult. Measuring content engagement metrics, test results and phishing simulation success tells only so much about an enterprise’s security culture — the degree to which everyone has internalized security risks and best practices.
Speaking at Tessian’s recent Human Layer Security Summit in London, Mark Logsdon, head of governance and assurance at Prudential Financial, discussed a new way the insurance company is trying to quantify cybersecurity culture internally. The goal is to create a reliable indicator of the company’s future risk.
Security awareness and behavior program shortcomings
Logsdon sees three fundamental problems with most security awareness campaigns: They are irrelevant and not personalized to the user, dull, and take people away from their main responsibilities. “It takes a big chunk of money out of the business,” he said. “You're asking people typically to take 30 minutes, times 30,000 people globally. That's a big number. I have to do 12 or 13 individual modules a year, so it mounts up. Is it any wonder they don't work?”
Prudential set about working on a new method of quantifying security understanding and behaviors. “We felt that understanding the culture helps us, at least in some way, to reduce the risk and align security better to the business,” Logsdon said.
Gloss