Part three of a four-part series covering Ivanti’s latest research. Get the full series:

An organization’s culture and training programs have a significant influence on security preparedness, but our research shows both are inconsistent at the country-to-country level.

As we’ve seen in the previous posts in this series, employee demographics and their willingness to report security risks are hidden threats to your cybersecurity posture.

But new research from Ivanti shows us there are notable variations between countries in employee beliefs and behaviors regarding cybersecurity. This poses a unique hidden threat to organizations operating in multiple regions.

Get the report: Hidden Threats: How workforce demographics impact your security posture

Security cultures by country

Our research shows important differences in security culture at the country level — both in terms of training provided by the organization and employee-level attitudes. Some examples:

  • In Germany, 83% said they would feel safe reporting their mistake to the security team, compared to 61% of employees in Japan.
  • In India, 55% said they believe they have an impact on the company’s cybersecurity efforts, while just 7% said the same in China and 16% said so in France.

“These country-level differences are an interesting lens through which to study preparedness. It’s easy — and common — for a security team to judge security based on what’s taking place in their largest or nearest office. Our latest research shows how important it is to explore more granular data and uncover security procedures at every location — whether at headquarters, R&D facilities, supply chain outposts or manufacturing locations.”

Daren Goesen, SVP, Product Management, Ivanti

How local culture interacts with global security programs

Culture can influence how organizations defend their assets and people, as well as how they respond to an attack. These challenges include:

  • Employee discomfort with training that was developed at the global level (e.g., poor translation of teaching materials into local language and culture).
  • Employee unease with new standards or rules that have not been “socialized” at the local level.
  • A top-down local office culture that leaves little room for individuals to report errors or concerns.
  • Substandard security support for local offices; for example, employees with questions or concerns must contact a security team member in a different country — and endure language and cultural barriers.

All these issues can make it easier for malicious actors to disrupt day-to-day operations.

Why it matters

Many organizations have a top-down approach to training and security culture, but the research shows it’s critical to understand local security culture — and even local culture — to put together a coherent plan.

No matter where they're from, every new hire introduces their own unique vulnerabilities to the organization, intentionally or not. Undertrained employees risk diluting the strength of the overall organization's preparedness.

To minimize this risk, organizations must invest in strong onboarding and ongoing security training programs at global and regional levels.

In our next post in this series, we’ll detail this and other effective measures an organization can take to address the hidden threats we’ve explored.