The first engagement I always choose to use to validate a security lead's claim of "We have a strong security culture" is to walk the halls of the revenue generators (advisors in finance, lawyers in legal consulting, operations staff in supply chain, etc.) and ask two simple questions:
The answer will always tell me two things as a security awareness practitioner:
If the answers are mumbled, unclear, or less than confident, employees are not even aware of what constitutes a monitored secure-behavior violation, which simply means there is no real expectation that they act accordingly.
An overlooked culture strength is employees who consistently keep a workspace free of operational documents, lock their computer screens, and leave whiteboards blank. While this may seem like a cutesy engagement, these policies exist for a reason, and ensuring compliance is not only important but also promotes a strong culture by demonstrating accountability. Too many organizations insist on clean desk policies yet rarely, if ever, test for them, further demonstrating to staff that security policies are suggestions, not expectations. Untested policies foster a culture of convenience over security, promoted by lazy security leadership.
At least annually, and preferably twice a year, simply walk the work areas after hours and inspect them for:
Outside of these inspections, additionally ensure all work areas have reasonable access to secure shredding bins. If they don't, put in a formal request to change that.