Developing a Cybersecurity Culture

Mission

AXA is one of the largest insurance companies in the world and – as such – a top target for cybercriminals. As the company embarked on a profound transformation of its security capabilities, the group’s chief security officer approached Adviso with a question: how to change the company’s culture and make the 130,000 employees a strong line of defense against cybercrime?

Solution

The client first needed a clear concept to rally around and a solid culture change strategy. We arrived at « Care, Protect, Alert », a clear, powerful and versatile security mindset that sticks and translates into all work situations.

Yet, the true efficacy of a culture is determined by the depth of its adoption. Therefore, we devised an awareness and behavior change plan, along with resources to encourage everyone to understand, act and advocate for security. Collaborating across entities, we provided the necessary tools to implement the change plan, resulting in a unified experience around the globe.

We started with a period of extensive research and consultation, interviewing international stakeholders to understand when and why employees are taking risks from an information security perspective. It was the beginning of a closely collaborative process with the entities.

We developed a comprehensive set of culture change tools created with a unique team composed of changemakers, certified security experts, neuroscientists, digital learning specialists, creatives and filmmakers:

• • An anti-phishing learning journey, resulting in the company sending over 1 million phishing emails to its employees annually to assess their ability to detect fraudulent activities; this is complemented by concise e-learning modules for individuals who happen to click on the malicious links.

• • A security certification training curriculum for all employees, tailored to specific populations, that ultimately achieved the highest participation score within the Group and garnered several international awards.

• • Communication materials comprising articles, cartoons, on-site and online games, events, conferences, infographics, and films. One particular film campaign received the prestigious honor of ‘Best Internal Communication Campaign of the Year’ at the international Cannes Corporate Film Festival.

This multiyear effort leaded to position the security team as internal best practice in the field of culture change and the company itself as a leading benchmark amongst their peers in the field of security awareness maturity. And of course, this effort highly contributes to keep security level high.