Protecting your company requires a robust security program with documented policies and processes; but without consistent, thorough execution of those policies, your company isn’t actually any more secure. Program documentation, no matter how detailed or organized, doesn’t harden any targets on its own. That's why building a company culture of security is a vital part of your security program. Lack of an active security culture throughout your organization undermines its security readiness.
Security for many small businesses and start-ups may be lax because they have no program at all. Getting started building a security program is step one, but the focus can't be only on securing devices and assets. Humans remain the weakest link in cyber defense yet often receive the least attention in most security programs.
When a documented IT security policy fails, you'll often find a human element behind it. Perhaps someone was careless with a company laptop. Did an employee fall for a phishing scam? Maybe even an IT team member forgot to deactivate the credentials of a separated employee.
Acknowledging the human risk to company security isn't about blaming any individual. Instead, it's about highlighting the failure of leadership to create and reinforce a security culture that prepares its people to manage security issues. A security culture sets up an understanding of risks, norms, and expectations of behavior, reinforcing itself through action. It provides employees with knowledge and the tools to make smart security decisions in compliance with the organization's security program. And ultimately, a security culture makes critical actions and behaviors second nature to everyone in the business.
The fundamental obstacle to creating a security culture? It’s the failure to invest the resources necessary to build up security-savvy employees who understand where the risks are and make security hygiene a part of their daily responsibilities.
There are five key aspects to creating a security culture. Each has its own set of challenges, but each is necessary to create a genuine culture that becomes embedded within the organization.
Security culture must permeate an organization from top to bottom. It can't take root if employees don't see executive leaders and middle managers taking security seriously.
Senior leadership must create and support a security program with clear lines of responsibility for executing the program. It requires investing in the resources needed to educate and communicate security policies, risks, and resources to employees. It also requires setting up systems that measure compliance and encourage security behaviors.
Last, leadership must personally demonstrate the security behaviors they want to see in others. If direct managers or senior executive teams are lax, it undermines efforts to create a genuine security culture.
Limiting your efforts to passive awareness campaigns won't create a security culture. A training video for new employees who answer some questions at the end? Anyone can pass a 10-question quiz on the material they've just seen. Making security policy documentation available online? Nobody's going to read through IT security documentation even if they do sign an attestation. When was the last time you read the Terms of Service before clicking “accept”?
Employees should regularly receive security communications that educate them about
All security communications should be written in “plain English,” free from IT jargon. They should also explain risks, and potential threats in contexts employees recognize.
One challenge to creating security-minded employees is that the threat and its consequences can feel too remote. Instead of talking about abstractions like vectors and endpoints, a security communication could convey real-world scenarios. It might show how bad actors can easily trick people into sharing sensitive information, which they can then use to gain access to the company network. Design scenarios that clearly illustrate the difference between a poor security choice and a strong one, making it easy for employees to understand what's expected of them.
Don't limit yourself only to written security communications. For example, we built a series of short podcasts on security culture for IT teams. At less than five minutes each, it's content anyone can consume quickly.
Short videos, podcasts, recorded messages, and even memes can all deliver security education in ways that achieve higher engagement and retention than a written email or policy memo. When you have a library of multimedia security communications, it's easy to share a constant stream of easily digestible security awareness material.
Ongoing security training is the more formal, interactive side of communication that helps build a security culture. Some training can be self-directed through security communication materials, but it doesn't replace regular live training.
We always recommend that organizations role play a security incident to test their response plan. Employee role plays are great training opportunities without having to simulate a full-scale event, and they also focus on building confidence in employee decision-making. Role plays cover how to identify a potential security risk and how team members should respond. Using an active role play training approach sparks the "muscle memory" that helps employees recognize shades of the scenario in real life.
Cybersecurity risks can be costly and need to be taken seriously. But creating a culture of fear or blame around security isn't going to yield positive results. Similarly, teasing employees with the promise of bogus bonuses to teach them the risks of phishing doesn't create an open, positive security culture.
A negative security culture leaves employees afraid to speak up. If they make a security mistake or see something suspicious, they may feel the personal risk of raising the issue is greater than the cyber risk to the organization. Employees using an unauthorized device or application for work won't let anyone know—they'll just continue to use it. All these behaviors open vulnerabilities that your security team may never see until it's too late.
Instead, create programs that reward and recognize employees for being attentive to security. One of the benefits of creating a digital library of your security communications is that you can measure which team members engage with the content and how often. These metrics allow you to reward and recognize people for
Teach employees to think of workplace cybersecurity the same way they do about workplace safety. The workplace safety framework is a valuable model for embedding security into all areas of the company:
One of the biggest challenges here is bridging the gap between IT staff and other employees. An IT team that uses too much jargon or shows impatience with non-tech savvy employees makes it harder to bridge that gap.
If you're a small or new company without an IT department, your challenge is tasking people who can take on the role of security advisor or act as the conduit to outside resources.
The point is that each employee needs to understand that performing their duties in compliance with company security policy is their responsibility.
Security culture is the component of your security program that can maximize compliance. A positive security culture yields employees who are mindful of their role in maintaining company security and confident in their ability to mitigate risk. The combination of acting on your security policies and security culture will position your company to take on bigger, more lucrative clients who expect you to have a comprehensive security program