Build a strong security culture to guard against risks
A strong, positive culture will reward and celebrate actions in support of company goals and objectives and in alignment with core values.
“Corporate culture” is a phrase that has been tossed around in business circles for decades, and most business leaders would agree that culture is important.
But what is it? It’s hard to say. It’s one of those constructs that lends itself to “you’ll know it when you see it” definitions. That’s not sufficient, of course.
Culture is what underpins how organizations do their work. It’s embedded in their mission, vision and values. Culture is exhibited through the behaviors and actions of everyone in the organization — from leadership on down through the front lines. It’s how new employees are welcomed into the organization. How they celebrate successes. How they respond to failures. How they treat employees, customers and partners.
And, as we learned during the pandemic, it is how we act when we don’t think anyone is watching. Companies with strong cultures during the pandemic were able to continue their work successfully regardless of where workers were deployed.
A strong, positive culture will reward and celebrate actions that support company goals and objectives and align with core values. A toxic culture that tolerates “bad behavior” and “bad actors,” where harassment is widespread, for example, may create a place where people don’t want to come to work, or to do their work.
Defining a security culture
A security culture is a subset of overall corporate culture. Just as a corporate culture supports the values and objectives of the organization, a security culture supports the objectives and values related to security — protecting the data and technology the company uses to do its work while protecting employees, customers, vendors and others. Security culture can be defined as the ideas, customs and social behaviors of a group that influence its security.
Having a good security culture means security is embedded in the organization. Clearly, that’s important to provide the broadest level of protection for organizational data and systems.
Weak vs. strong security culture
Just as with corporate culture, all organizations have a security culture — whether they know it or not. The question is, “Is that culture a good one?”
In organizations with a good security culture, employees will make the right decisions when it comes to security considerations; they’re aware of potential threats and know what red flags to be alert to, and they report all suspicious activity. They understand that, as the human endpoint — where most breaches occur — they play a critical role in supporting the security culture and making it strong.
These beliefs are exhibited and illustrated through their behaviors.
In an organization with a weak security culture:
- An employee who becomes the target of a phishing attack (e.g., receiving a malicious email) will think: “This is odd; I’d better take a look to see if it’s legit.”
- An employee who comes across a USB labeled “Payroll 2022” will think: “Wow, this will be interesting; I’ll find out where I stand compared to my peers.”
In an organization with a strong security culture:
- An employee who becomes the target of a phishing attack (e.g., receiving a malicious email) will think: “This looks suspicious. I need to report this to the cyber team so they can investigate it.”
- An employee who comes across a USB labeled “Payroll 2022” will think: “Hmmm, interesting, but very suspicious. I’m going to take this to the cyber team.”
These are the kinds of situations that employees face continually — not all respond appropriately, especially those in organizations that don’t have a strong security culture.
Building a strong security culture
We’ve already addressed the reality that every organization has a security culture — it just may not be the one that they want.
A first step in strengthening security culture is identifying its current state and then defining what you want the culture to be and where improvements need to be made.
This starts with asking some important questions to assess the current state:
- Do employees understand the impact of a potential breach?
- Are they aware of the cyber threat landscape?
- Do they take steps like locking devices when they’re away from their workstations?
- Do they follow existing policies on internet usage, incident reporting, etc.?
- How do they respond to phishing attempts and other forms of social engineering?
With this baseline, you can begin to explicitly define the security culture you would like to have:
- What is your employees’ current understanding, knowledge and sense of awareness?
- What attitudes do you want employees to have toward security?
- What behaviors do you want to see or change?
- How will you communicate with employees so they feel part of the security solution?
- How will you include employees in your policies and ensure they know what is expected of them?
- When you consider your company’s “unwritten rules,” what security considerations are part of these rules?
- Do employees understand that cybersecurity is everyone’s responsibility and that they each play a critical role?
Organizations without a strong security culture are at risk. Organizations that work to build and continually monitor their security culture to make it stronger minimize those risks, protecting employees, customers, partners and the business.
Perry Carpenter is co-author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” He is chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform. Contact him via LinkedIn.