Build a strong security culture to guard against risks


“Corporate culture” is a phrase that has been tossed around in business circles for decades, and most business leaders would agree that culture is important.

But what is it? It’s hard to say. It’s one of those constructs that lends itself to “you’ll know it when you see it” definitions. That’s not sufficient, of course.

Culture is what underpins how organizations do their work. It’s embedded in their mission, vision and values. Culture is exhibited through the behaviors and actions of everyone in the organization — from leadership on down through the front lines. It’s how new employees are welcomed into the organization. How they celebrate successes. How they respond to failures. How they treat employees, customers and partners.

And, as we learned during the pandemic, it is how we act when we don’t think anyone is watching. Companies with strong cultures during the pandemic were able to continue their work successfully regardless of where workers were deployed.

A strong, positive culture will reward and celebrate actions in support of company goals and objectives and in alignment with core values. A toxic culture that supports “bad behavior” and “bad actors,” where harassment is widespread, for example, may create a place where people don’t want to come to work, or do their work.

Defining a security culture

A security culture is a subset of overall corporate culture. Just as a corporate culture supports the values and objectives of the organization, a security culture supports the objectives and values related to security — protecting the data and technology the company uses to do its work while protecting employees, customers, vendors and others. Security culture can be defined as the ideas, customs and social behaviors of a group that influence its security.

Having a good security culture means security is embedded in the organization. Clearly, that’s important to provide the broadest level of protection for organizational data and systems.

Weak vs. strong security culture

Just as with corporate culture, all organizations have a security culture — whether they know it or not. The question is, “Is that culture a good one?”

In organizations with a good security culture, employees will make the right decisions when it comes to security considerations; they’re aware of potential threats and know what red flags to be alert to, and they report all suspicious activity. They understand that, as the human endpoint — where most breaches occur — they play a critical role in supporting the security culture and making it strong.

These beliefs are exhibited and illustrated through their behaviors.

In an organization with a weak security culture:

In an organization with a strong security culture:

These are the kinds of situations that employees face continually — not all respond appropriately, especially those in organizations that don’t have a strong security culture.

Building a strong security culture

We’ve already addressed the reality that every organization has a security culture — it just may not be the one that they want.

A first step in strengthening security culture is identifying its current state and then defining what you want the culture to be and where improvements need to be made.

This starts with asking some important questions to assess the current state:

With this baseline, you can begin to explicitly define the security culture you would like to have:

Organizations without a strong security culture are at risk. Organizations that work to build and continually monitor their security culture to make it stronger minimize those risks, protecting employees, customers, partners and the business.

Perry Carpenter is co-author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” He is chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform. Contact him via LinkedIn.
