Building a security-first culture is as important for cybersecurity as investing in the right tech or creating and enforcing the right policies. 

Defense systems cannot provide 100% of the security organizations need as long as individual employees are making decisions about what to click on, who to trust and, at the leadership levels, where and how much to invest in security. This is especially true with the rise in remote work

How to Make Security Important to Everyone

What is security culture?

It’s a set of ideas, habits and social behaviors that lead people to make choices in their everyday work that enhances, rather than threatens, the company’s cybersecurity. While “culture” sounds vague and soft, it’s really the best trainable guide for action. It’s a framework for making security important to everyone in the group.

The importance of security consciousness cannot be overstated. The benefits of a solid security culture mean employees will report, rather than click on, suspicious links sent via email or text. They’ll embrace, rather than circumvent, secure systems and safety protocols. They’ll engage freely with IT staff when unsure, confused or needing help, rather than stay silent.

Senior leaders will bring security teams in on projects early out of a spirit of mutual benefit, rather than at the last minute out of a spirit of suspicion or distrust. And, business leaders will make decisions based on clearheaded intent to protect the organization’s assets, rather than mistaken notions that cutting security will improve the organization’s finances. 

Unfortunately, nine out of 10 organizations do not have the security culture they want in their organizations, according to an ISACA/CMMI Institute Cybersecurity Culture Report conducted two years ago. 

What is a Cybersecurity Mindset? 

Security is part of every employee’s job description in fact or in spirit. But, how do you make sure every person keeps that in mind?

The answer, in a nutshell, is smart messaging, training and leadership. Here are the 10 elements of a new and effective culture of security in your organization. 

Security Culture Framework: Goals

Forget about awareness training. The first step is to set specific goals. Goals are qualitative and high level (as opposed to objectives, which are quantitative and measurable). These goals should be publicized, and will serve not only as guides for creating objectives, but also as inspiration and talking points for the conversion to come.


The business adage ‘if you can’t measure it, you can’t improve it’ holds in the creation of a security-first culture as much as any other aspect of business. Objectives should be measured in both quantity and in time. They need a deadline, or a point, each year when an assessment can be made.

These objectives may include compliance with specific rules, a reduction in financial losses, specific metrics around employees passing tests, reduction in data loss incidents and others. In addition, they take into account any and all practical objectives with deadlines that support the group’s goals.


Cybersecurity awareness training is often either put off until a tomorrow that never comes or is scheduled too infrequently, like annually. Make it more frequent, with different sessions focusing on different dimensions of awareness to create a lasting mindset.


Attack simulations in particular and gamification in general are great ways to really drive home the realities of cybersecurity. It’s the next best thing to really suffering a major attack for raising awareness. You can also create healthy competition between different teams to engage people.


Formal training sessions are just the “big events” of security awareness. Messages from leadership and management should also carry updates and reminders about the need for all-day, everyday vigilance. Keep it simple, basic and devoid of technical jargon.


A security-first culture demands open communication. And conveying concepts well requires the right words. Security awareness training should emphasize the language of security, especially the language of phishing attack types. By learning the words, employees become aware of the techniques.


Security awareness should also be a core part of new-employee onboarding. New employees should understand from the start that part of their job will be to work in an active culture of cybersecurity. 


A sense of empowerment for every employee is part of a culture of security awareness, too. The knowledge that every employee can help make or break the organization’s security posture should be foremost in everyone’s mind. On the flip side, a lack of it makes people complacent. Empower employees to take action. 

Error Avoidance

Some problems are created by errors by everyday employees that may seem like they have no connection to digital risk. So, it’s important that a culture of security recognizes this and develops training for avoiding or catching errors in general

Leaders Model Putting Security First

A culture of security means C-level executives understand that digital safety is a business challenge and a business opportunity, not a technical problem for the nerds to solve. 

Leaders can signal the importance of everyday cybersecurity as a strategic goal. All aspects of leadership come into play in creating a security-first culture. Expressing concepts clearly, leading by example, rewarding and promoting the right behaviors are what leadership is all about. Leaders can drive culture change in cybersecurity just like in other aspects of business. 

More from CISO

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

6 Roles That Can Easily Transition to a Cybersecurity Team

With the shortage of qualified tech professionals in the cybersecurity industry and increasing demand for trained experts, it can take time to find the right candidate with the necessary skill set. However, while searching for specific technical skill sets, many professionals in other industries may be an excellent fit for transitioning into a cybersecurity team. In fact, considering their unique, specialized skill sets, some roles are a better match than what is traditionally expected of a cybersecurity professional. This article…

Laid Off by Big Tech? Cybersecurity is a Smart Career Move

Big technology companies are laying off staff as market conditions change. The move follows a hiring blitz initially triggered by the uptick in pandemic-powered remote work — according to Bloomberg, businesses are now cutting jobs at a rate approaching that of early 2020. For example, in November 2022 alone, companies laid off more than 52,000 workers. Companies like Amazon and Meta also plan to let more than 10,000 staff members go over the next few years. As noted by Stanford…