Building a security-first culture is as important for cybersecurity as investing in the right tech or creating and enforcing the right policies. 

Defense systems cannot provide 100% of the security organizations need as long as individual employees are making decisions about what to click on, who to trust and, at the leadership levels, where and how much to invest in security. This is especially true with the rise in remote work

How to Make Security Important to Everyone

What is security culture?

It’s a set of ideas, habits and social behaviors that lead people to make choices in their everyday work that enhances, rather than threatens, the company’s cybersecurity. While “culture” sounds vague and soft, it’s really the best trainable guide for action. It’s a framework for making security important to everyone in the group.

The importance of security consciousness cannot be overstated. The benefits of a solid security culture mean employees will report, rather than click on, suspicious links sent via email or text. They’ll embrace, rather than circumvent, secure systems and safety protocols. They’ll engage freely with IT staff when unsure, confused or needing help, rather than stay silent.

Senior leaders will bring security teams in on projects early out of a spirit of mutual benefit, rather than at the last minute out of a spirit of suspicion or distrust. And, business leaders will make decisions based on clearheaded intent to protect the organization’s assets, rather than mistaken notions that cutting security will improve the organization’s finances. 

Unfortunately, nine out of 10 organizations do not have the security culture they want in their organizations, according to an ISACA/CMMI Institute Cybersecurity Culture Report conducted two years ago. 

What is a Cybersecurity Mindset? 

Security is part of every employee’s job description in fact or in spirit. But, how do you make sure every person keeps that in mind?

The answer, in a nutshell, is smart messaging, training and leadership. Here are the 10 elements of a new and effective culture of security in your organization. 

Security Culture Framework: Goals

Forget about awareness training. The first step is to set specific goals. Goals are qualitative and high level (as opposed to objectives, which are quantitative and measurable). These goals should be publicized, and will serve not only as guides for creating objectives, but also as inspiration and talking points for the conversion to come.


The business adage ‘if you can’t measure it, you can’t improve it’ holds in the creation of a security-first culture as much as any other aspect of business. Objectives should be measured in both quantity and in time. They need a deadline, or a point, each year when an assessment can be made.

These objectives may include compliance with specific rules, a reduction in financial losses, specific metrics around employees passing tests, reduction in data loss incidents and others. In addition, they take into account any and all practical objectives with deadlines that support the group’s goals.


Cybersecurity awareness training is often either put off until a tomorrow that never comes or is scheduled too infrequently, like annually. Make it more frequent, with different sessions focusing on different dimensions of awareness to create a lasting mindset.


Attack simulations in particular and gamification in general are great ways to really drive home the realities of cybersecurity. It’s the next best thing to really suffering a major attack for raising awareness. You can also create healthy competition between different teams to engage people.


Formal training sessions are just the “big events” of security awareness. Messages from leadership and management should also carry updates and reminders about the need for all-day, everyday vigilance. Keep it simple, basic and devoid of technical jargon.


A security-first culture demands open communication. And conveying concepts well requires the right words. Security awareness training should emphasize the language of security, especially the language of phishing attack types. By learning the words, employees become aware of the techniques.


Security awareness should also be a core part of new-employee onboarding. New employees should understand from the start that part of their job will be to work in an active culture of cybersecurity. 


A sense of empowerment for every employee is part of a culture of security awareness, too. The knowledge that every employee can help make or break the organization’s security posture should be foremost in everyone’s mind. On the flip side, a lack of it makes people complacent. Empower employees to take action. 

Error Avoidance

Some problems are created by errors by everyday employees that may seem like they have no connection to digital risk. So, it’s important that a culture of security recognizes this and develops training for avoiding or catching errors in general

Leaders Model Putting Security First

A culture of security means C-level executives understand that digital safety is a business challenge and a business opportunity, not a technical problem for the nerds to solve. 

Leaders can signal the importance of everyday cybersecurity as a strategic goal. All aspects of leadership come into play in creating a security-first culture. Expressing concepts clearly, leading by example, rewarding and promoting the right behaviors are what leadership is all about. Leaders can drive culture change in cybersecurity just like in other aspects of business. 

More from CISO

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

How the Talent Shortage Impacts Cybersecurity Leadership

4 min read - The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team. However, the talent shortage doesn’t just impact present-day security concerns. The lack of a…

4 min read