May 6, 2019 By Mike Elgan 5 min read

You’ve worked hard to get the right security policies and best practices in place, yet more than half of your employees fail to take even the most basic security precautions in their everyday work.

Your organization’s future is at unnecessary risk because senior decision-makers don’t understand the need to pay for the tools and services necessary to prevent a financially devastating breach.

You struggle to hire top talent because the best candidates won’t join your organization, feeling they can be more effective elsewhere.

What do all these challenges have in common? They all point to a failure of company security culture. Here’s what you need to know about organizational security culture — and how to plan for and inspire a better one.

What Is Security Culture?

What does it mean to have a strong security culture, anyway?

According to ISACA, organizational security requires “a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things” around information security. It’s really part of the broader company knowledge base and attitudes, which exist to inform individual decisions by each employee in the course of their work in alignment with the organization’s goals.

What do employees do when left to their own devices — and in this world of bring-your-own-device (BYOD), I mean literally left to their own devices? Do they know how to help secure the company’s critical assets? Do they care? Or do they believe it’s somebody else’s job? Security culture is what determines the answers to these questions.

It’s not only that a strong security culture improves security in the face of existing threats; it’s that evolving threats demand this shift. Only culture — mindset, attitudes and habits — can help the organization identify and stop unexpected methods for compromising security.

What Are Some Barriers to Better Security Culture?

Senior management, entry-level employees, middle management, rank-and-file employees, IT professionals and even security specialists all have their separate barriers preventing them from fully contributing to company security. But all these barriers fall under the category of cognitive biases — or, if you will, human nature.

Let’s start at the top. Organizational leadership tends to think in terms of efficiency — maximize revenue while minimizing costs. Investments that bring in more revenue, such as the investment in additional retail stores or sales personnel, seem to make good business sense. Investments in cybersecurity usually won’t impact revenue, so it’s a harder sell within the organization.

But that mindset is misguided. It’s better to shift the thinking about cost minimization from trying to spend less in the short term to trying to lose less overall in the long term. Constantly remind decision-makers that cyberattacks are a certainty; there will be a breach. In “Game of Thrones” parlance: “Winter is coming.” And it’s safe to assume that not only will the nature of threats evolve, but the pace of that evolution will continue to accelerate.

The damage and cost of those inevitable attacks depend in very large part on the investment made in security. Shift the conversation from “How much can we afford to spend?” to “How much can we afford to lose?” It’s also important to emphasize that security affects all parts of the business. A strong security culture benefits customers, for example, who need to trust you and your organization.

Complacency Is the Enemy of Better Security

Among employees, complacency is the enemy of better security. Employees often feel that cybersecurity is somebody else’s responsibility. Far too often, non-expert employees assume that when a threat actor tries to breach the organization, it’s someone in IT’s responsibility to stop them. It’s a common mindset, and it’s both wrong and, more importantly, a disempowering way to think about it.

Malicious actors from all over the world and possibly even inside the company are constantly cooking up schemes to steal the organization’s money and data. They’re aggressively and constantly seeking out the weakest link to gain entry. Therefore, it’s everyone’s responsibility to stop them. The weakest link they’re looking for is most likely a careless employee.

Another barrier to stronger security culture is ignorance and misunderstanding. According to research by ISACA and CMMI Institute, just 34 percent of organizations surveyed said their employees understand their role in the company’s security culture.

There’s also the common wall between information security specialists and everybody else. There are all kinds of reasons for this “us versus them” mentality. One big reason is a lack of diversity: Only 11 percent of cybersecurity professionals are women, according to a 2017 report from the Center for Cyber Safety and Education and the Executive Women’s Forum. Security departments also tend to lack diversity in background and experience. All of this may limit cooperation and communication between security teams and the rest of the organization.

Start by Shifting Your Mindset and Constantly Training Employees

Changing an organization’s culture around security is like any cultural change: It’s not just about scheduling meetings or conducting cybersecurity training exercises. It’s a long-term, never-ending, multifaceted effort that needs to be part of the job going forward.

The first step is to change your own mindset, starting with how you view employees, or users. Instead of being viewed as a liability, employees must be treated as partners and assets — in fact, they are the first line of defense. Strive for top-down leadership and get all the company executives and managers to lead by example. Focus on the company’s shared beliefs, values and actions. Plan for regular meetings between information security staff and C-level executives. Work on breaking down silos. The sense of data ownership needs to extend companywide, not end at the department level.

Next, annual cybersecurity training isn’t going to cut it. For real cultural change, you’ll need constant conversations about security and how it affects the company and employees. Work to build security-related goals into performance reviews and bonuses and make core security practices mandatory. Part of ongoing training should be explaining why two-factor authentication (2FA), strong passwords and other mandatory practices are necessary. It’s not enough to train or require — both are called for. The new mantra must be: Security is everybody’s responsibility.

Other security training best practices include:

  • Make training interesting, vivid and memorable.
  • Learn to communicate without jargon.
  • Move the emphasis from knowledge to practice and habit.
  • Emphasize real-world, real-life threats and attacks over theory.
  • Use positive rather than negative reinforcement.
  • Use interactive simulations and drills.
  • Conduct mock phishing tests, mock cyber emergency drills and test your contingency plans repeatedly.
  • Give employees actions they can take in their everyday work.

The trouble with recognizing possible threats and breaches is that it’s often not clear what’s happening. It’s vital that employees feel encouraged to report even their suspicions and to understand that such events don’t need to be clear-cut, confirmed or certain to be worth reporting. Develop trust between security specialists and other employees within the organization. Reporting possible security risks or incidents needs to happen in a sacred safe zone where there are no wrong answers and no stupid questions. Publicly reward and praise employees when their actions or decisions result in potentially better security.

Lastly, turn your organization’s cybersecurity policies into a living document that’s always front and center in security conversations throughout the business. Security culture must extend beyond the organization to partners, so include those parties in security discussions as well.

Cultivate Culture Every Day

Strong companywide security culture is a necessary ingredient in an overall system to safeguard your organization’s data, financial health and reputation. Cultivate culture every day, from the top of the organization to the bottom, and get everyone working together on this necessary part of making the company successful.
