May 6, 2019 By Mike Elgan 5 min read

You’ve worked hard to get the right security policies and best practices in place, yet more than half of your employees fail to take even the most basic security precautions in their everyday work.

Your organization’s future is at unnecessary risk because senior decision-makers don’t understand the need to pay for the tools and services necessary to prevent a financially devastating breach.

You struggle to hire top talent because the best candidates won’t join your organization, feeling they can be more effective elsewhere.

What do all these challenges have in common? They all point to a failure of company security culture. Here’s what you need to know about organizational security culture — and how to plan for and inspire a better one.

What Is Security Culture?

What does it mean to have a strong security culture, anyway?

According to ISACA, organizational security requires “a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things” around information security. It’s really part of the broader company knowledge base and attitudes, which exist to inform individual decisions by each employee in the course of their work in alignment with the organization’s goals.

What do employees do when left to their own devices — and in this world of bring-your-own-device (BYOD), I mean literally left to their own devices? Do they know how to help secure the company’s critical assets? Do they care? Or do they believe it’s somebody else’s job? Security culture is what determines the answers to these questions.

It’s not simply that a strong security culture improves security in the face of existing threats; it’s that evolving threats demand this shift. Only culture — mindset, attitudes and habits — can help the organization identify and stop unexpected methods for compromising security.

What Are Some Barriers to Better Security Culture?

Senior management, entry-level employees, middle management, rank-and-file employees, IT professionals and even security specialists all have their separate barriers preventing them from fully contributing to company security. But all these barriers fall under the category of cognitive biases — or, if you will, human nature.

Let’s start at the top. Organizational leadership tends to think in terms of efficiency — maximize revenue while minimizing costs. Investments that bring in more revenue, such as the investment in additional retail stores or sales personnel, seem to make good business sense. Investments in cybersecurity usually won’t impact revenue, so it’s a harder sell within the organization.

But that mindset is misguided. It’s better to shift the thinking about cost minimization from trying to spend less in the short term to trying to lose less overall in the long term. Constantly remind decision-makers that cyberattacks are a certainty; there will be a breach. In “Game of Thrones” parlance: “Winter is coming.” And it’s safe to assume that not only will the nature of threats evolve, but the pace of that evolution will continue to accelerate.

The damage and cost of those inevitable attacks depend in very large part on the investment made in security. Shift the conversation from, “How much can we afford to spend?” to, “How much can we afford to lose?” It’s also important to emphasize that security affects all parts of the business. A strong security culture benefits customers, for example, who need to trust you and your organization.

Complacency Is the Enemy of Better Security

Among employees, complacency is the enemy of better security. Employees often feel that cybersecurity is somebody else’s responsibility. Far too often, non-expert employees assume that when a threat actor tries to breach the organization, it’s someone in IT’s responsibility to stop them. It’s a common mindset, and it’s both wrong and, more importantly, a disempowering way to think about it.

Malicious actors from all over the world and possibly even inside the company are constantly cooking up schemes to steal the organization’s money and data. They’re aggressively and constantly seeking out the weakest link to gain entry. Therefore, it’s everyone’s responsibility to stop them. The weakest link they’re looking for is most likely a careless employee.

Another barrier to stronger security culture is ignorance and misunderstanding. According to research by ISACA and CMMI Institute, just 34 percent of organizations surveyed said their employees understand their role in the company’s security culture.

There’s also the common wall between information security specialists and everybody else. There are all kinds of reasons for this “us versus them” mentality. One big reason is a lack of diversity: Only 11 percent of cybersecurity professionals are women, according to a 2017 report from the Center for Cyber Safety and Education and the Executive Women’s Forum, and security departments also tend to lack diversity in background and experience, all of which may contribute to the limitations of cooperation and communication.

Start by Shifting Your Mindset and Constantly Training Employees

Changing an organization’s culture around security is like any cultural change: It’s not just about scheduling meetings or conducting cybersecurity training exercises. It’s a long-term, never-ending, multifaceted effort that needs to be part of the job going forward.

The first step is to change your own mindset, starting with employees, or users. Instead of being viewed as a liability, employees must be treated as partners and assets — in fact, they are the first line of defense. Strive for top-down leadership and get all the company executives and managers to lead by example. Focus on the company’s shared beliefs, values and actions. Plan for regular meetings between information security staff and C-level executives. Work on breaking down silos. The sense of data ownership needs to extend companywide, not end at the department level.

Next, annual cybersecurity training isn’t going to cut it. For real cultural change, you’ll need constant conversations about security and how it affects the company and employees. Work to build security-related goals into performance reviews and bonuses and make core security practices mandatory. Part of ongoing training should be explaining why two-factor authentication (2FA), strong passwords and other mandatory practices are necessary. It’s not enough to train or require — both are called for. The new mantra must be: Security is everybody’s responsibility.

Other security training best practices include:

  • Make training interesting, vivid and memorable.
  • Learn to communicate without jargon.
  • Move the emphasis from knowledge to practice and habit.
  • Emphasize real-world, real-life threats and attacks over theory.
  • Use positive rather than negative reinforcement.
  • Use interactive simulations and drills.
  • Conduct mock phishing tests, mock cyber emergency drills and test your contingency plans repeatedly.
  • Give employees actions they can take in their everyday work.

The trouble with recognizing possible threats and breaches is that it’s often not clear what’s happening. It’s vital that employees feel encouraged to report even their suspicions and to understand that such events don’t need to be clear-cut, confirmed or certain to be worth reporting. Develop trust between security specialists and other employees within the organization. Reporting possible security risks or incidents needs to happen in a sacred safe zone where there are no wrong answers and no stupid questions. Publicly reward and praise employees when their actions or decisions result in potentially better security.

Lastly, turn your organization’s cybersecurity policies into a living document that’s always front and center in security conversations throughout the business. Security culture must extend beyond the organization to partners, so include those parties in security discussions as well.

Cultivate Culture Every Day

Strong companywide security culture is a necessary ingredient in an overall system to safeguard your organization’s data, financial health and reputation. Cultivate culture every day, from the top of the organization to the bottom, and get everyone working together on this necessary part of making the company successful.
