CISO May 6, 2019
By Mike Elgan 5 min read

You’ve worked hard to get the right security policies and best practices in place, yet more than half of your employees fail to take even the most basic security precautions in their everyday work.

Your organization’s future is at unnecessary risk because senior decision-makers don’t understand the need to pay for the tools and services necessary to prevent a financially devastating breach.

You struggle to hire top talent because the best candidates won’t join your organization, feeling they can be more effective elsewhere.

What do all these challenges have in common? They all point to a failure of company security culture. Here’s what you need to know about organizational security culture — and how to plan for and inspire a better one.

What Is Security Culture?

What does it mean to have a strong security culture, anyway?

According to ISACA, organizational security requires “a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things” around information security. It’s really part of the broader company knowledge base and attitudes, which exist to inform individual decisions by each employee in the course of their work in alignment with the organization’s goals.

What do employees do when left to their own devices — and in this world of bring-your-own-device (BYOD), I mean literally left to their own devices? Do they know how to help secure the company’s critical assets? Do they care? Or do they believe it’s somebody else’s job? Security culture is what determines the answers to these questions.

It’s not that a strong security culture improves security in the face of existing threats, it’s that evolving threats demand this shift. Only culture — mindset, attitudes and habits — can help the organization identify and stop unexpected methods for compromising security.

What Are Some Barriers to Better Security Culture?

Senior management, entry-level employees, middle management, rank-and-file employees, IT professionals and even security specialists all have their separate barriers preventing them from fully contributing to company security. But all these barriers fall under the category of cognitive biases — or, if you will, human nature.

Let’s start at the top. Organizational leadership tends to think in terms of efficiency — maximize revenue while minimizing costs. Investments that bring in more revenue, such as the investment in additional retail stores or sales personnel, seem to make good business sense. Investments in cybersecurity usually won’t impact revenue, so it’s a harder sell within the organization.

But that mindset is misguided. It’s better to shift the thinking about cost minimization from trying to spend less in the short term to trying to lose less overall in the long term. Constantly remind decision-makers that cyberattacks are a certainty; there will be a breach. In “Game of Thrones” parlance: “Winter is coming.” And it’s safe to assume that not only will the nature of threats evolve, but the pace of that evolution will continue to accelerate.

The damage and cost of those inevitable attacks depends in very large part on the investment made in security. Shift the conversation from, “How much can we afford to spend?” to, “How much can we afford to lose?” It’s also important to emphasize that security affects all parts of the business. A strong security culture benefits customers, for example, who need to trust you and your organization.

Complacency Is the Enemy of Better Security

Among employees, complacency is the enemy of better security. Employees often feel that cybersecurity is somebody else’s responsibility. Far too often, non-expert employees assume that when a threat actor tries to breach the organization, it’s someone in IT’s responsibility to stop them. It’s a common mindset, and it’s both a wrong and, more importantly, disempowering way to think about it.

Malicious actors from all over the world and possibly even inside the company are constantly cooking up schemes to steal the organization’s money and data. They’re aggressively and constantly seeking out the weakest link to gain entry. Therefore, it’s everyone’s responsibility to stop them. The weakest link they’re looking for is most likely a careless employee.

Another barrier to stronger security culture is ignorance and misunderstanding. According to research by ISACA and CMMI Institute, just 34 percent of organizations surveyed said their employees understand their role in the company’s security culture.

There’s also the common wall between information security specialists and everybody else. There are all kinds of reasons for this “us versus them” mentality. One big reason is a lack of diversity: Only 11 percent of cybersecurity professionals are women, according to a 2017 report from the Center for Cyber Safety and Education and the Executive Women’s Forum, and security departments also tend to lack diversity in background and experience, all of which may contribute to the limitations of cooperation and communication.

Start by Shifting Your Mindset and Constantly Training Employees

Changing an organization’s culture around security is like any cultural change: It’s not just about scheduling meetings or conducting cybersecurity training exercises. It’s a long-term, never-ending, multifaceted effort that needs to be part of the job going forward.

The first step is to change your own mindset, starting with employees, or users. Instead of being viewed as a liability, employees must be treated as partners and assets — in fact, they are the first line of defense. Strive for top-down leadership and get all the company executives and managers to lead by example. Focus on the company’s shared beliefs, values and actions. Plan for regular meetings between information security staff and C-level executives. Work on breaking down silos. The sense of data ownership needs to extend companywide, not end at the department level.

Next, annual cybersecurity training isn’t going to cut it. For real cultural change, you’ll need constant conversations about security and how it affects the company and employees. Work to build security-related goals into performance reviews and bonuses and make core security practices mandatory. Part of ongoing training should be explaining why two-factor authentication (2FA), strong passwords and other mandatory practices are necessary. It’s not enough to train or require — both are called for. The new mantra must be: Security is everybody’s responsibility.

Other security training best practices include:

  • Make training interesting, vivid and memorable.
  • Learn to communicate without jargon.
  • Move the emphasis from knowledge to practice and habit.
  • Emphasize real-world, real-life threats and attacks over theory.
  • Use positive rather than negative reinforcement.
  • Use interactive simulations and drills.
  • Conduct mock phishing tests, mock cyber emergency drills and test your contingency plans repeatedly.
  • Give employees actions they can take in their everyday work.

The trouble with recognizing possible threats and breaches is that it’s often not clear what’s happening. It’s vital that employees feel encouraged to report even their suspicions and to understand that such events don’t need to be clear-cut, confirmed or certain to be worth reporting. Develop trust between security specialists and other employees within the organization. Reporting possible security risks or incidents needs to happen in a sacred safe zone where there are no wrong answers and no stupid questions. Publicly reward and praise employees when their actions or decisions result in potentially better security.

Lastly, turn your organization’s cybersecurity policies into a living document that’s always front and center in security conversations throughout the business. Security culture must extend beyond the organization to partners, so include those parties in security discussions as well.

Cultivate Culture Every Day

Strong companywide security culture is a necessary ingredient in an overall system to safeguard your organization’s data, financial health and reputation. Cultivate culture every day, from the top of the organization to the bottom, and get everyone working together on this necessary part of making the company successful.

 |  |  |  |  |  |  | 
Mike Elgan

More from CISO
CISO   June 2, 2023

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read
CISO   June 1, 2023

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read
CISO   May 16, 2023

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read
CISO   May 4, 2023

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature