How to create a security-focused culture in your company

Cyber security is a technical challenge for any business, but a more comprehensive view of cyber security involves considering the human factor.

 

According to one authoritative study, 82% of data breaches involve people and the choices they make.¹ Another found that while 36% of people surveyed had made a mistake that compromised their company’s cyber security, 21% of employees say they didn’t tell their IT team about a mistake they had made.²

 

Making security an essential part of company culture can have a positive impact on these statistics and on a business’s overall success. However, encouraging every employee to think about security means that in certain circumstances technology is de-emphasized, and the human component is acknowledged through open discussion.

 

While a cultural shift requires leadership support, a top-down approach isn’t enough. Employees at every level, job description and degree of technical expertise need to think about cyber security as a business objective — one that requires their cooperation and focus. All employees need to think of their essential responsibilities, processes and tasks in terms of security — and understand that security needs to adapt as both cyber threats and business objectives evolve.

 

Whether a company is trying to bring a higher level of cyber security awareness into its culture or establishing a foundational objective of adaptive security — that is, security that evolves dynamically as threat vectors and business needs change — there are several key areas of opportunity. These areas often overlap with each other; however, defining them can help any employee think about their role in a new way, or help them become a security advocate among their colleagues.

Every company should talk about cyber security in a way that reflects its evolving business needs, goals and culture. For this reason, a framework based on the following five tenets can provide a good starting point no matter how mature a company’s cyber awareness may be:

 

Capabilities. For a company culture to be truly adaptable and responsive, it will require tools that are chosen not only for their ability to help employees do their jobs in a secure manner, but also for their adaptability to how and where employees are currently working.

 

For instance, if a company allows hybrid or fully remote work schedules, employees need tools and processes that aid secure sign-on, up-to-date device management and effective tracking and protection of data. If the culture is collaborative and security-conscious, it will be easier for workers to communicate how well these capabilities are serving them, and for leaders and experts to gauge how familiar the workers are with available protections.

Importantly, the capabilities should always be developed in line with business objectives. There is little to be gained by investing in tools or processes that do not protect the data that the company depends on or that don’t align with normal activities.

 

Collaboration. Businesses rely on repeatable processes, but sound processes often originate in informal brainstorming sessions. Employees who work together should be given the opportunity to discuss what they need to securely perform their jobs and support each other’s roles.

 

In part, this can mean more transparency and openness about mistakes with security implications, and certainly should include sharing up-to-date information about industry cyber news. If security processes are already in place, colleagues could arrange regular lunches or create internal messaging threads where the benefits and limitations of the processes can be discussed candidly.

Collaboration can also help remove barriers that keep security experts in the company siloed from other employees. Rather than one-way communication focused on experts telling employees what not to do, companies of all sizes can encourage dialogue where non-experts can ask questions and discuss the limitations of current processes.

 

Communication. As with any business objective, security must be discussed in language that is consistent to the organization, its priorities and the industry in which it operates. It also must be a regular topic of communication for company leaders, who should take every opportunity in their messaging to pair security with overall company health and success.

 

Leadership can emphasize the cultural importance of security by making progress in training courses and test exercises a regular part of performance reviews. But employees should also be reassured that they will be valued for speaking up, even if it means confessing to mistakes or giving constructive feedback about security oversights or flawed processes.

 

Education. There are few areas that afford companies a better opportunity to emphasize cultural shifts and security priorities than education and training exercises. Changes in workforce composition — e.g., with tenured employee retirements and additions of new hires — contribute to greater demands on education and training to get back to equilibrium. But training must be highly specific to the company’s workforce and business function to be effective. It should be tailored to employees’ savviness about technology and security and reflective of how the majority makes decisions — and it must be updated regularly to reflect emerging threats.

 

Businesses can also consider tabletop exercises or simulated events that help employees visualize how a genuine cyber event might occur and think through the steps of their specific response. Leadership can reinforce trainings with regular updates about security practices and industry-specific threats, or through surveys that gauge the extent of employees’ knowledge of cyber security without the pressure that comes from a formalized test.

 

Empowerment. When employees believe security is a secondary consideration, or someone else’s responsibility, they are not well-positioned to be responsible participants. Since any employee has the potential to unknowingly precipitate a cyber incident, each needs to understand the importance of their role and how they contribute to a secure work and business environment.

 

Because distraction and fatigue are often cited as causes of cyber incidents, employees should feel that slowing down is justified and valuable when they receive suspicious emails or requests. For example, employees who must authorize payments should feel they have discretion to act — or delay action — until they can confirm the legitimacy of a request. If this employee works in a security-focused culture, they will be conditioned to think beyond simply completing the task.

 

Employees should be encouraged to ask security-focused questions, or to reach out to a security expert with their concerns. Most of all, they should feel empowered to report an incident, even if it involves a mistake they’ve made, such as responding to a phishing email.

¹ Verizon, “2022 Data Breach Investigation Report,” May 2022.

² Tessian, “The Psychology of Human Error 2022,” March 2022.

³ NIST, “Zero Trust Architecture,” August 2020.