A security culture is the foundation of an organization’s entire security program. But what is it? A formal definition might tell you that it is the ideas, customs and social behaviors of an organization that influence its security. A more casual explanation is that it is the choices employees make when no one is around. For example, do they immediately open attachments in their email, or do they take time to look for signs of phishing? Do they feel comfortable reporting a potential security problem they may have caused, or do they feel intimidated by IT staff? Do employees’ attitudes and behaviors reflect the important role security plays in the organization, or do they generally seem to find security policies a nuisance?
Unfortunately, security culture has not been keeping pace with the ever-growing threat landscape. So maybe it’s time to take a look at yours and see if it measures up.
Breaking it down
Perry Carpenter, the Chief Evangelist and Strategy Officer of our security partner KnowBe4, describes 7 dimensions of any security culture that should be addressed:
- Attitudes: Employee feelings and beliefs about security protocols and issues.
- Behaviors: Employee actions that impact security directly or indirectly.
- Cognition: Employee understanding, knowledge and awareness of security issues and activities.
- Communication: How well communication channels promote a sense of belonging and offer support related to security issues and incident reporting.
- Compliance: Employee knowledge and support of security policies.
- Norms: Employee knowledge and adherence to unwritten rules of conduct related to security.
- Responsibilities: How employees perceive their role as a critical factor in helping or harming security.
You can measure these dimensions with a security culture benchmark survey. (You can find examples of these online. Here is just one template I found, from SurveyMonkey.) The results will provide a jumping-off point for the changes and improvements you want to make.
How to know if your security culture is strong
Your survey, as well as an overall examination of your organization, can give you an idea of whether your culture is already robust or needs improvement. You may feel that you “just know”, at a gut level, what your security culture is like. But anonymous questionnaires can reveal issues you weren’t aware of. Some questions you might ask:
- Do people feel comfortable reporting incidents they caused? Or do they hold back out of fear of getting in trouble?
- Do staff feel comfortable coming to the IT team with questions? And if not, why not?
- Do employees help their coworkers understand and follow security policies? Is there general communication among staff about what to do and what not to do?
- Does your staff reflect a shared belief that security plays a strong role in your organization’s success? Or do most think that security is all about tedious training and policies that are excessive and complicated?
Your assessment of the items above is the first step to developing a plan to fortify your security culture.
How to develop a sustainable security culture
The word “culture” implies an ethos that is persistent, well understood and accepted. “That is our culture. That is just what we do.” Developing this level of acceptance and understanding requires a strategic, long-term approach. Your goal is a security culture that feels sustainable because it is accepted as the way things are and the way they should stay. So, here’s how you get there.
Build up a security community from the top down
The plan must incorporate a sense that everyone is in it together, for the good of the organization. Until that mindset is achieved, your security culture will not be sustainable.
We all know that humans are the weakest link when it comes to security breaches. And keeping an organization’s data safe is not just the responsibility of the IT department. Each and every employee must feel that they are part of the security team. The “we’re all in this together” mentality makes everyone feel they have an important role to play in protecting the organization. And this attitude needs to be evident at the highest levels in your organization. After all, anyone from the CEO to a part-time intern can make a costly mistake.
Focus on awareness
People don’t know what they don’t know. And in general, most people want to do the right thing; they just need to know how to do it. For that reason, regular security awareness training programs (with refreshers every 4-6 months) are the answer. Use your creativity and get people engaged by making the training fun. (Not particularly creative yourself? I’ve written posts in the past with links to training games and quizzes; take a look here.) And during training, be sure to use real-life examples of security issues that have gone awry at your organization. These are teachable moments – with known consequences – that can help prevent future catastrophe.
Reward employees for “good behavior”
It is human nature to enjoy being celebrated and given credit for your work. Look for opportunities to celebrate success. When someone completes a mandatory security awareness program, find a way to reward them. Send a “Great job!” message to them and copy their boss or entire department. Or do something more substantial: a small gift certificate or even money (if your organization allows you to do that) can go a long way. Showing appreciation further enhances that feeling of community and that everyone is part of the security solution.
Keep it simple; communicate it well
How well the security team communicates and enforces policies is a huge factor in a security culture. If policies are less complex and more common sense, and are communicated clearly by a supportive security team, you will have a strong security culture. On the other hand, complicated policies communicated poorly and enforced by a team prone more to punishment than education will leave you with a weak – or even toxic – culture. Your team needs to encourage people’s questions and good behavior, instead of appearing bothered by questions and then waiting to admonish.
Feed it well and it will grow
Even once firmly embedded in your organization, a sustainable security culture requires constant nourishment to continue to flourish. It is not something that can grow in a positive way without help. And it will certainly become weak if neglected. But your investment in its care will provide your organization with security returns forever.