Building a Security Minded Culture

Cyber-security is no longer a question of whether an employee should have access to Facebook. Information security teams are dealing with phishing attacks, access to business cloud applications, mobility and zero-second malware on a minute-by-minute basis. We live in a cyber world where we can control neither the systems nor the people accessing them, and where we cannot lock down the very tools that make employees more efficient.

You can have the greatest security tools in the world, but if the people in your company aren’t speaking the same cyber-security language, your organization is vulnerable.

Think about it: if you have a great lock on your door but no one in your house knows how to use it, what good does it do? You have to build a mindset and culture in your house so everyone understands how vital it is to use the lock. It’s the same in the virtual world. Let’s use the word “SECURE” to help us understand how to create a security-centric culture.

#1 Simplify: Organizations should work together to simplify what it means to be security savvy. One great way to do this is to draw the parallel between physical security and cyber-security. Would you give your keys or your money to a stranger on the street? Of course not, so why are we so willing to do these things in the cyber world? A secure culture shouldn’t be complicated; it should be easily understood and adopted.

#2 Educate: When building any culture, education is a major key to the foundation. Look to mainstream media and websites like Krebs on Security for news of major security breaches, such as Target and Sony. There are also some good user-awareness tools available to help people understand the risks that are out there.

#3 Comply: It’s very rare today for an organization not to be tied to some sort of regulatory compliance, such as HIPAA, PCI, SOX, etc. As an organization, you should understand these regulations and how a breach or incident can negatively affect the company as a whole. In 2014, a healthcare organization agreed to a $4.8 million settlement after 6,800 records of personally identifiable information were leaked. That is real money leaving an organization, which could put profitability, and ultimately jobs, at risk. Even if you aren’t under a compliance obligation, intellectual property, customer sales lists and salary information are all data that, if leaked or compromised, could cause qualitative damage.

#4 Understand: There is a definite schism between information security teams and user communities. It’s really important that both parties understand that the goal is to make the organization as successful as possible. I have seen organizations build an internal cyber-security task force, whose security representative works with stakeholders from various departments to discuss how each is dealing with cyber-security. This approach helps ease tension and builds a culture of camaraderie, with a common goal among departments to work efficiently and securely.

#5 Respect: Not everyone is going to be on board with your organization’s cyber-security stance. One way to build culture is to disagree without being disagreeable.

#6 Evolve: Security is an ever-changing environment. In my early years, I would call on organizations that said anti-virus software was all they needed to be secure. As cyber threats become more dangerous, it’s important for organizations to change, too.

This is a guest post by Paul Robinson.