In this day and age, companies great and small are vulnerable to potential attacks that they are exposed to every day. From insider threats to simple phishing, one is always left guessing if they know enough to handle them or are well prepared to face the risks. Educating your staff about basic computing hygiene is one thing, but ingraining in them security practices that they do almost naturally, even beyond the confines of the office, is another. The latter involves being part of a culture where people think, act, and behave the same way. And we're not just talking about an organic culture, but one that was created with intentionality at the core.
Before going further, let's first find out why it's important that we create and cultivate an intentional culture of security. We'll also name a few misconceptions surrounding security culture and attempt to clear up each one.
Why a culture of security is neededA culture of security in the workplace had always existed, pre-computing era, although it's mainly been about physical security. A large area of the office is off-limits to the public, and only those with an access card or proper company identification can go in and out. Not everyone has the key to the HR filing cabinets. And when computers were introduced in the business world, confidential files shared among managers and executives were (and still are) for their eyes only.
Things have changed dramatically since then. Businesses maintain the physical defenses of their assets but are hard-pressed to stave off threats from the digital realm. There is now a need for organizations to secure their online assets, but criminals have become adept at circumventing basic protections. Regardless of this, the negative perception people have about security—it's reactionary, it hinders one from conveniently doing their job—persists today. This negativity is a dominant hindrance to further establishing and sustaining a culture of security.
It's important to have a strong security culture because security is a strategic necessity, whether it's protecting the data of customers or building relationships and offering services to other business clients. As such, trust is essential. Without sufficient security present in an organization, those doing business with companies would be doubtful and uncertain that their assets are treated with importance and utmost confidentiality as they should. (Note how Equifax stock dropped dramatically after their massive breach was discovered.)
On the other hand, a company with sufficient security has the advantage over competitors that do not have one. When data and assets are protected, trust increases.
Finally, having a security culture in place makes compliance with laws and regulations easier. As regulators start imposing security practices that, frankly, should have been present in companies, to begin with, organizations with a security mindset are more receptive to adopting these practices and imbibing them into the current culture.
Misconceptions about a security cultureA culture of security could mean different things to different people. And just like any concept we strive to understand, there are misconceptions about them along the way. If left alone, these misunderstandings could persist, be passed on, or (worse) be treated as facts in the long run. We've identified and debunked some of them below.
- The culture aims to maximize security. A majority of us assume that to improve on security, a company must make use of all security tools at their disposal. Again, this might work with organizations that handle information that is deemed sensitive and valuable, but it doesn't apply to all companies. A culture aims to optimize security. This means making the most efficient use of resources that are available to them.
- Having a culture of security in place will stop breaches dead. Unfortunately, this is not a guarantee. People, even well-meaning ones, make mistakes. And often, those errors can cost companies big. A culture of security does not create perfect security; however, it paves the way towards achieving best-possible security. This cannot be accomplished without people in the workplace supporting the concept.
- A culture of security is IT's responsibility. On the contrary, every member of the organization is responsible for its security, including the assets it uses, processes, and shares. Everyone plays a part, and no one is exempted. IT can put in place all the technological checks and balances to ward off attacks, but if a user mindlessly clicks on a phishing email, it's game over. Although some may still choose to ignore culture and policy, this point doesn't make it more valid.
- A culture of security must start from the top. It's a brilliant idea for senior management to not just talk the talk but also walk the walk, but culture doesn't necessarily have to start with the higher-ups. What it needs are people committed enough to continue to nurture good security practices that are aligned with the organization's objectives and well integrated with other cultures. This is why these committed people are dubbed champions.
Practical steps to foster a culture of cybersecurity1. Recognize that security is seen in a negative light; thus, there is a need to help others realize that it's actually a positive enabler of the company's initiatives. This is especially true for companies in industries that handle a lot of sensitive personally identifiable information (e.g., banks, hospitals, and intelligence agencies). It's true that when one thinks of security (or the lack thereof), we often think of preventing fraud, breaches, and hacking. However, trust, consistency, reliability, productivity, and predictability are also terms that we can associate with security. Champions should frame it as such.
2. Assess the current state of the organization's security culture. Like we said earlier, a culture of security has always existed. But whether the culture is good or bad is another question entirely. Security champions within the company must discover the gaps, and then figure out how to bridge them.
3. Create a positive brand for the security culture. Champions can enlist the help of marketing in this. Think of one thing employees might gravitate to (Cat videos? Outdoor activities? Battlestar Galactica?), and use it to convey a unified message to the organization. Then, to further develop the brand, tailor the message according to the benefits of security for each department. Branding can be broadcast via internal memos and newsletters, screensavers, and even posters that employees can see wherever they go.
4. Hold awareness campaigns to educate would-be champions. Here's the twist: Don't start on the wrong foot by, say, introducing statistics about hacking and phishing. Instead, the champion should educate their peers on what security is, what their specific roles in it are, and how accountable they are to the company's resources (e.g., information) that they handle. If one doesn't know how to fulfill his/her responsibility, further education may be needed.
5. Reward those who support a culture of security. This should also include decision-makers who make it a point to consider the security of information and other valuable enterprise assets before giving a plan the go signal. Although some seek monetary incentive, many do not. At the very least, the champion (and the company) must recognize and attribute a good outcome based on security mindfulness when they see one.
Oh, and one more thingWe believe and often parrot the adage "People are the weakest link." That the security problem exists between the chair and the monitor. Sadly, this negative notion has affected how we continue to perceive and respond to our peers at work who clicked that link, to clients who are asking for support on a simple matter, even to our younger and older family members who aren't as technologically savvy as we are. One purpose of fostering a culture of security is not to address them as the weakest link, but instead, make people realize that they are our only link to security. A collective understanding that security is supposed to work for people and for the organization, not the other way around, is something that we should all aim and strive to achieve.
Other related post(s):