- New AI-Driven Semantic Search and Summarization
- This is the only indoor security camera you'll ever need - and it's only $50 now
- Nvidia Blackwell chips face serious heating issues
- Driving Success Together: Key Takeaways from WebexOne and Partner Summit
- My favorite tablet for watching movies is not an iPad or Samsung Galaxy Tab
How to Create a Strong Security Culture – IT Governance UK Blog
Getting a greater return on investment on your security measures
We all have a responsibility for security.
Regardless of role or rank, everyone has their part to play:
- Practising good cyber hygiene
- Knowing how to spot a phishing attack
- Reporting phishing emails and (possible) breaches
Contrary to popular belief, cyber and information security aren’t just matters for IT.
But to ensure that all staff truly take note of security and apply the knowledge gained from any staff awareness training, security should be embedded in your organisation’s culture.
In other words, you should aim to build a ‘security culture’.
In this blog
What is a security culture?
Security is about being free from danger or threat, while a culture is the collected ideas, behaviours and customs of a group of people.
You could therefore define a ‘security culture’ as:
The ideas, behaviours and customs of a group of people that protects them from danger or threat.
This can work both positively and negatively.
For example, if most employees leave their unattended computer unlocked, the few not yet in that habit – and newcomers – may quickly follow suit.
On the other hand, if current employees challenge any unfamiliar faces, new joiners will likely observe this and feel more comfortable to do the same.
What is the difference between security culture and security awareness?
Every organisation has a security culture – good or bad – but not every organisation has security awareness.
Security awareness is always a positive. It refers to understanding cyber security risks and best practices, which is usually acquired through training, but can be supplemented through other types of communication.
One example is to mention information security in job descriptions: explicitly stating that the head of development will define and maintain an SDLC (secure development life cycle), for example, and that individual developers must adhere to the SDLC and security coding guidelines.
Widespread security awareness – driven by management – is key to a strong security culture.
Benefits of a strong security culture
To get the best return on investment, you want your security measures to be maximally effective to minimise your risks.
In particular, you’d want to reduce the most common risk: the insider threat.
A strong security culture helps you achieve precisely that:
- People will follow policies and procedures
- Awareness training will have greater impact
- Staff proactively make suggestions for improving security
Better still, getting those benefits doesn’t take much financial investment.
Plus, this type of culture will help you meet legal obligations, like accountability under the GDPR (General Data Protection Regulation). It’ll also make your ISO 27001 ISMS (information security management system) more effective.
Finding this blog useful? To get notified of future
expert insight like this, subscribe to our free
weekly newsletter: the Security Spotlight.
What does a good security culture look like?
Besides seeing widespread good security practices by all staff, at all levels of the organisation, you also want to ensure a healthy culture:
- Don’t punish people for causing an accidental breach.
- Actively encourage staff to report anything suspicious as quickly as possible.
- Praise employees for speaking up (or otherwise acknowledge they’ve done the right thing).
Ideally, you want to get your security culture to the point where anyone who thinks they’ve spotted a risk – something that can negatively affect your security – will say to the information security manager: “I’ve found this – we need to do something about it.”
But getting to that stage requires the board and senior management to visibly take security seriously. Culture is driven from the top – as is long-term success.
How do you build a strong security culture?
A top-down approach is essential: leadership must show they’re taking security seriously for the same mindset to trickle down to staff.
You can also improve your security culture through various activities like:
- Conducting regular staff awareness training;
- Documenting security responsibilities in job descriptions; and
- Creating and enforcing security policies – like an AUP (acceptable use policy), clear desk/screen policies, access control policies, etc. To make sure people are following them, have office managers check:
- Confidential information is put out of sight overnight
- Access-controlled doors aren’t wedged open
Test the strength of your security culture
Looking for an effective way to change end-user behaviour?
Our Meet the Hacker: Simulated Phishing Programme assesses your staff’s awareness of phishing threats. We combine:
- Interacting training;
- Simulated phishing attacks; and
- A session with an ethical hacker…
…to significantly improve your organisation’s overall resilience to phishing attacks.
Help your staff understand how to protect your organisation better:
We first published a version of this blog in November 2017.
