For an information security professional, one of the most important areas for an organization is building a corporate security culture. Building a security culture begins with the IS professional: being transparent and passionate about security, speaking about security initiatives at company meetings, and providing recurring security awareness talks.

This grass-roots, bottom-up approach should be coupled with an increased focus on executives. Getting their support and buy-in is absolutely critical. If the CEO does not have to have a strong password, why should anyone else in the company? If the CEO does not take time to do security awareness training, why should anyone else?

Show me a company with a CEO who takes information security seriously and I’ll show you a company with a strong security culture.

Break the Security Stereotype

To accomplish this you need to break the stereotype of the security staffer as a negative cynic whom people go out of their way to avoid (while security people keep complaining about not being invited to the discussion table). The key takeaway is that if you keep acting like a stereotype, your security culture will get ugly fast.

When one of your colleagues clicks on a phishing link you need to be positive and humble. How many of you have been condescending to employees or muttered under your breath that they were stupid for clicking a link? Treat employee mistakes as educational moments and your security culture will improve.

Awareness Pays Dividends

Using awareness as a foundational block of your company’s security culture will help develop a more resilient workforce with a strong collective awareness. By taking the time to explain and educate rather than admonish or send out blanket email reminders, your message will resonate with employees.

For example, taking time to explain the “why” in your security policies and developing policies collectively helps foster a shared sense of ownership. Your colleagues are more likely to abide by rules they helped to create than by rules rammed down their throats. This leads to the self-realization that security is the responsibility of the many, not the few.

Barely 1 percent of security budgets are allocated to awareness, yet 94 percent of breaches involve some sort of incidental/accidental human interaction. Even incrementally investing in your people would pay dividends.

If you don’t think that culture is important, a recent report about the watershed data breach at the U.S. Office of Performance Management (OPM) should change your mind:

The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology.

It was breakdowns in the people and process aspects of security that led to this breach, NOT the technology. The report also mentioned that:

As OPM discovered in April 2015, tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency’s extensive vulnerabilities.

The headline of the article that posted the report read as “Insufficient Investment in Culture Yields Inconsistent Results.” That has to be the understatement of the century.

Remember: culture trumps everything.
