Building a Culture of Security

team works on security culture
By Andrea DiGiacomo

4 minutes

3 important—and inexpensive—steps to take

We all hear about cybersecurity a lot. It’s constantly in the news; one company after another becomes victim to an attack, recently some of the biggest names in business included—Under Armour’s MyFitnessPal app, Panera Bread, Boeing and the City of Atlanta. If these companies are susceptible, how are the rest of us supposed to ensure we are secure? To me, one of the big ways we can protect ourselves is to build a culture of security within our organizations.

What does this mean?

Building a culture of security starts with finding a way to communicate security and the existing threats between the IT and executive teams, and the rest of the employees. This can pose a big challenge. To many people, technology and cybersecurity are intimidating. People are afraid of and uncomfortable branching into things that are unknown or new to them.

1. Get staff buy-in.

One of the easiest ways to simplify that communication is to put yourself in your employees’ shoes and answer the following questions:

  • How does cybersecurity affect me personally?
  • How does cybersecurity affect my company?

If you can brainstorm around these two questions, you can start figuring out ways to communicate on the employees’ level.

Try some role plays or real-life examples—who was impacted by the Target, or Home Depot or Equifax breaches? How did this make you feel? How do you think our customers would feel if we, as an organization, had this happen? What are our company core values? Do they include trust, communication, or transparency (or any number of synonyms)? How can we build our customers’ trust when they hand over their personal data to us?

2. Be consistent.

Another method I have found very successful in creating a culture of security and building good security habits is consistency. Security must not be something we talk about just once a year, or (even worse) only during new employee orientation. Security must stay front of mind.

Can you send out a monthly quiz? Can you send out a recent article or blog post of either great security examples or terrible security examples? Can you send out videos or a challenge every month to all users?

Ask your employees where they see opportunities for improvement. Your front-line employees are the eyes and ears for your credit union. These are the people interacting with members on a daily basis, and they often have great ideas that those above them can’t see from their vantage point.

To have the most impact, use appropriate internal examples as learning opportunities. If someone accidentally sends out an unencrypted email, or falls for one of your phishing email tests, share this as a growth and learning opportunity for everyone. These instances can happen to any of us—reminding the rest of the team how this happened and what they can do to prevent it in the future is going to make everyone more aware and keep security front of mind. Who knows, maybe your team will hold a brainstorming session and come up with better security processes for your credit union.

3. Lead by example.

My final method for achieving a culture of security leading by example. Ensure you have a united front from the leadership team. If they are following the policies the organization has put in place, it will make the overall company buy-in and culture of security even stronger.

These actions could include encrypting sensitive emails, and following the web content filtering policies (and not having executives asking for special exceptions so they can access their personal Gmail, for example, even though it’s been blocked for everyone else in order to protect your network).

Yes, it is sometimes easy for an executive to plead his or her case to the IT team or demand access to some of these things, but if the example of a security first mindset is exhibited by leadership, it is much more likely everyone else will adopt and follow.

Another layer to this is that we’re all responsible for doing our part. A security threat, many times, comes from someone making an innocent mistake, clicking on an email link, going to an infected website or sending out an unencrypted email. Developing a “see something, say something” mindset within your organization puts the responsibility on everyone to do their part. This also reinforces the consistency and the cultural idea that cybersecurity is of utmost importance.

I’ve seen organizations hold each other accountable lightheartedly. For example, they might have the security officer or another IT manager walk around and see whose computer is unlocked and play a trick on that user by changing his or her desktop background as a gentle reminder.

Cybersecurity is a complex topic. If you can ultimately find a way to communicate with your employees in language they really understand and can get behind, it will be easier to develop a culture of security in your shop. If you can do that, you can significantly mitigate cybersecurity risk. Notably, unlike some of the other cybersecurity remediations out there, the three steps to building a successful cybersecurity culture do not require a large monetary investment.

Andrea DiGiacomo is COO of Think|Stack.

Also listen to this CUES Podcast on cybersecurity and read "Sharing the Cybersecurity Burden."

CUES Learning Portal

Subscribe to Skybox

Get two to four blogs delivered via email each week!