Why a culture of security matters


By Adam Caudill, Principal Security Engineer

Effective security (as opposed to checkbox security) requires that everyone in an organization understand their security responsibilities; from the top to the bottom, everyone has a role to play in ensuring that security controls are enforced and policies followed. Effective security requires that it be part of the culture and the very DNA of an organization — without this, there will be trouble.

But what is a culture of security?

To get an idea, start by asking yourself these questions about your organization:

  • Do employees receive useful and effective training?
  • Do they have tools that support them in complying with policy and being secure?
  • Are they empowered to raise concerns when they see something that doesn't look right?
  • Does leadership advocate for constantly improving security?
  • Is there a Security team that is adequately staffed, funded, and trained?
  • Is the Security team an ally instead of an adversary?
  • Is security represented in the C-suite?

If the answers are "no," it's likely that cybersecurity has not been adequately ingrained into the culture. And you may be more vulnerable to an attack than you think, even with other measures in place.

Developing a culture of security isn't a trivial task, and requires buy-in and active participation from all levels of the organization. It starts with education and training, ensuring that everyone understands threats, attacks, what to look out for, and how to respond. It requires that the Security team be supportive, both in technology that makes it easier for people to work securely, and by being a partner and ally; optimal security isn't possible when the Security team is seen as an adversary.

Security must be represented throughout the organization, from the board to project planning; this ensures that issues are found and resolved quickly, before they grow into serious problems. Security teams need to be staffed properly for the work they do, and receive training to ensure they are fully equipped to handle the challenges they face.

A culture of security isn't about a Security team imposing its will on the organization. Rather, it's about the entire organization acknowledging its duty and responsibility to follow secure practices, from strong passwords to mindful online habits. It's about everyone stepping up and owning their responsibilities, and working together to do their jobs as safely as possible. It's about protecting not just the organization, but everyone the organization has been entrusted to protect.

It's easy for one to commit to better security, and build a security program that checks the right boxes. However, truly effective security takes more than that. It requires building and fostering a culture that is deeply committed to safety and a security-first mentality.

Developing this kind of culture takes time and investment, but once implemented, the results are clear. Organizations that take the time, effort, and expense to do this right are rewarded with better productivity and engagement, fewer issues, and less stress. When everyone does their small part — consistently — the company and its customers will stay protected as a natural result.

Sustaining Partners