arthead - stock.adobe.com

Guest Post

4 ways to build a thoughtful security culture

It's time companies paid more attention to their security culture, working toward building an effective security awareness program that everyone can understand and get behind.

Security awareness training gets a bad rap. Not only do employees usually dread it, but executives do, too, because nothing is more boring than IT staff droning on about the importance of good security hygiene.

When companies save security awareness training for an annual or quarterly meeting, users and business leaders are bound to get frustrated -- and, subsequently, slip up.

The cost of security slip-ups is significant. Cybercriminals target businesses with poor security postures, and uneducated users could be the catalyst for a detrimental cyber attack. Initial attacks often start with a user clicking on a suspicious link or attachment -- and often escalate into a major breach.

Instead, integrating security awareness into your company culture will build overall security maturity and reap positive results. Just like a healthy company culture will promote employee productivity, growth and retention, a well-formed security culture improves a company's overall security posture. Most importantly, it encourages IT and end users to work together to detect malicious activity that leads up to a security incident.

What is security culture?

A security culture is a set of beliefs and values ingrained in an organization that result in all employees behaving and operating in a way that promotes cybersecurity. A strong security culture recognizes that security is everyone's job -- not just IT's.

Organizations with good security cultures:

  • align overall business goals with security;
  • promote the importance of security, rather than viewing it as a burden or obligation;
  • enact security best practices from the top down; and
  • encourage critical thought, not blame and punishments, when issues arise.

Building a strong culture of security takes effort, and it's not something that leadership can quickly spin up and forget about. A good security culture isn't created from a single event; it's deeply rooted in an organization and, therefore, requires long-term commitment and maintenance.

Here are four ways to take a thoughtful, positive approach to security culture and build security maturity within your organization.

1. Avoid complacency and optimize for success

Unfortunately, a lot of companies view security as a curse and take the approach of "let's just get through it." That never results in a company that is secure or happy and usually indicates there are some cultural problems outside of IT and security, too. If you can't agree or make a plan on how it will prevent ransomware, for example, it usually means that your company is disjointed in other ways.

When you take a complacent approach to security, it usually means that you're not focused on making continuous improvements; you're just existing. And, generally speaking, a company that simply exists means that it will likely be breached at some point.

Good cybersecurity requires being proactive and forming continuous feedback loops in which security teams measure data, effectively communicate the data and find a solution that takes that information into account.

2. Educate and encourage users

Human error is the starting point for many cyber attacks. Of course, users don't want to be the reason for a security incident -- they usually make mistakes due to a lack of education. Users click suspicious links and attachments, they connect to public Wi-Fi without a VPN, or they choose weak passwords or store their passwords in unsafe ways, usually because the company hasn't given them actionable advice on what to do differently.

Give users clear guidelines on what to do -- and what not to do -- and why it's important to follow those guidelines. Being nebulous about cybersecurity or failing to support users with the education and IT or security tools they need won't promote maturity in a security program. Users should know the consequences of certain actions. You should help users understand the how and why of security, rather than just giving them directives without context.

An effective user security training program ensures that employees have the resources and knowledge to recognize suspicious behavior from attackers. Training can take the form of whatever fits best into your company culture, whether it's a weekly newsletter, team meetings or interactive quizzes -- the more fun and engaging, the better.

3. Reward good security behavior

A security culture isn't built overnight -- and, similarly, you shouldn't take the "set it and forget it" approach to training, either. Bake awareness into company culture, and go beyond a traditional awareness training program to truly make an impression.

One important aspect of this is recognizing and rewarding users that practice good security behavior. For example, what happens when a user clicks on a phishing link? Are they punished or rewarded for noticing it? People take note of these nuances, and these factors contribute to security maturity and success in a major way.

Blaming or shaming bad security behavior is bound to promote a culture of secrecy, which furthers the expansion of shadow IT. That isn't to say that users shouldn't be held responsible for their actions. But, instead of blaming users, you should highlight moments of success and use them as a model to others.

Those moments of success will be rare, however, if you don't make it easy for your users to do the right thing. Make security accessible by deploying security tools that are easy for users to use -- for example, multifactor authentication that relies on security keys or biometric authentication.

4. Evaluate security tools with maturity in mind

Most security software vendors won't tell you this, but deploying security products won't automatically build maturity into your organization. Security tools are often just that -- tools.

Blindly implementing security products in the hope that more alerts equal more protection against cyber attacks will rarely result in a successful security culture. When evaluating security tools, ask yourself, "Is this just a tool that works, or will it improve my security across the board?"

Noisy alerts or executive reports typically don't solve security programs; they often give you a limited view of your overall security infrastructure. Instead, guided remediations that you can act upon and then learn from will move the needle forward.

About the author
Matt Warner is CTO and co-founder of
Blumira, where he leads the security and engineering efforts to provide actionable insights into cybersecurity risks at scale. He has over 10 years of experience in IT and development, focusing on business strategy, development, compliance, threat detection and penetration testing. Previously, he was director of security services, development and security at NetWorks Group, responsible for defensive information security and services.

Dig Deeper on Risk management