While a strong companywide security culture is crucial, it isn’t always easy to develop or maintain. However, with circumstances such as the recent pandemic and an increasingly stressed economy creating more complex challenges, it becomes more vital than ever to bolster organizational security culture.

“Culture is more than training and awareness. It needs to sit at the heart of strategic priorities and have the focus of executive management,” says Nina Bryant, Senior Managing Director and Head of UK Information Governance, Privacy and Security Practice at FTI Technology. “The behaviors that are encouraged — and, conversely, those that are tolerated — and the way an organization communicates about security, privacy and compliance are characteristics at the heart of culture. These carry significant influence on the success of embedding a culture of awareness and proactive action.”

To build and sustain a thriving companywide security culture, security leaders offer recommendations on where to start:

1. Thoroughly understand the corporate culture.

Wesley Bull, CEO of Sentinel Resource Group, believes this is the most critical piece. “If you want to be most effective and strategic, make sure you really understand the corporate culture before engaging in security culture,” Bull advises, especially because there can be career implications.

He gives the example of a company with a welcoming culture that doesn’t want to be rigid about security and allows employees to hold doors for others. As the new security leader, you’re told to put an access control policy in place, so you implement a strict policy where everyone must present a badge at the door or suffer the consequences.

“Now the rest of the C-suite sees you as someone who doesn’t understand their business because you don’t understand their culture,” Bull continues. “You’re trying to push a strategy that isn’t congruent with the corporate culture and the security culture you want to implement doesn’t align to the corporate environment. Suddenly, you may be viewed as not being a good fit, and you’ve lost a critical opportunity to engage the C-suite in a risk-based discussion around corporate culture in advance of developing your security strategy.”

Bryant agrees that organizational culture and security culture must be aligned first and foremost. “Organizations must understand what defines their culture today — not on paper, but in the day-to-day decisions and behavior of their people. They also need to know the source of any pressure to ignore compliance requirements or take risks. Culture is the cornerstone of effective and successful security and compliance — even more so in today’s world of hybrid working.”

2. Perform a cultural assessment.

Bull advises beginning with a cultural assessment to examine the congruence — or lack thereof — between the corporate culture and the security culture. The next thing Bull recommends is look at the culture compared to the actual practices. “Most of the time, there’s a huge disconnect between those two,” he says. “Security practices rarely meet the espoused policies; rather, they default to an operating environment for what’s tolerated.”

Bryant also advocates conducting a cultural assessment to pinpoint the gaps between needs and cultural norms within the organization. A detailed assessment should include research, workshops, and one-on-one interviews with people across all levels and functions of the organization. This enables security teams to understand perceptions, such as “whether employees view compliance as a valued component of the strategy or a barrier to advancement,” she says.

Nina Bryant

Nina Bryant, Senior Managing Director and Head of UK Information Governance, Privacy and Security Practice, FTI Technology. Image courtesy of Bryant

3. Be creative.

The next step is to be creative with training and implementation. Duncan Turner, Head of Physical Security Operations at Amazon Studios, says it’s time to move away from mandatory online security training. “Everywhere I’ve gone, the uptake for this is poor, compliance is poor, the training isn’t engaging or memorable, and people click through it only after they’ve received their third reminder,” he says. “You’ve got to get creative with your training if you want to build culture.”

For example, Turner’s team hosted a one-hour self-defense training over lunch with a local trainer in a conference room. “It was hugely successful,” says Turner. “Your culture will be strengthened if your employees feel the company is taking their safety and security seriously.”

In his last position, Turner built the security culture from scratch. His team created engaging animated characters and made humorous eight- to 10-second videos that popped up on message boards in communal areas and employee log-in screens.

“We really created a buzz in the workplace because the animations were fun and engaging. People wanted to know when the next video was coming out,” Turner says. “Yes, it’s a serious message, but you can’t make it too serious or people will just ignore it.”

4. Consider the regulatory environment.

It’s also important to consider the legal and regulatory environment when aiming to implement a security culture. Understanding the discrepancies between the corporate culture and the security culture “creates an interesting interchange between the security executive and corporate executives to have a more intelligent risk-based discussion because you’re having a different conversation,” Bull says.

It’s no longer about what the security team wants to implement, but about what the company is required to implement and what material risks the corporation enjoins themselves to base upon those decisions.

5. Use a variety of strategies.

“Don’t focus on one strategy or activity to build culture and awareness,” advises Turner. Instead, focus on engaging people’s interest with approaches such as short, strategically placed videos, creating a security landing page, speaking at all-hands meetings and coffee chats, doing desk drops, and putting on raffles and pop-ups with nice company swag. “As soon as people see free stuff, they’re going to come and check it out,” Turner says.

Be sure to tailor your training to fit both the organizational culture and the staff, Bryant says. Digital communications such as podcasts and internal social media channels might be a good option for some, while others may respond better to leaflets, town halls, team meetings or desk literature.

6. Develop relationships with key stakeholders.

Not only can cultivating these connections give security leaders insights, but they can also help them properly understand the corporate culture and build a coalition, Bull says. Getting buy-in from key stakeholders shows unity as well. “Having a message from a senior executive to reiterate awareness and training campaigns can be incredibly beneficial,” Bryant says. “If the CEO, CDO or CIO contributes to a video or written communication, it will demonstrate top-down support.”

7. Partner with the communications and marketing team.

It’s important not to saturate employees or they’ll ignore the message. “You’ve got to find that regular drumbeat,” Turner says. This is why teaming up with the company’s internal communications and marketing department is essential. They can provide guidance, do surveys to measure the security program’s success, analyze metrics, and make sure that security strategies fit within the overall brand of the organization, he adds.

8. Align team efforts.

“Overlooking change management at the cultural level can potentially become the biggest barrier to an organization achieving success in compliance and business growth,” says Bryant. She suggests making sure that all teams involved with security culture coordinate their strategies and communications about the program to reflect how the organization sees itself (e.g., entrepreneurial, conservative, tech-driven, dispersed, traditional, etc.).

9. Don’t inconvenience employees.

“We want to be the supportive team, not the pestering team that stops employees from going about their business, sends nasty email reminders about mandatory training, and ambushes them in the corridor on their way to a meeting,” says Turner. “We want to attract them on their own time.” This is why he has found pop-ups in communal areas to be so successful. “We advertise what we’re doing and draw people to us through prizes and swag giveaways for having a chat with us.”

10. Work cross-functionally.

“Sometimes organizational structure and culture can create gaps in responsibilities or a ‘that’s-outside-my-job-description’ approach,” Bryant notes. By working with colleagues in areas such as risk, compliance or privacy, she says security programs can encourage employee behaviors that strengthen the security culture and create solid business champions.

11. Get in on new hire orientations.

Turner believes trainings for new hires are advantageous. “It gives you the opportunity to make an impression on new employees from day one,” he says. In previous roles, Turner insisted on doing these orientations himself. “I took them through what it is we were trying to achieve, how to get a hold of us, what they could expect to see from us, where to find resources, and how much of a priority security was for us.”

12. Prepare for upcoming challenges.

“Both from a physical and cyber standpoint, the security environment has some very unique challenges ahead,” says Bull. For instance, he has clients in environments where crime risk is high, resulting in a significant increase in companies reaching out to Bull’s firm for help because their employees are being physically assaulted in transit to their workplace.

“The difficulty becomes where does that boundary line begin and end? These people aren’t in the workplace, but what’s the obligation to keep them safe in transit to work?” Bull says. “These are the cultural nuances that get very challenging, and it’s a very real-life problem right now for a number of companies.”