The phrase “Security Culture” gets thrown around a lot these days both in the media and within organizations. But what does it really mean and how can organizations achieve a positive security culture? 

Behind every security system in place is a workforce of people, some of whom may not understand why it’s important to lock their computers when they leave their desk, never leave their keys unattended or why they should never click a link in an unsolicited email. For some organizations, there could be up to thousands of employees encountering threats daily.

Security culture is defined as “the ideas, customs and social behaviors of a group that influence its security.” If the employees who make up an organization are careful to maintain good \security hygiene, then a resolute security culture is formed. If they do not, then the organization is at a much higher risk. 

Security culture can be broken down into seven dimensions:

1. Employee attitudes to security and policy
2. Behaviors
3. Cognitive processes surrounding security
4. Quality of communication
5. Compliance to security policies
6. Organizational unwritten rules or norms
7. Individual responsibilities

There are likewise seven steps in implementing a quality security culture. Keep in mind that something like this does not change overnight. A plan may span many business cycles or years.

The first step is to choose one or two dimensions of security culture to initially focus on. Don’t attempt to change every aspect of the culture at once as this will be difficult to achieve. It is important to note, however, that improving one dimension will often result in an indirect positive effect on the rest.

Narrowing down the organization’s top security risks is a good place to start. Say that employees lack understanding of common industry threats or they commonly fall for social engineering attacks. These would be two areas that should be addressed first.

Make a plan to address these issues on an organizational scale. This plan could consist of formal policy changes or a more casually organized effort. If there are already employees who have good security hygiene, choose them as representatives to model appropriate security behaviors. It is more likely that employees will adopt certain practices if they see that their peers are doing the same.

The next step is to take this plan to executive leadership. It is likely that they won’t want all the nitty-gritty details yet but be sure to explain to them how the current security culture is lacking and how changing it will benefit the organization overall. 

Once leadership buy-in is secured, communicate these changes to the wider workforce. The most important thing is to communicate the “why” of it. Why the current practices are unsafe, why these changes are necessary, and why such changes will benefit every member of the organization. Most individuals want to know why they should spend the extra time on a new policy when they could otherwise be accomplishing something else. Emphasize that a well-functioning and profitable business, will protect every member of the organization.

Consider taking a survey at this point to gauge employee attitudes and behaviors prior to the plan’s roll-out. Then, execute the plan for the first business cycle. A three-to-six-month period is reasonable for testing the waters. Be prepared to face resistance and to deal with any unforeseen issues that arise. Make note for the next cycle.

Once the plan has been executed and the first cycle has come to a close, take another survey and create a report to share with leadership. It’s also a good idea to share the results with the wider organization so that employees may see the fruits of their efforts. If all goes well, there will be an improvement in attitudes, security practices, and overall risk.

Using the report, analyze where the plan succeeded and where it struggled and why. Likewise, take a look at some of the other dimensions of security culture and see where the organization can improve in some new areas. From there, decide how to move forward for the next business cycle(s). Remember, don’t try to accomplish everything at once. Instead, slowly trickle in new best practices and continue to encourage quality behaviors and reinforce the same messaging from prior cycles. 

The key point here is that a poor security culture will not be fixed overnight. It is perhaps a daunting task to take on such a large-scale behavioral shift in an organization, however the importance in doing so cannot be overstated. 

Security safety in an organization starts and ends with its employees. Having a strong security culture will set an organization apart and will protect it from the many consequences that plague businesses in this day and age. Most importantly, in having fostered a quality security culture, an organization may rest easy and instead focus its energies on succeeding in its goals.

This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.