Security Culture: Your Strongest Defense Against Cyber Threats
Key Takeaways
- A strong Security Culture is essential to any strong cybersecurity program
- Security champions can learn from safety cultures in other industries
- Effective security culture must be built from the top down with executive commitment.
- Strong Security Cultures make everyone responsible, reward speaking up, and empower raising concerns without creating paranoia
Executives often ask me, “If you could do one thing to secure my organization against hackers, what would it be?” I think they expect me to say “XDR”, “Zero Trust”, or that “Next Generation whoozy whatsit” they just read about online.
Instead, my answer is to focus on creating a Security Culture. “Culture eats Strategy for breakfast” is a quote often attributed to Peter Drucker, and it is especially true for cybersecurity. A Security Culture should permeate the organization. Security should not be added as an afterthought or treated strictly as an IT responsibility, as if IT could control everything.
What is a “Security Culture?”
A strong Security culture is one where:
- Security is everyone’s responsibility
- You will not be shamed for making mistakes – speaking up is always rewarded
- You are empowered to speak up when you think something is risky, even when it’s the pet project of the CEO
Such a culture does not happen overnight, and it does not happen on its own. It requires careful intentional efforts. It starts at the top.
Learn from a Culture of Safety
In Aviation, Healthcare, Manufacturing, and other sectors, you often hear about building a strong “Culture of Safety.” This is one of the highest priorities for organizations whose operations can impact human life. Building a culture of safety is foundational. Without it, human lives will be lost.
This is nothing new. Much has been written about “just culture” and “safety culture,” and there is no shortage of blogs, books, and leadership courses covering the topic.
But what exactly is a “just culture” and a “safety culture?”
“Just Culture” in Healthcare
A “Just Culture” is an important system that many Healthcare organizations strive to create. In an article from Mass General Brigham, Paul LeSage, an advisor from SG Collaborative Solutions, LLC, noted:
“Working in a Just Culture means more security around the decisions you make. It means recognizing that humans aren’t perfect and that when you make a mistake you are going to be embraced in the process of trying to understand why the error was made rather than be punished for your mistake,” says LeSage. “For frontline staff that boils down to more security in reporting and being open about errors.”
“Safety Culture” in Aviation
A culture of safety incorporates more than a “just culture.” According to the article “Air Safety Support International” by Dr. James Reason, a safety culture consists of five elements:
- An informed culture
- A reporting culture
- A learning culture
- A just culture
- A flexible culture
In addition, it is important that those who flout safety standards repeatedly are dealt with appropriately.
Transport Canada – a Department in the Government of Canada responsible for transportation safety – stated in a 2008 report “Guidance on Safety Management Systems Development”:
“The ideal safety culture embodies a spirit of openness and demonstrates support for staff and the systems of work. Senior management should be accessible and dedicated to making the changes necessary to enhance safety. They should be available to discuss emerging trends and safety issues identified through the System. A positive safety culture reinforces the entire safety achievement of the organization and is critical to its success.”
Safety Culture is a combination of psychology, behavioral science, leadership, risk management, education, sociology, leadership studies, and more!
The Weakest Link or Your Greatest Ally?
How many times have you heard “people are the weakest link” in a cybersecurity presentation? The numbers seem to bear out the truth of this statement (for example, see the 2023 Firewall Times article “30 Social Engineering Statistics”) as most cyber-attacks start with a human mistake. However, this doesn’t paint the whole picture.
Lior Div, who was a member of Israel’s Unit 8200, stated that they were always able to break into any organization’s systems but the times when they were unable to achieve their objectives were because some person noticed something odd. The person would continue to investigate, pulling on the thread, until they discovered the infiltration and closed it down.
Yes – people are our greatest asset in the fight against hackers!
Cybersecurity is a team sport – all the way from the intern on up to the executives. But a team is effective only when its members:
- Have a clear purpose and goals
- Communicate openly
- Respect and trust one another
- Adapt!
Clearly, it takes time and effort to unite an organization, and it goes beyond security.
Build your Security Culture!
Building a security culture does not mean creating paranoia. When you raise security awareness without properly educating people, suddenly every email is being reported as suspicious — even the legitimate ones. Activity slows in an organization where no one trusts anything.
An organization with a strong security culture is one where people are not afraid to speak up when they see something that represents a security risk. Instead of fear, people are looking to continually improve. They continue to learn and hone their skills so that they can make the right decisions confidently.
But how do I go about building such a culture in my organization?
It Starts at the Top
The tone of an organization is set from the top. When executives prioritize security and continually reinforce that message, people will follow.
Boeing – with a long and proud history of Safety – apparently lost its safety culture when executives focused on speed to market and containing costs rather than on safety. As noted in this 2024 article in Forbes:
He pointed to a shift that began in the 1990s when Boeing, in an effort to be more competitive, underwent several reorganizations and purchased its domestic competitor McDonnell Douglas. That acquisition in 1997 prompted Boeing to move its headquarters twice and change CEOs several times. Saporito writes, “What Boeing missed, as it tried to dump costs and speed production, was the chance to ensure that safety was a cultural core and a competitive advantage.”
Charles Scharf, former CEO of Visa, stated the following in the foreword of “Navigating the Digital Age”:
“Don’t leave the details to others. Active, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important. Your involvement will produce better results as well as make sure the whole organization understands just how important the issue is.”
Besides setting the tone, Executives also need education — they have questions about cybersecurity! They may be the foremost experts in their field, but they probably don’t understand security as well as someone who eats, sleeps, and breathes security. They may also have questions about the latest regulatory changes, such as the new SEC rules around cybersecurity reporting.
Your Mission…Should You Choose to Accept It
When you look at your organization, you probably don’t focus on technology. You see the people! Perhaps you are proud of the organization you have built. Professional people, working together through thick and thin to achieve your mission. It’s satisfying when your people have internalized your values and applied them – even when you’re not looking.
Building a security culture is invaluable and will take your organization to the next level. It is a competitive advantage! Security is not a cost – it is the foundation of trust and resilience that your organization is built upon. It protects your brand, your reputation, and your bottom line.
It begins at the top with intentional effort. It will benefit your organization more than anything else you can do. Do you accept the challenge? Will you lead the way?
Here are some steps you can take right now.
- Work with Leadership to voice their commitment to Security and create a cultural statement:
  - Security is everyone’s responsibility
  - You will never be berated for coming forward…even when you made a mistake
  - Everyone is empowered to speak up against security risks
- Work with leadership on how to promote Security while aligning it with business objectives. This may involve some brainstorming sessions, or you may even offer to ghostwrite some statements.
- Standardize Reporting: Provide ways for people to easily report security concerns, including anonymously. Respond to each message. Thank them.
- Create a Lightning Rod! Have one or more Security staff become the public face of Security. You want them to act as lightning rods. They should be personable and good listeners. You want everyone to feel comfortable coming forward and speaking with them about concerns they may have.
- Provide Training: The training should go beyond identifying phishing. Help your people understand how to secure themselves in their personal life, and they will also apply those lessons at work. While “canned training” has its place, focus on live interactive sessions where asking questions is encouraged.
- Create a “Security Champions” program: Throughout this process you will identify people who really love Security and are passionate about protecting the organization. Provide extra perks for these people. Provide training on applicable areas, whether that be application security, selecting business partners, or handling sensitive data.
- Recognize People: Publicly recognize all those who are especially supportive – your security champions, those who report the most phishing emails, those who have identified a risk in corporate processes, etc.
- Present at Division Meetings: Learn about the various divisions – what they do, their top goals and concerns, and how they communicate. Offer to present at one of their division meetings with a focus on addressing their concerns and questions.
- Conduct Tabletop Exercises: Once you get to know the various groups, you can introduce the idea of running a tabletop with a focus on them. For example:
  - Customer Service: How do you provide great service while ensuring that the person on the other end of the line really is who they say they are?
  - Sales: How will you respond if someone’s email is compromised and used to send phishing emails to dozens of your contacts?
  - Marketing: How would you respond if a data breach or cyber-attack became public?
  - Finance: Walk through scenarios where targeted phishing emails are used to trick someone into wiring money to a criminal.
Don’t be overwhelmed, and don’t get discouraged if one of these efforts doesn’t take root immediately. It will take some time. You will need to keep beating the security drum – but not in a “the sky is falling” manner. Simply be there for people. Help them. Listen. Engage.