Developing a culture is an ongoing process, but one that should be intentional.

Building a strong security culture isn’t tactical, although many organizations treat it that way. A strong security culture is built on a strategy designed to ensure that security awareness, behaviors, and mindsets are part of the fabric of the larger organizational culture. The result is employees who know and understand the important role they play in protecting company data and privacy.

Let’s face it, that’s not something that happens overnight, nor can it be done in a “set it and forget it” manner. Security culture isn’t just about awareness and training; it covers a broader spectrum of human behaviors (many of them unconscious), shared beliefs, and adaptive practices that define how employees act when they’re not being observed.

But let’s start with a very foundational question: “What is culture?”

The definition of culture

Culture is a word we hear bounced around a lot in business circles: we talk about customer culture, quality culture, safety culture, and, of course, security culture. But what is culture? We like to define culture as a group’s ideas, customs, and social behaviors. From a security standpoint, we’re talking about the protection of important and proprietary data and systems related to company, customer, and employee data. The elements of a strong security culture are:

Attitudes and behaviors: Employees’ feelings and beliefs about security protocols and issues and the behaviors they exhibit, often influenced by what they observe others doing.

Cognition and communication: The knowledge and understanding that employees have about security, how security information is communicated throughout the organization, and the role that leadership plays in this process.

Compliance: The extent to which employees adhere to security policies and procedures.

Norms: The informal rules or “the way things are done” that influence security practices.

Responsibilities: The level of empowerment that employees feel in ensuring the security of the organization’s data and systems.

Developing these critical elements of a security culture requires a strong plan and ongoing communication, measurement, and improvement.

Here we share a seven-step approach for sustaining a strong security culture.

1. Identify the behaviors that need to change

What behaviors should change to help your organization meet its security goals and minimize risk? A good starting point is identifying the top risks your organization faces and then determining the employee behaviors that could affect those risks, positively or negatively.

2. Develop a plan

After identifying the behaviors and their priorities, the next step is to create a comprehensive plan to help drive the strategies and associated tactics that build a strong security culture. The plan should include policies, procedures, and informal social norms that can influence behaviors on an organizational scale.

3. Get leadership buy-in

Organizational leaders set the stage for a strong culture that can be maintained and strengthened over time. Their actions, or inactions, send strong messages to employees about what is expected, what is tolerated, and what will not be tolerated when it comes to protecting assets. Support from senior leadership, from the board to the executive team to frontline managers and supervisors, is critical for ensuring the success of a security culture.

4. Communicate, and communicate some more

As we’ve already noted, a strong security culture isn’t built on a “one and done” model. It’s not an event, it’s a process. Ongoing communication is a big part of that. Effective communication uses multiple channels and methods over time. Be sure to explain why the security measures you’re taking are important, and make the information both relatable and understandable.

5. Execute the plan

Your plan should include clear and specific goals and deadlines that can be monitored and adjusted as needed. The plan should be fluid, allowing for changes as opportunities for improvement and best practices are identified. The results of the plan, both positive and constructive, should be shared broadly as part of the communication process. Senior leaders can play an important role in sharing this information, trickling the messages down through the organization.

6. Measure results

In addition to monitoring the metrics you establish to demonstrate the success of your security culture efforts, measure results by seeking input from employees directly or through surveys, polls, and assessments. Employees often have great ideas about ways to strengthen the culture and improve communications.

7. Determine the go-forward strategy

As you move forward with your plan and monitor the implementation’s impacts, refine your approaches and identify the behaviors to address based on what you learn. Maintaining a continuous improvement cycle with multiple inputs will support an iterative process that becomes embedded in your organization and its operations.

Once you cultivate a good and strong culture, it’s a lot easier to maintain. It becomes part of the organization’s social dynamic. An effective security culture is the sum of all the subconscious human behaviors that people repeat because of prior experiences and collectively held beliefs. It’s prescriptive and it’s composed of the rules, patterns, assumptions, beliefs, and behaviors that exist in the organization.