Ultimate Guide to Develop a Security Culture from Top to Bottom

Security Culture

Culture is an integral part of society: we cannot touch or feel it, but we can certainly experience it. The term culture has different meanings depending on the context in which it is used. In a personal or religious context, culture refers to the shared attitudes, values, and beliefs of a group of people. In the corporate world, the same term refers to the practice of formal etiquette at the workplace, and it defines how people are expected to operate.

Security is a subset of workplace culture and it should not be ignored. It is crucial to develop a security culture from top to bottom. There should be designated people responsible for security as a whole, including controls such as BPSS clearance, to make sure that nothing goes wrong.

What is Security Culture?

The terms security and culture might sound vague, but they go hand in hand. Developing a security culture in firms and IT organizations is hard because we still see employees writing their passwords on post-it notes and sticking them beside their computers. Such habits may be common, but old habits have to be unlearned before new ones can take hold. Cybersecurity has a broad scope, and a security culture can be learned, shaped, transformed, and sustained.

Developing and following a culture can steer the company in the right direction and work for the betterment of the employees and the organization.

6 ways to develop a security culture from top to bottom –

  • Instill the concept that security belongs to everyone –

It is a common belief that the security department alone is responsible for security, but a sustainable security culture requires that everyone in the organization is all in. People in the organization should treat security as something personal and try to understand it. When establishing a security culture, the workforce should treat security as belonging to everyone, from the executive staff to the lobby ambassadors. Everyone owns a piece of the company's security solution and security culture.

To understand this better, consider the words of Samantha Davison, security program manager at Uber. She says, "At Uber, we are trying to change our employees' security stories. By creating programs catered to region, department, and role, our people understand that security is part of their story and our culture." This is a good example of a company that truly believes security belongs to everyone and bakes security into everything it does.

It becomes much easier to develop a security culture from top to bottom when security is built into the vision and mission of the company at the highest level. When the top of an organization takes security seriously, that attitude flows down to the bottom, and everyone starts considering security and taking it seriously. This means the whole workforce, from the CISO and CSO through the other C-level executives down to individual managers and their teams, should follow the security culture.

  • Focus on awareness and beyond –

The first part of instilling a security culture is security awareness: teaching your entire team the basic lessons about security. Every individual in the firm approaches a given threat differently, so it is important to understand how each of them responds to different threats.

Security awareness is often considered boring, and no one pays attention to it, because of the outdated mechanisms used to deliver it. Posters and in-person reviews can be boring, but they do not have to be. It is important to add a creative element and make the learning process engaging.

Every company works in a dynamic environment, and it is not possible to predict every risk. Once the damage is done, however, the incident can usually be traced back to a cybersecurity gap, and proper security could have saved the organization.

This is why it is important to grow the security culture with these teachable moments. Do not try to hide them under the rug, but instead use them as an example of how the team can get better.

  • If you do not have a secure development lifecycle, get one now –

Following a secure development lifecycle (SDL) is key to building a security culture from top to bottom. An SDL is a detailed guide containing all the processes and activities that an organization agrees to perform for each software or system release. Following the SDL consistently helps establish a strong cybersecurity culture, and it teaches practices such as security requirements, threat modeling, and security testing.

Following an SDL and developing a security culture around it is still not common in many organizations, but demand is slowly rising. Companies are realizing the importance of security culture, and customers across industries are starting to demand that organizations have an SDL and follow it. SDL is not a widely known term, and information about it was not readily available. This is why Microsoft released its SDL documentation, explaining how it helps firms; that information can be accessed for free.

Having a product security office is another essential part of establishing a security culture. Most new and established companies have one, and those that do not should think seriously about investing in one. This office sits within engineering and provides the central resources needed to deploy the pieces of your security culture. It can also teach employees about the various aspects of security and why they matter.

  • Reward and recognize those people that do the right thing for security –

Top-level management has a major role in establishing a security culture. Managers should look at the work of their employees and look for opportunities to celebrate success. If a manager finds an employee who follows all the mandatory security awareness processes and completes them successfully, the manager should recognize this and reward the employee for going all the way in maintaining security. The reward can be anything, but it should be motivating enough for the employee, and for other employees, to follow the same process. A simple cash reward of $50 can be a huge motivator and will make people remember the security lesson that earned them the money.

This rewarding technique is effective because the rewarded employee will tell coworkers about the reward, and others will work hard to be rewarded too. Managers should not worry about spending $50 per employee. It is an investment in their employees, who will follow the same procedure every time, which can later save the company thousands of dollars. Preventing a single data breach easily outweighs the $50 spent.

Another unparalleled benefit of maintaining security and establishing a security culture is being able to tell customers about it. The public will choose a company that is secure and will put their money only where they think it will be safe. Top-level management can also make security a career path within the organization. Once a company states that security is important, it has to prove it by providing growth potential for those with a passion for security.

  • Build security community –

Building a security community is essential because it acts as the backbone of a sustainable security culture. Such communities establish connections between people across different parts of the organization. An "us versus them" mentality is common in organizations, and it does not usually go away on its own. It is very hard to clear up this mentality naturally, but a security community helps bring everyone together.

These security communities include professionals who can guide the members and conduct one-on-one mentoring sessions. The sessions can be scheduled at the employees' convenience. Meeting once a week or twice a month helps cover solutions and tips for the security issues that come up. There can also be a yearly conference, where the best and brightest in the organization have a chance to share their knowledge and skills on a big stage.

  • Make security fun and engaging –

It is impossible to develop a security culture if people are not interested and engaged in the sessions. At present, security seminars and classes are considered boring, and that should be the first thing to change. Employees should be able to use this time to blow off some steam and learn something in the process.

A basic PowerPoint presentation with HR or some employee reading out the information is boring and inefficient. There should be fun activities and competitive games where employees can show their skills and knowledge. When employees are engaged in these activities, they learn the important material more easily and faster.

One of the best ways to run a successful monthly security community event is to start it with a full-on competitive game of security trivia, with a different security category each month. Dividing the workforce into groups also helps with team bonding. Once the games are done, the winning team is announced and receives a proper reward. This motivates the workforce to do better at the next security community event.

Conclusion –

Building a security culture is a continuous process; it is not a matter of following a few steps and hoping the culture appears. The culture should develop naturally, and forcing it on employees can have a negative effect. Soon, having a security culture will be a common sight in every organization.

Training the workforce in cybersecurity and enrolling them in cybersecurity-related courses can also help establish the security culture. Security is very much in demand now, and many well-known universities offer a master's degree or at least an online certificate course in cybersecurity. If you cannot find one nearby, create your own. Enrolling employees in these courses improves their knowledge and boosts their morale.

These simple tips can be followed to successfully develop a security culture from top to bottom.

Author Bio –

Mark is an active cybersecurity enthusiast who has had a keen interest in coding from a very young age. He learned how to code and then started to learn how to hack, which is when he understood the vulnerabilities in the digital world and how easy it is to disrupt almost any device. This is what drove him to write this article about developing a security culture.