How to Build a Security Culture in Your Organization

1. Instill the Notion that Security is Everyone’s Responsibility

Many people still have this idea in their heads that data security is the sole responsibility of the IT department. However, given that employees are generally considered to be the weakest link, this is clearly not the case. In fact, in today’s technological paradigm of distributed multi-cloud and hybrid IT environments, it would be simply impossible for even the most experienced IT security professionals to effectively keep their data secure without the cooperation of all members of staff, including C-level employees and executives. This must be made clear to everyone, and all security policies must be designed with this notion in mind. We must also do what we can to eliminate the “us versus them” mentality, which requires uniting people under a common goal.

2. Develop a Comprehensive Security Awareness Training Program

This is the most obvious part of creating a security culture. All employees and relevant stakeholders must be given clear, concise and comprehensive security awareness training. Record and upload the training sessions as well so that employees can watch the video at a later date if they need to refresh their memory on a given subject.

For the sake of context, provide real-life examples of data breaches, including information about the causes and consequences of the examples provided. As mentioned previously, the training should be fun and engaging – something that I will cover in more detail later in this article. A common technique that is used to ensure that security is always at the forefront of employee’s minds is to put up relevant posters, which might include cartoons, catchy phrases and acronyms, in areas that are visible to all members of staff.

In addition to educating regular employees, all software developers and testers must be trained extensively on application security best practices. Remember, security awareness training is an ongoing activity.

3. Make Sure That You Have a Secure Development Lifecycle (SDL)

An SDL referrers to the processes and practices that need to be performed before rolling out any software or system releases, and includes threat modeling, security testing and other relevant activities. Many organizations base their SDL on the Microsoft SDL, which you can find here.

4. Reward Success More Than You Punish Failure

In order to maintain the enthusiasm of your employees, look for opportunities to celebrate their success. At the end of every training session, thank your employees for their participation. Consider offering them a reward of some sort – even if it’s just a piece of cake. You may even want to consider offering them a cash bonus – at least until you are satisfied that your core objectives have been achieved.

Do what you can to turn security awareness into competition. If you’re carrying out mock phishing attacks, be sure to reward those who were able to identify the phishing emails in a timely manner. While it is important to raise awareness to those who failed the test (assuming anyone did), try to keep the criticisms as constructive as possible. It’s important to bare in mind that we all have our off-days.

Given the shortage of cyber security professionals, it makes sense to provide opportunities to those who show an interest in data security. Perhaps offer them additional training and encourage them to consider moving into a data security role within your organization. If you haven’t already developed a suitable training course for them to participate in, consider enrolling them on a training course provided by a third-party. Sure, it all costs money, but it will likely pay-off it in the long run.

5. Make Security Fun and Engaging

Let’s face it, data security a dry subject. In order to ensure that employees are willing to show interest and actively participate in your data security program, subjecting them to lengthy and tedious presentations is perhaps not the best way of achieving your goals. Of course, making security fun and engaging is not an easy task.

You will need to think carefully about who should be appointed to carry out the training sessions. The appointed member of staff should be someone who is extroverted and likes to crack jokes. Give them permission to goof around deliver a training session that is fast-paced and energetic.

Try to ensure that the training sessions are interactive and relevant, and include games and quizzes to ensure that the participants are paying attention. As mentioned previously, organizations may choose to put up posters that remind employees of security best practices.

A quick Google and you will find hundreds of data security memes, with mildly humorous pictures and captions such as “Yeah, if we could just stop clicking on phishing emails, that’d be great!”, or “Passwords are like underwear, they shouldn’t stick to the wall!”. Granted, they’re not exactly rib-ticklers, but as long as they stick in people’s minds, that’s all that matters.