9 Key Steps to Creating a Company Culture of Security

By Aby David Weinberg
image March 12, 2023 image 6 MIN READ

In 2022, experts estimated that 85% of data breaches involved a human element. That includes exposure of confidential data, misconfigurations, or mistakenly enabling malicious actors to gain access to the network. 

Unfortunately, humans today are considered the weakest link in your organization’s security. If employees feel there is a lack of shared context on cybersecurity threats and why they need to follow specific policies, it’s less likely they’ll stick to the requirements. This is highly likely to lead to security gaps. There are steps you can take to defend yourself against the persistent threats faced while keeping employees engaged.

This article explains how you can create a strong culture of security so that employees can instead be your greatest source of strength. 

What is a security culture? 

What action will your employees take when faced with a decision that could expose your organization to risk? Do they know the correct steps to take? 

The answer to these questions gives you insight into the culture of security of your organization and how security plays an integral role in it. 

The table below illustrates how employees act differently when the security culture is deeply embedded within an organization versus when it’s not. 

Scenario Employees without a security culture  Employees with a security culture
An employee receives a suspicious email in their inbox.  The employee deletes it, clicks on the link, or doesn’t do anything but mention it casually to other employees “Did you get a weird email too from Bank1234?” Employees receiving a suspicious email report it directly through a report to the cyber team or the person responsible for dealing with these issues. 
An employee finds a piece of paper with a list of passwords and accounts they’re linked to. The employee throws the paper in the trash.  The employee reports the incident to the security team, who educate the organization about the importance of secure passwords, incorporating MFA (multi-factor authentication), and password managers. 

Benefits of having a strong security culture

When a strong security culture is in place, and your organization communicates the process and procedures to everyone, employees are more confident and proactively engage in making the right decisions. 

As a result, the risk of security incidents decreases while the time security teams spend fighting threats and dealing with incidents should reduce. The company may also achieve higher levels of compliance than before, lowering the risk of financial damage, which can come if compliance requirements are not met. 

9 key steps to create a company culture of security

Instead of blaming employees for being lazy or finding workarounds that expose your organization to risk, organizations need to lay the proper foundation for a culture that encourages collaboration between employees to find a more secure solution. You’ll need to build a strong culture of security by opening the doors of communication so everyone within the organization can explore and improve on best practices together. 

Here are a few practical tips for achieving this:

1. Survey your current situation honestly

Team Meeting

Before you can suggest how to improve the company culture of security, you’ll first need to thoroughly evaluate the current security situation. 

That means you’ll need to get answers to questions such as:

Only after surveying managers, the C-suite, and employees will you have a better picture of the current situation and be able to create a roadmap with goals for improvement in the future. 

Create a security Plan

2. Create a solid cybersecurity plan

You cannot have a culture of security without a strategy in place for detecting, measuring, and responding to security risks. While threat intelligence technology can help minimize the damage a malicious threat actor inflicts on your organization, they don’t eliminate the threats that employees bring to your organization through workarounds, insecure passwords, and misconfigurations. 

To help you get started, incorporate these elements into your cybersecurity plan:

3. Create simple, clear security policies

Organizations often make the mistake of having security policies that are too technical for most employees to understand. Or they fail to communicate the process or system required for employees to report security issues. 

In contrast, Yahoo built a strong security culture by giving its employees clear instructions regarding their best practices. 

When generating a new single sign-on password, we want all employees to generate and store the password within our corporate-approved password manager.”

4. Lead with transparency on expectations

In the past, security education translated to awareness. But awareness doesn’t communicate the actions you want your employees to take. 

Your security culture should set specific goals: 

5. Employ accountability

Team Discussion

When a breach occurs, you should be able to trace it back to a specific individual or department. Explain what happened and how the employees or department is accountable. For example, you may realize that the entire department is sharing the same password or they have set up an account through an unauthorized website. Use the incident to reinforce the need for better security practices. 

6. Implement engaging security awareness training

Focus on high-quality, efficient training that includes interactive learning, quizzes, and short quizzes to reinforce learning. CybeReady’s fully managed cybersecurity awareness platform incorporates this type of training while decreasing the high-risk employee group by 82% and increasing employee resilience score by 5x, all within 12 months of training.

7. Ensure executive priority and support

Support for a culture of security must start with management explaining its importance and how it will help the organization achieve its business goals. Management can demonstrate its support by actively participating in the training. Department heads can also lead in installing a good culture of security within their team. 

8. Reward employees for their security efforts

How can you blame employees that receive negative feedback for reporting security incidents for being uneager or motivated to report incidents again? 

Create a culture that rewards employees and recognizes their contribution to security. This could include verbal praise of employees who complete cybersecurity training, offering cash rewards, or sending a message that says: “Thank you so much for helping us improve our security together!” 

9. Instill the message that good security culture is up to everyone

The CISOs and security team cannot be solely responsible for creating the security culture in your organization. Executive leadership must show a visible role in cybersecurity to demonstrate its importance to the entire organization.

Addressing resistance to security culture

People hate change. Don’t expect employees to embrace a new security culture immediately. Instead, spend time educating employees on why a good security culture is essential and make it engaging for them. For example, most employees find multi-factor authentication (MFA) cumbersome. However, when you educate them by explaining that compromised credentials caused 62% of security attacks, they may be more open to accepting new security policies. Encourage greater flexibility and collaboration within the organization. You might consider adopting an employee’s workaround temporarily, for example, until the proper integration of new security policies takes place.

Virtual Demo

A gradual yet more efficient approach to a culture of security

Your organization’s security culture isn’t static. It needs to be a continuous and open discussion within the organization about the latest security procedures, best practices, and ideas to improve its security. Cybeready’s security awareness platform helps teams build a strong culture of security in your organization by teaching your employees how to proactively manage threats intelligently and identify and respond to potential threats. Its platform is also engaging and interactive, with measurable KPIs for security teams to ensure efficiency. 

Want to deploy an engaging security awareness training program that builds your security culture? Request a demo today.