“Corporate culture” is a term that has been around in the business world for decades, and most business leaders would agree that culture is important.
But what is it? Hard to say. Culture is one of those constructs best described as “what you see is what you get”, and of course that is not a sufficient definition.
Culture underpins the way an organization works. It is embedded in its mission, vision, and values. Culture is demonstrated through the actions and behaviors of everyone in the organization, from leadership to the front lines: how new hires are welcomed into the organization, how success is celebrated, how failure is handled, and how employees, customers, and partners are treated.
And, as we learned during the pandemic, culture is how people behave when they think no one is watching. During the pandemic, companies with strong cultures were able to keep work going no matter where their employees were located.
A strong, positive culture supports the company’s goals and objectives and rewards and celebrates behavior in line with its core values. By contrast, a toxic culture that tolerates “bad behavior” and “bad actors”, where harassment is prevalent, creates a place where people don’t want to come to work, or to do their work.
Defining Security Culture
Security culture is a subset of overall corporate culture. Just as corporate culture supports organizational values and objectives, security culture supports security-related objectives and values. This means protecting the data and technology your company uses to run its business, while also protecting your employees, customers, vendors, and more. Security culture can be defined as: the ideas, customs, and social behaviors of a group that influence its security.
Having a good security culture means that security is built into the way your organization operates. Clearly, it is important because it provides a broad level of protection for your organization’s data and systems.
Weak Security Culture and Strong Security Culture
Like corporate culture, every organization has a security culture, whether it knows it or not. The question is, “Is that culture good?”
In an organization with a good security culture, employees make the right decisions regarding security considerations. They are aware of potential threats, recognize red flags to watch out for, and report all suspicious activity. They understand that as the human endpoint where most breaches occur, they play a vital role in supporting and strengthening your security culture.
These beliefs are demonstrated and explained through action.
In organizations with weak security cultures:
- An employee who is the target of a phishing attack (such as receiving a malicious email) may think: “I’d better check whether it’s legitimate.”
- An employee who finds a USB drive labeled “Payroll 2022” may think: “Let’s see where I stand compared to my colleagues.”
In organizations with strong security cultures:
- An employee who is the target of a phishing attack (such as receiving a malicious email) may think: “I should report this to the cyber team so they can investigate.”
- An employee who finds a USB drive labeled “Payroll 2022” may think: “I will take this to the cyber team.”
These are the kinds of situations that employees face on an ongoing basis. If not every employee is able to respond appropriately, we do not have a strong security culture.
Building a Strong Security Culture
We’ve already discussed the reality that every organization has a security culture, which may not be what your organization wants.
The first step in strengthening your security culture is identifying where you are now, defining the culture you want it to be, and pinpointing where it needs improvement.
This starts with asking a few key questions to assess your current state.
- Do employees understand the impact of a potential breach?
- Are they aware of the cyber threat landscape?
- Do they take steps such as locking their device when they are away from their workstation?
- Do they follow existing policies regarding Internet usage, incident reporting, etc.?
- How do they respond to phishing attacks and other forms of social engineering?
With this baseline, you can begin to explicitly define the security culture you want.
- What is the current understanding, knowledge and awareness of employees?
- What attitude would you like your employees to have towards security?
- What behavior would you like to see or change?
- How will you communicate with your employees so they feel part of your security solution?
- How do you include employees in your policies to ensure they understand what is expected of them?
- When you think about your company’s “unwritten rules,” what security considerations do these rules have?
- Do your employees understand that cybersecurity is everyone’s responsibility and that each one has an important role to play?
Organizations without a strong security culture are at risk. Organizations that build, continuously monitor and strengthen a security culture minimize those risks and protect their employees, customers, partners and business.
Perry Carpenter recently published “Security Culture Playbook: An Executive Guide to Mitigating Risk and Developing Human Defense Layers.” He is with KnowBe4, the world’s largest security awareness training and simulated phishing platform. Contact him on LinkedIn.