Culture of Security

Culture of Security 150 150 Sharon Smith

After a decade as an information security (a.k.a. cybersecurity) consultant, I had seen too many people who were just hanging in there or counting down the days till Friday. I started to take a great interest in company culture and employee engagement and I wanted to figure out how to solve this problem, especially as it related to the security professional.

Just like company culture and employee engagement can make or break an organization, as in, are employees happy to come to work and engaged or are looking for their next opportunity, the culture of security or lack thereof can make or break an organization in terms of whether they stay in business or lose everything to a hacker, security breach, or internal error.

One unpatched desktop or one phishing email is all it takes for the hacker to get started in successfully breaching an organization. How easy or difficult this is has to do with the culture of security. The intent of this article is not a scare tactic, it is purely a reminder or maybe a new way to think about the importance of having a culture of security.

There is an old Chinese proverb that I believe really says a lot about culture (of any kind), “the fish rots from the head.” If the top leaders in an organization are not serious about security or do not understand its importance, how can anyone else in the organization take it seriously?

Here are three questions you can start with to determine whether you have a culture of security, if you can answer yes you have started the process towards creating a culture of security and if you say no, well then you know where to start if you want to create this culture.

  1. Have you set and regularly communicate clear expectations that security is a priority and non-negotiable?
  2. Do you expect your executives to stop projects, even the important ones, if security is not implemented?
  3. Do your employees at all levels, know what to do in different scenarios, such as how to recognize a possible breach, attack, or error and how to report it?

I have seen projects implemented without security because the project was a high priority initiative from the C-Suite or the board. I’ve seen the business side win over the security side again and again where the security side had to compromise because the business was not going to budge. The fact that I’m even putting these two groups on sides shows that in many organizations there is no culture of security, because if there were, they would be working together to ensure that the business had what it needed while at the same time doing it in a way that is secure.

Part of a culture of security is having the best team possible, showing the organization that this is important by bringing in the best and not understaffing the department. It is also having a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) that reports to the CEO and not to the Chief Information Officer (CIO).  Too many organizations still have the CISO reporting to the CIO, and if the CISO does not have the same importance as the CIO, what message is that sending? Plus, if the CIO does not like what the CISO is saying because it could negatively impact a project, how easy is it to stop the security concern from going further up the chain of command?

The culture also includes a way to report security incidents or suspicions without repercussion. If someone thinks there is an insider threat, they need to have a way to communicate that for follow-up. If someone clicked on the wrong link and thinks they are the victim of a Phishing attack they need to be able to report that without fear of reprisal.

Does the CISO have the team he or she needs to offensively and defensively protect the network? How about the team outside of security; are the developers trained in secure coding and do project managers have enough information to know when to get help from security and who to talk to? Are there enough resources for the security team to do their job properly? This is an ever changing landscape and the hackers have unlimited resources while organizations do not. However, there has to be some budget for the security team to stay sharp and up on the latest trends.

Hiring great security people is a challenge because there are more security positions than qualified people right now and it is a field filled with adversity. Security professionals only get recognized when there is a problem; and that recognition is not positive. When the Security team does its job well, which means there has been no security violation or breach no one notices, it seems like “business as usual”  to everyone else. As a result, Security professionals often don’t get any praise or recognition for what they are doing well and only get the spotlight when something has gone wrong.

That is not a great frame of mind for most people to work in, and after time, after putting out fires, racing against the clock, and doing everything to protect the network, there is no recognition. Security professionals are getting burned out and they are ready to move on when they do not feel that there is a strong culture of security. That combined with the current gap in qualified professionals and number of positions available makes it even harder to maintain security for organizations.

Culture, any type of culture, starts at the top. If you are responsible at any level for the success of your organization and have not given the culture of security much thought before that’s OK, it’s not too late. And if you need help or want to discuss your specific situation or you are looking for additional resources email


Share This