Building upon Part 1 of the Security Culture Series, which focused on expanding IT’s responsibility, we wanted to dive deeper into the paradox of digital transformation: even as it continues to introduce new and exciting innovations, it presents security challenges to almost every sector that can no longer be ignored. Organizations need to place paramount importance on creating a culture determined to tackle these security threats above all else.
The term “security culture” refers to a cultural expectation, instilled by the leadership of an organization, to maintain a security-focused mindset – one where every decision and strategy is judged against the strictest security protocols rather than internal preferences. With mobile devices becoming the primary mode of communication between consumers and businesses, the need for a security culture is quickly moving to the top of many organizations’ priority lists.
In Part 1, we discussed the need for IT teams to expand their responsibility when it comes to security. Although this is key, organizations also need to improve employee education and training around the topic. After all, building a security-first culture takes more than just an IT team that’s cognizant of security risks — it means all staff must be engaged and participating, regardless of department.
Though many organizations today offer education on security matters, there is still much room for improvement when it comes to training. It’s common to offer a single hour-long security training session each year for all non-IT employees, but businesses that address security only once a year expose themselves to a greater risk of breaches. As evidence of this, 55 percent of the companies surveyed in a recent Ponemon Institute report have already experienced a security incident due to a malicious or negligent employee.
It’s time to polish up the much-too-common, lackluster approach to employee education and training on security.
Be Specific and Relevant
When addressing staff on security topics, be specific about what those topics mean for different employee roles, and about the influence each role has on the overall security of the organization. The traditional approach is generic: a one-size-fits-all mentality toward security. That strategy makes the topics seem irrelevant to individuals whose roles aren’t directly connected to security.
However, in order to create a culture where security truly is the foundation of all decision-making, security topics must be made relevant to each individual employee so they carry that mindset with them into their daily tasks.
Lather, Rinse and Repeat
Keeping security front-and-center for all employees can be achieved by holding consistent discussions around the topic. Here, it’s best to tailor the information in a way that sparks reflection from employees and causes them to ask themselves: “How can I address the importance of security in my role?”
The leadership of any organization must consistently reinforce the importance of security in order to instill it within the culture — and scheduling frequent discussions that engage employees to participate is one of the best ways to do so.
Recognize and Reward
It’s easy to fear what you don’t understand, but the more you discuss security within your organization, the more comfortable your employees will become with best practices and the topic in general.
As you begin to see the culture take hold, it’s a good idea to recognize and reward the advocates, innovators and success stories leading the charge within your organization. If people feel appreciated, they’ll be more likely to buy in — not to mention bringing a little fun into your security program will help make the topic less scary overall.
As mobile devices and digital technology continue to take over consumer communications, fostering a security culture needs to become (and remain) a priority for businesses around the world.
Recently in InfoSecurity Magazine, I discussed why the cultural mindset of healthcare organizations in particular needs to change as digital transformation continues to alter consumer communication – and outlined three tips to achieve this shift. This blog is Part 2 of a three-part series that dives deeper into each of those tips.