How to Fix a Dysfunctional Security Culture


There is an old business saying, often attributed to Peter Drucker: “Culture eats strategy for breakfast.” Whether or not he actually said it, the sentiment is clear: without a strong culture, an organization will be unable to execute on its strategy.

Culture underpins everything an organization does, and how it gets done. While the term usually refers to the organization as a whole, there are also cultures (or subcultures) within an organization tied to particular business practices, such as security. At my company, we define a security culture as the ideas, customs, and social behaviors of a group that influence its security.

The Hallmarks of a Security Culture

Culture shifts over time. A positive security culture grows from basic compliance into a sustainable, well-integrated one that drives secure behaviors and helps prevent breaches.

But cultures can also become toxic or dysfunctional, working at cross purposes with the desired values and goals of the organization.

From a security standpoint, a dysfunctional culture might show signs such as:

  • failing to follow the organization’s policies and procedures for data management;
  • failing to properly protect sensitive customer, employee, or company data;
  • a lack of employee security awareness training;
  • failing to adequately protect against breaches, or to report a breach appropriately when one occurs.

Broader signs and signals may also be observed: things like high turnover, employee dissatisfaction, low productivity, or lack of engagement.

A dysfunctional security culture lacks the necessary focus, programs, metrics, integration, and sustainability to positively influence employees’ security mindsets. The result can be detrimental not only to the organization’s systems and data—but also to its reputation and brand.


Companies need to stay vigilant: alert to the signs of a dysfunctional culture, and proactive in warding off apathy and moving toward engagement, where employees feel supported and valued.

Fixing a Dysfunctional Culture

Organizations can take steps to fix a dysfunctional company culture—and a dysfunctional security culture.

  • Focus on the “big rocks” first. Overall cultural signals like turnover and dissatisfaction often provide early warning of impacts on other areas of the company, such as security. Monitor and respond to these signals continually, before they spread.
  • Identify and catalogue the signs. What are the aspects of your company’s security culture that have you most concerned? Employee attitudes? Lack of adherence to policies and processes? Breaches? Use assessments, surveys, and diagnostic tools to help identify and quantify issues. This will provide a benchmark to measure progress as you move forward.
  • Assess the impact of your leadership team. Your leadership team sets the stage for the actions and behaviors of everyone within the organization. If they are dismissive of security policies, fail to take part in or support training efforts, or turn a blind eye to employees who defy security rules, a dysfunctional culture will take root (or is already at play).
  • Don’t try to boil the ocean. Pick one or two behaviors you would like to change because of the impact these behaviors have and focus on fixing those.
  • Be clear about your vision. What would a strong culture look like? What signs would be in place to indicate that a sustainable, positive culture of security exists? Then put that vision at the forefront for employees so they know exactly what success should look like.
  • Design a plan to influence behaviors broadly. Use project management principles and gain buy-in from individuals who can serve as advocates.
  • Engage employees. While a strong security culture is set from the top down, it takes the entire organization to sustain it. Solicit input from employees: involve them in identifying the protective measures that are needed, in gathering ideas for implementation, and in giving feedback on the effectiveness of training programs. Share that feedback and the progress made, and provide a steady drumbeat of information and education in support of your security culture vision.
  • Recognize and reward. Reward people who proactively report suspected phishing and other security incidents, and track measurable gains such as the number of employees who have completed a security training module, improved results in email phishing simulations, or higher scores on an assessment of employee support for the security culture. When gains are realized, share the results with employees and celebrate.

Mending a dysfunctional security culture is a gradual process, something not achieved overnight but certainly attainable. It is a non-linear process that involves gains and setbacks along the way. But intentional focus pays off over time – improvements can be made and measured, positively impacting the protection of vital systems and data. With sustained effort, a positive security culture can be accomplished, eventually moving beyond dysfunction to proactive employee engagement, relationship building, and risk reduction.
