An effective security culture ensures corporate attitudes, activities, and policies are influencing corporate behavior. All aspects of the corporation are affected - be it physical, operational, or cybersecurity.
While organizations may have excellent security policies, without an “attitude” that supports compliance with those policies an organization remains at risk. The “attitude” of every employee towards the company’s policies is often referred to as the company’s security culture. It is this culture that prevents social engineering from successfully preying on employee’s altruism.
Clearly a security culture is for the employees, not for the computers. The computers do exactly what we tell them to do. Employees, however, make the daily choices of whether-or-not to click on links they receive in email, provide confidential information to an individual during an unsolicited phone call, or to take the time to implement security requirements into their software application.
Ultimately a security culture affects the bottom line. If every employee aligns with the security culture, software gets developed with the right amount of acceptable risk. It’s the balance of slow and safe and fast and risky. The dilemma here is that humans want to do the right thing for security, they just need to be taught to do the “right thing at the right time”.
So, what does that mean for any organization? It's about balance – ensuring the culture and actions of all employees support your security policies. How do you get there?
- Provide your employees with training that ensures that everyone is on the same page with respect to what having a secure culture means.
- Security training should be provided at regular intervals or at the “time of need”. Repetition is key.
- Periodic testing of policies and effectiveness of training, including sending phishing emails to employees and tailgating attempts into secure parts of the office.
- On top of general awareness is a need for application security knowledge for the developers and testers within your company.
- Ensure that your systems and policies are up to date. Regulations are constantly being developed and changed and it is important that employees are aware of all changes or that you have a system that notifies them of changes – as poorly developed software is a lot easier to cyber-attack.
Every company has a security culture – it just may not be the one desired! The good news is that any security culture can positively change. Remember, culture change takes time but with effort from everyone with the organization, it is absolutely achievable.
Remember, not only does a positive security culture lower organizational risk but it positively affects the time to market for secure software – it’s a win-win for the business!