How to Create a Companywide Security Culture
Although a company-wide security culture is vital, it can be difficult to maintain or develop. It is more important than ever to strengthen organizational security culture, especially in light of recent events like the pandemic or the stressful economy that has created more complex problems.
“Culture goes beyond awareness and training. It must be at the center of strategic priorities and the focus of executive managers,” says Nina Bryant, Senior Manager and Head of UK Information Governance, Privacy, and Security Practice at FTI Technology. Culture is defined by the behaviors that are accepted and those that are not. It also determines how an organization communicates about security, privacy, and compliance. These factors have a significant impact on how successfully a culture that encourages awareness and proactive action can be embedded.
Top Ways to Create a Companywide Security Culture
Security leaders have some suggestions for where to begin when building and maintaining a strong companywide security culture.
1. Understanding the corporate culture.
Wesley Bull, CEO of Sentinel Resource Group, believes this is the most important piece. Bull says, “If you want your company culture to be strategic and effective, you must first understand it.” This is especially important because of the potential career implications.
He gives the example of a company with a welcoming culture that does not insist on security and allows employees to hold doors open for others. You are the security chief and must establish an access control policy: everyone must have a badge to enter the building.
Bull says, “Now the rest of the C-suite views you as someone who doesn’t understand their business because you don’t understand their culture.” Bull continues, “You are trying to push a strategy that isn’t compatible with the corporate culture. The security culture that you want to implement doesn’t align with the corporate environment.” You may suddenly be seen as unfit, and you have lost the opportunity to engage the C-suite in a risk-based conversation about the corporate culture before developing your security strategy.
Bryant agrees that security culture and organizational culture should be aligned. “Organizations need to understand their current culture. Not just on paper but in the daily decisions and behavior of their employees. They must also understand the sources of pressure to disregard compliance requirements or take risks. Effective and successful security and compliance are built on culture, especially in today’s hybrid world.”
Understanding perceptions matters here: Bryant says that employees may view compliance either as a valuable component of the strategy or as a barrier to their advancement.
2. Perform a cultural assessment.
Bull recommends that you start with a culture assessment to determine the compatibility, or lack thereof, between security culture and corporate culture. Bull suggests that you compare the stated culture to actual practices. He says that there is often a big disconnect between the two. “Security practices seldom meet the policies espoused; instead, they default to an environment that’s acceptable.”
Bryant recommends that an organization conduct a cultural assessment in order to identify the differences between cultural norms and needs. This assessment should include workshops, research, and one-on-one interviews with all levels and functions within the organization. This allows security teams to gain insight into employees’ perceptions.
3. Be creative.
Next, you need to be creative in training and implementation. Duncan Turner, Head of Physical Security Operations at Amazon Studios, believes it is time to end mandatory online security training. He says, “Everywhere I have been, the uptake is poor, compliance is poor, the training doesn’t engage or get remembered, and people only click through it after they’ve received their third reminder.” If you want to build culture, you have to be creative in your training.
For example, Turner’s team hosted a self-defense training session over lunch with a local trainer in a conference room. Turner says that the event was a huge success. Your culture will be stronger if employees feel that the company takes their safety and security seriously.
Turner was the last person to hold this position. He created the security culture from scratch. His team developed animated characters that were engaging and humorous and produced eight- to ten-second videos. These videos appeared on message boards in communal areas as well as on employee log-in screens.
The animations created excitement at work and made people smile. Turner says that people wanted to know when his next video would be out. “Yes, it is a serious message. But you can’t make the message too serious, or people will ignore it.”
4. Consider the regulatory environment.
When implementing a security culture, it is important to take into account the legal and regulatory context.
“Understanding the differences between security culture and corporate culture creates interesting interactions: corporate executives and security executives can have a more intelligent, risk-based conversation because they’re having a new conversation,” Bull says.
It is no longer about what security personnel want to do, but about what the company must do and what risks it is required to accept based on those decisions.
5. Use a variety of strategies.
Turner advises against focusing on a single strategy or activity to build culture and awareness. Instead, engage people through a mix of approaches such as creating a security landing site, producing short videos, speaking at all-hands coffee chats, doing desk drops, and holding raffles. Turner states, “As soon as people see free stuff, they’re going to check it out.”
Bryant advises that training should be tailored to the culture of the organization and the needs of its employees. Some people might find digital communications like podcasts or internal social media channels a viable option, while others may be more responsive to leaflets, team meetings, town halls, or desk literature.
6. Establish relationships with key stakeholders.
Bull believes that these connections give security leaders insight, help them understand the corporate culture better, and let them build a coalition. Involving key stakeholders also creates unity. Bryant states, “Having a senior executive send a message to reinforce awareness and training campaigns can prove to be extremely beneficial. If the CEO, CDO, or CIO contributes to a written or video communication, it will show top-down support.”
7. Partner with the communications and marketing department.
Employees will not be able to take in the message if they are overwhelmed. Turner states, “You have to find that consistent drumbeat.” It is important to work with the company’s marketing and internal communications department. They can provide guidance, conduct surveys to assess the success of the security program, analyze metrics, and ensure that security messaging is consistent with the organization’s brand identity.
8. Align team efforts.
Bryant says that failure to consider cultural change management can be a barrier to an organization’s success in compliance and business growth. She suggests that security culture teams coordinate their communications and strategies for talking about the program so that they reflect the company’s vision (e.g. conservative, tech-driven, or traditional).
9. Don’t inconvenience employees.
Turner says, “We want to be a supportive group, not an annoying team that nags employees about going about their businesses, sends nasty email reminders about mandatory training, and then ambushes them in the hallway on their way to a meeting.” He says that pop-ups set up in public areas are a great way to get employees to come to him. “We advertise what we do and draw people to our booths with prizes and giveaways in exchange for a chat.”
10. Work cross-functionally.
“Sometimes organizational structure and culture can create gaps in responsibilities or a ‘that’s-outside-my-job-description’ approach,” Bryant notes. She says that security programs can be a great way to encourage employees to behave in a manner that is more secure and compliant with privacy.
11. Participate in new-hire orientations.
Turner believes that training for new hires is beneficial. He says, “It allows you to make an impact on new employees right away.” Turner was a strong advocate for these orientations in his previous roles. “I guided them through what we were trying to achieve, how to get a grip on us, what they could expect from us, where resources can be found, and what our security priority was.”
12. Prepare for upcoming challenges.
Bull says that the security environment presents unique challenges from both a cyber and a physical perspective. Bull has clients in high-crime areas, and there has been a significant rise in the number of companies calling his firm for assistance when their employees are physically attacked on their way to work.
“The problem is, where does the boundary line start and end?” Bull says. These people are not in the workplace, but there is an obligation to ensure their safety while traveling to work. “These are cultural nuances that can be very difficult, and it’s an issue for many companies right now.”