Who is responsible for security culture in your company? Well, that would be the security team, I hear you cry! Whilst security teams and personnel are certainly part of the answer… they are not THE answer and if you rely solely on the security team to inhabit a culture, you may run into to some issues…
For a strong security culture to exist, it’s imperative that security is the responsibility of everyone. Whilst security staff and managers of course play a fundamental role in establishing the policies and frameworks to enable a positive culture, it is a joint responsibility of all staff. Everyone must play a part and feel it is integral to their job role, rather than an inconvenience or burden upon their already busy working day.
Before looking at how to create a positive culture, lets first look at what a strong security culture is and why it even matters in the first place.
What is a strong security culture?
Everyone will have their own opinions on this, but a quick read of most security articles, blogs and security focused websites will highlight some common themes. These key themes are captured by the National Protective Security Authority (NPSA) which states that security culture is “a set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security”[1]. Building further on that, there is strong consensus that what transforms a culture from adequate to strong, is one that is embedded in the organisation and is, you guessed it, a collective responsibility.
But why does having a strong security culture matter? Why are policies and procedures not enough?
In its simplest form, a strong security culture will serve as the foundation to protect information, data and privacy, resulting in fewer breaches and security incidents for the company, its staff and customers. We must accept that there are always going to be security threats and incidents that are outside of our control, but through strong culture we can significantly reduce ‘preventable’ incidents. Ultimately, this saves the company time, money, effort and resources dealing with unnecessary and preventable security breaches.
Having sound security policies, procedures and expensive physical security infrastructure is great, but loses its value if the workforce is not actively engaged, taking responsibility for security issues and thinking and acting in a security conscious manner.
How can you encourage a positive security culture within your business?
Here are some key themes that are regularly seen across businesses with a strong culture:
A strong culture is embedded within the organisation and is seen as a collective responsibility.
People know how to report or raise security incidents and aren’t afraid to do so
It is better to have what may seem a small insignificant issue reported to the relevant security team, rather than waiting for it to turn in to a much larger problem or breach, that could have been prevented by earlier reporting.
The security culture enables people to do their jobs, rather than burdens them.
If your security policies are unreasonable and impeding staff doing their jobs, then they will most likely choose to ignore them and take risks. Work out how business needs and security requirements can work together, not against each other!
The security team are approachable
This encourages people to ask for advice or input from the security team before it’s too late. Highlighting a potential issue at the start of a project and working on a solution together is better than finding out there is a problem or potential breach at the end when the work has already been done! This could turn out to be an expensive mistake!
How can Risk Evolves help you achieve those things…
Trying to develop a strong security culture may seem overwhelming and like an impossible task. Whether you need help with GDPR, ISO certification, cyber security or health and safety to encourage a stronger culture, working with us will give you confidence in your culture and compliance, ensuring you reap its many rewards whilst protecting against risks and threats.
We’ll take your unique requirements and provide you with straightforward and concise solutions, outlining exactly what is needed.
Let us be your trusted partner, accompanying you every step of the way. Get in touch, today.