Rob Koch, Chief Executive Officer at DYOPATH
More and more business leaders are recognizing the importance of merging business strategy with IT strategy. Because of this merge, security is taking the lead as a major player in organizations rather than simply an IT task. Employees, too, have come to at least understand that security is reasonably important. But to assuredly protect your organization from cyberthreats, a strong security culture has to be created.
What is a Security Culture?
Every organization has a security culture, even the ones that don’t know it. However, in those cases, they likely have a poor security culture. A security culture is essentially an organization’s values, practices, and mindsets that determine how everyone within the organization thinks about, and acts towards, security.
In a strong, positive security culture, executives and employees have an educated grasp of cybersecurity threats that their organization faces. In addition, efforts towards awareness, prevention, and remediation are proactive and continuous.
Driving a Security Culture from the Top Down
I’ve seen it time and time again in best-in-class organizations. One commonality between them is that their security cultures are driven from the top down, built into their very fabric. By nature, employees take cues from their leaders on both a cognizant and subliminal level. Without executive leadership buy-in, it can be a daunting task to achieve a security culture that aligns to business outcomes and permeates all levels of an organization.
From the top of the leadership pyramid, a security culture can be developed and enforced with the help of a security program. With this top-level support, organizations are better able to acquire the funds and resources needed to implement the people, processes, and tools that support such a culture. These are also the three pillars of DYOPATH’s highly flexible and adaptable security program.
Supporting a Sustainable Security Culture with a Holistic Security Program
Everyone across an organization should play a role in supporting a healthy security culture, because security is everyone’s responsibility. The way to do this is with a holistic security program, because frankly, the days of installing a few tools to prevent malware or phishing attacks are over. Tools are no longer enough; organizations need multi-layered protections in the way of people, processes, and tools. With a well-defined security program in place, consistent focus can be given to synchronizing and executing the proper security culture.
Additionally, there are three key elements that organizations of any size can integrate to start creating a security culture:
Are your employees aware of the data that they collect at your organization or the importance of that data? Help them understand what they’re protecting, why they’re protecting it, and what can happen should that data fall into the wrong hands. Understanding is usually the first part in creating a strong security culture.
Train through Storytelling
Security awareness training creates a security-aware workforce. And when given consistently, it also shows employees that security is considered a priority by the organization and by leadership. But mindless, tech-heavy training isn’t very likely to have a lasting impact. Instead, change mindsets through storytelling. Try to keep the focus on the why rather than the how, and educate your users on different attack scenarios. This helps employees personalize the security experience, seeing its importance not just in their work lives but in their home lives too.
Implement a Shame and Fear-Free Way of Reporting Incidents
Unfortunately, over my time in the technology industry, I have seen many instances of employees being shamed for unwittingly committing security incidents. Some business leaders have gone so far as to even fire and sue employees who have accidentally caused a security breach. Many organizations try to instill fear in employees, rather than providing a safe and supportive space for reporting incidents.
The fact of the matter is that a large percentage of attacks actually come from within your organization – either accidentally or with intention. This might be the result of an employee sharing a username and password, opening a corrupted email, or even a disgruntled employee sharing privileged access. However an incident happens, it’s best to implement a user-friendly way for employees to report it. This is going to increase the odds of them coming forward about the incident rather than letting it lie dormant, possibly undetected.
Although it is not going to happen overnight, in time all of these elements, along with a holistic security program, will establish a resilient and sustainable security culture for your organization.
Thank you for taking time to read this blog. As part of our “Security Is a Journey, not a Destination” campaign, we are aiming to educate business leaders on viewing security as a holistic program, rather than just technology. I hope you will follow along for two more blogs I have coming up where I’ll be discussing security breaches and how to address them, as well as how to invest in security to avoid wasted costs and increase ROI.
You can learn more about DYOPATH and our Managed Security services by visiting our website.
About the author: Rob Koch is the Chief Executive Officer (CEO) at DYOPATH and a pioneer within the managed service provider (MSP) vertical. He sets the culture, vision, strategy, and overall business direction across DYOPATH. His leadership of DYOPATH is grounded in his personal values of adventure, determination, health, learning, love, peace, and success. His passion for DYOPATH comes from the people: “We have the best!” says Koch. His favorite quote is, “It’s not the Destination, It’s the Journey.” Ralph Waldo Emerson.