Security Culture 

A UK government paper from September 2024 defines security culture in an organisation as:

‘…the way its members understand and behave with regards to security, as a direct consequence of the extent to which security is designed to work for people, and of the overarching organisational culture in which they work.’[1]

The critical statement here is that security is ‘designed to work for people’.

Attempting to enforce complicated and seemingly irrational processes and procedures on individuals within an organisation will almost certainly lead to security failures in the future. Team members will find workarounds, not out of malice, but because the systems are not intuitive or practical.

In her 2019 paper ‘Left in the dust: Employee constructions of mission and vision ownership’[2] Professor Irina Kopaneva found that 93% of surveyed employees believed that their contributions to organisational culture were unnecessary. This highlights a fundamental disconnect between staff and the business’ values, including its approach to security. When considering the security culture of any organisation, it is important to consider that the majority of those within the organisation may already feel disengaged or feel their contribution unnecessary. For an attacker trying to access a facility or steal information, this is reassuring: if employees don’t feel responsible, they’re unlikely to challenge suspicious behaviour or notice security flaws.

Furthermore, with 52% of large organisations already outsourcing their cyber security function, and a further 28% intending to do so in the near future[3], there is a risk that internal ownership over security may diminish as responsibility shifts outside the organisation. A strong culture is a virtuous circle, where individuals all contribute to the success of the company by constantly examining the process and practices to create an ever-improving environment. This is no less true of security culture. Internal scrutiny aims to perfect the balance of security and convenience, thereby making adhering to good security practices intuitive.

But how does an organisation create such a culture?

Using Professor Kopaneva’s research, we can safely assume that giving employees a stake in the security culture, or even having them help to develop it, is one way of ensuring that more than the remaining 7% of staff care about the business’ culture, values, or mission.

Start by creating a culture of interest

To achieve this, begin by creating a culture of interest. Ensure that at least once a week, your departments devote time to discussing relevant and impactful events which may affect your organisation, clients, customers, and competitors. Have each person bring one news story to the table and offer the opportunity to discuss that article in an open forum.

Appoint security champions

Nominating enthusiastic members of staff to become security ‘Champions’ is a simple way of devolving small aspects of workplace security to individuals without impacting their role within the business. Start small and aim for gradual improvements!

  • Password Champion – reminds staff about strong, unique passwords and the use of password managers. Give them a budget for software!
  • Account Security Champion – working with the Password Champion, they remind all staff that their personal accounts should be private, and that the information remains available only to those they wish to see it.
  • Building Security Champion – checking windows and doors before leaving the office and removing confidential information from whiteboards and desks.
  • Systems Security Champion – someone interested in technology who can research and suggest the best CCTV and intruder detection systems and teach everyone how to use them.
  • People Champion – Chief of the Champions, our People Champion reminds everyone to stay alert, call out bad security behaviours, and suggest improvements, and ensures everyone does their annual ProtectUK[4] ACT and SCaN training.

Once the people are in place, the processes can be refined to create the perfect balance between security and convenience. It’s always a trade-off, but finding a point of acceptable compromise is where the success begins, and that 93% turns into 80%, then 70%, and so on.

Policies and processes developed with your staff are more likely to be accepted than those brought down from Mount Sinai…!

Aim for small improvements as opposed to immediate sweeping reforms. This is a marathon, not a sprint. Sprints happen when we need to get somewhere quickly, often after an incident has occurred, but consistent improvement over time is preferable and more likely to be accepted by staff. Eighty percent policy adherence, rather than 100%, is good enough. Aiming for perfection can lead to disenchantment and disengagement.

Regularly test your security, but avoid a culture of blame: disenchanting or embarrassing your staff is counterproductive.

Finally, regularly look back to see how much you have improved.

[1] www.security.gov.uk/policy-and-guidance/improving-security-culture
[2] Kopaneva, I. (2019) ‘Left in the Dust: Employee Constructions of Mission and Vision Ownership’
[3] https://securitybrief.co.uk/story/uk-businesses-increasingly-outsourcing-cybersecurity
[4] https://www.protectuk.police.uk/catalogue