Transforming a Dysfunctional Security Culture
Jeff Wolverton
Security culture in organizations can often suffer from indifference and disengagement. However, with focused efforts, it’s possible to shift from a lackluster security culture to one where employees actively champion security measures. Here’s a guide on how to achieve this transformation.
Understanding Security Culture
There’s a well-known business adage attributed to Peter Drucker: “Culture eats strategy for breakfast.” This emphasizes that without a robust culture, executing strategies becomes a formidable challenge. In an organizational context, culture influences how tasks are performed and goals are achieved. Security culture, specifically, comprises the ideas, customs, and social behaviors that shape how security is perceived and practiced within an organization.
Hallmarks of a Security Culture
A positive security culture evolves over time, progressing from mere compliance to a deeply ingrained, sustainable practice that promotes secure behaviors and prevents breaches. Conversely, a dysfunctional security culture can thwart organizational goals. Signs of a dysfunctional security culture include:
- Non-compliance with data management policies and procedures
- Inadequate protection of sensitive data
- Lack of employee security awareness training
- Poor breach protection and reporting mechanisms
- High turnover, low productivity, and employee dissatisfaction
Such a culture lacks the focus, programs, metrics, integration, and sustainability needed to positively influence employees’ security mindsets, jeopardizing the organization’s systems, data, reputation, and brand.
Steps to Fix a Dysfunctional Security Culture
- Address Major Issues First: Pay attention to overall cultural signals such as turnover and dissatisfaction, which can impact security. Monitor and respond to these signs proactively.
- Identify and Assess Problems: Catalog specific concerns about your security culture, such as employee attitudes or policy adherence issues. Use assessments, surveys, and diagnostic tools to quantify these problems and establish benchmarks for improvement.
- Evaluate Leadership Impact: Leadership sets the tone for organizational behavior. If leaders are dismissive of security policies or fail to support training, a dysfunctional culture is likely to take root. Leadership must actively participate in and endorse security initiatives.
- Focus on Key Behaviors: Instead of attempting to overhaul everything at once, prioritize one or two critical behaviors to change. Focused efforts can lead to significant improvements.
- Define Your Vision: Clearly articulate what a strong security culture looks like and the indicators of success. Ensure this vision is communicated to employees, so they understand the goals.
- Design a Broad Influence Plan: Use project management principles to implement changes and secure buy-in from advocates within the organization.
- Engage Employees: Security culture must be upheld by the entire organization. Involve employees in identifying protective measures, gathering implementation ideas, and providing feedback on training programs. Regularly share progress and educational information to maintain engagement.
- Recognize and Reward Positive Behavior: Celebrate successes, whether it’s proactive reporting of security incidents, completion of training modules, or improved phishing simulation outcomes. Recognizing and rewarding positive actions reinforces desired behaviors.
Achieving a Positive Security Culture
Transforming a dysfunctional security culture is a gradual, non-linear process that requires sustained effort. Over time, with intentional focus, improvements can be made and measured, leading to a robust security culture. This transformation not only enhances the protection of vital systems and data but also fosters proactive employee engagement, stronger relationships, and reduced risks.
By following these steps, organizations can move beyond dysfunction and cultivate a security culture that supports and enhances their overall mission. Reach out to us at PivIT Strategy to understand a clear path to achieving a positive security culture.
Jeff Wolverton
Jeff, the CEO of PivIT Strategy, brings over 30 years of IT and cybersecurity experience to the company. He began his career as a programmer and worked his way up to the role of CIO at a Fortune 500 company before founding PivIT Strategy.