Most corporations suffer from the delusion that a small team of cybersecurity experts buried within the bowels of IT (or elsewhere) can protect the other 99%+ of the company’s workforce from exposing business-sensitive or business-critical information to malicious external actors. Unfortunately, this same delusion exists within many IT shops. 95%+ of the IT staff members blithely assume that the security team (which may represent only 5% or less of the total IT staff) will keep them all out of trouble. These delusions have proven to be false many, many times, but they persist nevertheless.

In the current age of widespread security awareness, almost every enterprise has established a security program. A security program consists of policies established by the CISO or ranking security leader, operational controls that enforce the policies, work rules and procedures that implement the controls, tools that support the rules and procedures, and a security operations team that employs the tools to monitor the rules and procedures and audit the consistency and effectiveness of the controls. This sounds complicated, but the key components of a successful security program are well understood by most IT shops and have been implemented to one degree or another in most enterprises.

A security program and a security culture are two different things. In a security culture, employees have an informed understanding of the cybersecurity threats that confront their companies. They understand the motivations and intents of the malicious actors that operate within their industries or markets. Cybersecurity issues and concerns are routinely discussed in normal business meetings such as quarterly business reviews, business strategy sessions, budget planning meetings, M&A evaluations, etc. They’re not confined to periodic meetings dedicated solely to security, because leaders and staff members understand that security is an inherent part of everyday business operations. Employees working within a true security culture take an active role in implementing and enforcing security safeguards.

Some might argue that it’s impossible to establish a true security culture in large, diversified companies operating in multiple geographic locations, but there’s abundant evidence to the contrary. Most financial service companies are hyper-focused on risk management and have developed effective security cultures. Companies that depend upon the use of internally developed intellectual property – such as pharmaceutical firms – are equally circumspect about cybersecurity. Pervasive and conspicuous security cultures exist in many large multinational firms.

IT should set the example

It’s impossible to establish a security culture within a corporation if such a culture doesn’t already exist within IT. IT is responsible for too many of the pathways and processes that can be manipulated by malicious actors to avoid playing a central role in cybersecurity defense. If the entire IT organization doesn’t take its cybersecurity responsibilities seriously, what hope can there really be for establishing such a culture throughout the enterprise?

While IT cannot establish an enterprise-wide security culture on its own, it should provide an example of such a culture that other functional departments can emulate. Unfortunately, this is rarely the case. There are too many IT shops in which security responsibilities have been delegated to a small team of security professionals and are largely ignored by other staff members. Many IT groups outside the security team routinely dismiss, disregard or debate instructions to insert more rigorous safeguards into their existing technology stacks or operational procedures. Furthermore, it’s not uncommon for individual staff members to express dismay or indifference when asked to assist in the resolution of security-related audit issues or the response to specific security incidents. Security training is frequently regarded as a waste of time and an unwarranted intrusion on an individual’s other, more pressing responsibilities.

Build the culture

What can IT leaders do to establish security cultures within their own organizations? Here are six triggers that will produce the desired results if they are performed on a sustained basis.

Teach. Educate staff members about the generic identities of the malicious actors threatening your company. Discuss case history examples of breaches occurring within other companies with similar products, services, operating models or markets. Ensure they understand the principal pathways that malicious actors have employed in the past to penetrate cyberdefenses and exfiltrate sensitive information.

Manage. Establish a prioritized list of cyber vulnerabilities, commonly called a risk register. Involve as many members of the IT team as possible in adding items to the list and prioritizing known vulnerabilities. Provide rewards and recognition to individuals who are the most prolific or insightful contributors to the risk register as a means of incenting others to contribute as well.

Talk. A former colleague of mine used to say “whatever interests my boss fascinates me”. Any leader who spontaneously exhibits interest or concern about some security-related topic at least once per day will soon discover that their peers and subordinates are doing the same. Staff members take cues from their leaders, both consciously and subconsciously.

Measure. Everyone is familiar with Peter Drucker’s observation that “what gets measured gets managed”. Security metrics are tricky to design. They can focus on the enterprise-wide implementation of security safeguards or on their effectiveness. For understandable reasons, many companies are reluctant to broadly communicate the effectiveness of their safeguards, and if the metrics can’t be shared with employees or management team members, they are unlikely to influence behaviors.

Personalize. Use every possible opportunity to develop analogies between the security issues employees encounter as Internet-enabled consumers and those they encounter in performing their jobs. Help your team members understand how compromised credentials, ransomware, cookies and other cyberthreats could impact their personal lives, and they’ll become much more sensitive to the ways in which they use the Internet in your workplace.

Penalize. In a perfect world we would only need to educate team members about cyber threats and safeguards, and their behaviors would change accordingly. However, in the world in which we actually operate, penalties need to be levied when policies, controls and operating procedures have been compromised, either intentionally or unintentionally. Employees generally accept the need for personal penalties when business results are compromised. They need to understand that security controls have been established for business reasons and that failure to adhere to such controls will have consequences. Penalties obviously need to be graduated based upon the severity of the offense, but an absence of such penalties will undermine the culture you are trying to establish.

Lead the cultural crusade

No single team of infosec professionals – no matter how smart or well-funded they are – can unilaterally protect the corporation from the full spectrum of hackers, criminals and nation states that it faces on a daily basis. In fact, absolute security guarantees can’t be achieved under any circumstances, but the odds of success increase immeasurably if a company is able to establish a security-aware culture in which every employee understands the risks they face and fully complies with the safeguards that have been put in place. While few would disagree with this statement, most are confused about where to start. Security teams have to have security cultures because that’s their job. IT professionals outside the security team need to embrace the culture with both their hearts and minds and become visible evangelists as well.

Revolutions succeed when their proponents are able to convert casual bystanders into reliable foot soldiers. If IT leaders can avoid over-engineering policies, controls and procedures and personally institute the trigger practices listed above, they can create a successful security culture within IT that will provide a guiding light to the rest of the corporation. IT leaders frequently bemoan their inability to exert broader leadership across their companies. This is their opportunity!