How to establish a security culture within IT

Most corporations suffer from the delusion that a small team of cybersecurity experts buried within the bowels of IT (or elsewhere) can protect the other 99%+ of the company’s workforce from exposing business-sensitive or business-critical information to malicious external actors.  Unfortunately, this same delusion exists within many IT shops.  95%+ of the IT staff members blithely assume that the security team (which may only represent 5% or less of the total IT staff) will keep them all out of trouble.  These delusions have proven to be false many, many times but they persist nevertheless.

In the current age of widespread security awareness, almost every enterprise has established a security program.  A security program consists of policies established by the CISO or ranking security leader, operational controls that enforce the policies, work rules and procedures that implement the controls, tools that support the rules and procedures, and a security operations team that employs the tools to monitor the rules and procedures and audit the consistency and effectiveness of the controls.  This sounds complicated but the key components of a successful security program are well understood by most IT shops and have been implemented to one degree or another in most enterprises.

A security program and a security culture are two different things.  In a security culture employees have an informed understanding of the cybersecurity threats that confront their companies.  They understand the motivations and intents of the malicious actors that operate within their industries or markets.  Cybersecurity issues and concerns are routinely discussed in normal business meetings such as quarterly business reviews, business strategy sessions, budget planning meetings, M&A evaluations, etc.  They’re not confined to periodic meetings that are dedicated solely to security because leaders and staff members understand that security is an inherent part of everyday business operations.  Employees working within a true security culture take an active role in implementing and enforcing security safeguards.

Some might argue that it’s impossible to establish a true security culture in large, diversified companies operating in multiple geographic locations but there’s abundant evidence to the contrary.  Most financial service companies are hyper-focused on risk management and have developed effective security cultures.  Companies that depend upon the use of internally developed intellectual property – such as pharmaceutical firms – are equally circumspect about cybersecurity.  Pervasive and conspicuous security cultures exist in many large multinational firms.

IT should set the example

It’s impossible to establish a security culture within a corporation if such a culture doesn’t already exist within IT.  IT is responsible for too many of the pathways and processes that can be manipulated by malicious actors to avoid playing a central role in cybersecurity defense.  If the entire IT organization doesn’t take its cybersecurity responsibilities seriously, what hope can there really be for establishing such a culture throughout the enterprise?

While IT cannot establish an enterprise-wide security culture on its own, it should provide an example of such a culture that other functional departments can emulate.  Unfortunately, this is rarely the case.  There are too many IT shops in which security responsibilities have been delegated to a small team of security professionals and are largely ignored by other staff members.  Many IT groups outside the security team routinely dismiss, disregard or debate instructions to insert more rigorous safeguards into their existing technology stacks or operational procedures.  Furthermore, it’s not uncommon for individual staff members to express dismay or indifference when asked to assist in the resolution of security-related audit issues or the response to specific security incidents.  Security training is frequently regarded as a waste of time and an unwarranted intrusion on an individual’s other, more pressing responsibilities.

Build the culture

What can IT leaders do to establish security cultures within their own organizations?  Here are six triggers that will produce the desired results if they are performed on a sustained basis.

1. Teach. Educate staff members about the generic identities of the malicious actors threatening your company. Discuss case history examples of breaches occurring within other companies with similar products, services, operating models or markets.  Ensure they understand the principal pathways that malicious actors have employed in the past to penetrate cyberdefenses and exfiltrate sensitive information.
2. Manage. Establish a prioritized list of cyber vulnerabilities, commonly called a risk register. Involve as many members of the IT team as possible in adding items to the list and prioritizing known vulnerabilities.  Provide rewards and recognition to individuals who are the most prolific or insightful contributors to the risk register as a means of incenting others to contribute as well.
3. Talk. A former colleague of mine used to say “whatever interests my boss fascinates me”. Any leader who spontaneously exhibits interest or concern about some security-related topic at least once per day will soon discover that their peers and subordinates are doing the same.  Staff members take cues from their leaders, both consciously and subconsciously.
4. Measure. Everyone is familiar with Peter Drucker’s observation that “what gets measured gets managed”. Security metrics are tricky to design.  They can focus on the enterprise-wide implementation of security safeguards or their effectiveness.  For understandable reasons, many companies are reluctant to broadly communicate the effectiveness of their safeguards and if they can’t be shared with employees or management team members the metrics are unlikely to influence behaviors. 
5. Personalize. Use every possible opportunity to develop analogies between the security issues employees encounter as Internet-enabled consumers and those they encounter in performing their jobs. Help your team members understand how compromised credentials, ransomware, cookies and other cyberthreats could impact their personal lives and they’ll become much more sensitive to ways in which they use the Internet in your workplace. 
6. Penalize. In a perfect world we would only need to educate team members about cyber threats and safeguards and their behaviors would change accordingly. However, in the world that we actually operate, penalties need to be levied when policies, controls and operating procedures have been compromised, either intentionally or unintentionally.  Employees generally accept the need for personal penalties when business results are compromised.  They need to understand that security controls have been established for business reasons and that failure to adhere to such controls will have consequences.  Penalties obviously need to be graduated based upon the severity of the offense, but an absence of such penalties will undermine the culture you are trying to establish.

Lead the cultural crusade

No single team of infosec professionals – no matter how smart or well-funded they are – can unilaterally protect the corporation from the full spectrum of hackers, criminals and nation states that it faces on a daily basis.  In fact, absolute security guarantees can’t be achieved under any circumstances, but the odds of success increase immeasurably if a company is able to establish a security-aware culture in which every employee understands the risks they face and fully comply with the safeguards that have been put in place.  While few would disagree with this statement, most are confused about where to start.  Security teams have to have security cultures because that’s their job.  IT professionals outside the security team need to embrace the culture with both their hearts and minds and become visible evangelists as well.

Revolutions succeed when their proponents are able to convert casual bystanders into reliable foot soldiers.  If IT leaders can avoid over-engineering policies, controls and procedures and personally institute the trigger practices listed above, they can create a successful security culture within IT that will provide a guiding light to the rest of the corporation.  IT leaders frequently bemoan their inability to exert broader leadership across their companies.  This is their opportunity!