Why Security Culture Matters to Your Business and How to Start Building Now
“I came to see, in my time at IBM, that culture isn't just one aspect of the game, it is the game.” - Louis V. Gerstner, Jr., former CEO of IBM.
Ninety-seven percent of IT leaders in a recent survey conducted by Egress Software expressed concern about insider data breaches. Of those, 78% estimate that their employees have accidentally put company data at risk.
Such accidents occur for a variety of reasons - poor security processes, lack of awareness about security protocols, employees being unsure of expected security behaviors, etc. As far as internal software development is concerned, DevOps has transformed into DevSecOps in a bid to make development, operations, and security teams collaborate more closely on resolving such issues.
Why do these accidents persist? Because all of these practices focus only on education and prevention, not on a holistic cultural shift. Someone needs to own the security issues and implement a process to resolve them with a Service Level Agreement (SLA) in place. Currently, typical security management approaches include basic training programs, prevention and monitoring, behavior tracking, and tackling individual incidents with appropriate measures. While they do resolve issues to some extent, they don’t ensure watertight data security or prevent threats. Companies need to move beyond purely tactical approaches and build a security culture aligned with both security and business goals.
What is security culture?
But first, what exactly is ‘security culture’? According to ISACA, it’s an approach built around the “knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people” regarding security. Implementing a 360-degree approach to security like DevSecOps effectively requires changes at the grassroots level. That means changing an entire organization’s attitude and thought processes so that security becomes an intuitive, integral part of all employee actions and behaviors.
What are the barriers to making security culture a priority?
For leadership, maximizing revenue in a cost-efficient way is one of the biggest priorities. Investing in marketing and sales, acquiring smaller companies, store expansions, etc., are immediate revenue-generating efforts, while cybersecurity is not.
Most employees perceive security culture as the responsibility of “the IT guys”.
People are put off by complex processes and even more complicated jargon. They cannot relate to them and don’t understand how they help them achieve their personal work targets.
When employees have to use software and other tools that are slow, need constant updates, or demand more of their time, it becomes inconvenient and frustrating.
Most firms are still divided on who is responsible for overseeing company security, what they should watch out for to reduce vulnerabilities, and what rules to establish without compromising financial returns.
How to create a security culture shift
Get full support
One of the first and most crucial steps is to get buy-in from key management and partners, followed by every employee. Security culture is a long-term, concerted effort that goes beyond simple training exercises or meetings. Breaking down silos is required not just to achieve a security culture shift but also to implement DevSecOps effectively.
Work security into business goals
Most companies have some kind of security training workshop or program for employees. However, for real cultural change, it’s important to bake security culture-related goals into business drivers and decision-making.
Follow training best practices
Make training programs relatable by explaining real-world consequences and how they would affect employees personally. For instance, explain why multi-factor authentication is needed and what it achieves. Give them facts, make it interactive, break down the jargon, and involve them in mock drills.
Create transparency and trust
A 2019 Verizon data breach report shows that 30% of phishing emails are opened despite people being confident in their ability to recognize one. Equip employees with the practical information they need to spot malicious software, phishing attacks, etc., and give them the confidence to report when they see something suspicious.