6 Steps For Building a Strong Security Culture in Your Organization
Every organization needs to build a strong security culture. As discussed in my first blog in this 3-part series, building and maintaining a strong cybersecurity posture requires collaboration between IT staff and an organization’s management team. Yet building effective collaboration can be harder than it sounds.
My previous blog identified three general types of communication gaps that can impede cybersecurity collaboration.
- Lack of shared context on cybersecurity threats
- Organizational culture impeding communication
- Visibility gaps that prevent management from having clear, consistent information on the organization’s cybersecurity posture and identified risks
This blog focuses on the second challenge on the list, which is an organizational culture that impedes effective communication on cybersecurity risks and may lead to known risks going unreported, and therefore unremediated. While EVERYONE in an organization should have basic cybersecurity training (that’s the topic of a different blog), this blog will focus on solving some common organizational challenges between IT teams and management that may be standing in the way of building a stronger security posture.
How Does a Strong Security Culture Impact Cybersecurity Risk?
My previous post noted that effective cybersecurity collaboration needs to start with a shared understanding of the threat landscape and potential impacts to the organization.
Once a shared threat context is in place, or in progress, the next step for collaboration is shared, accurate knowledge of both the controls in place and the known gaps. The management team and IT staff need to be on the same page as far as how well the organization is protected given the threat landscape, and what weaknesses need to be addressed.
This sounds straight-forward. However, when LMG Security’s consultants work with clients on cybersecurity assessments, testing, and incident response, we frequently see signs of internal communication gaps regarding known security risks. In particular, we often find that IT staff are aware of security weaknesses, but management is unaware of the current risk profile.
This is where organizational culture matters.
Communication and visibility into the controls in place is fairly easy, since we are all comfortable sharing good news. However, few people want to be the bearer of bad news; yet, shying away from reporting cybersecurity gaps is a roadblock to getting the gaps fixed. IT staff and all users must be encouraged to report security gaps and concerns, feel comfortable doing so, and believe their concerns will be taken seriously.
How Can Organizations Build a Strong Security Culture?
As I noted in my previous post, addressing communication challenges to build better collaboration requires action and effort from both IT staff and management teams. However, the responsibility for building a strong organizational security culture falls more on the management side, since it requires visible management support and engagement. Here are 6 steps management and IT teams can take to build a stronger security culture:
- Management teams can encourage a strong security culture by asking all employees to report known or suspected vulnerabilities for investigation and remediation.
- Managers should convey a consistent and genuine interest in this topic, which should come as a natural outcome of management training now that they are informed of the threat landscape and potential risk to the organization.
- Managers need to ask IT team members and security staff about any concerning gaps or limitations. This should be done regularly! One survey found that 49% of employees don’t express their thoughts because they are not regularly asked to share their ideas.
- Emphasize that the organization can’t fix issues if no one reports the problem.
- Remove the fear factor. Bringing concerns forward has to be seen as a positive act, not an opportunity for the blame game. If staff feels a blame game situation is likely, it can be a significant deterrent to their reporting gaps that your organization needs to hear about and fix.
- Don’t blame the reporter for not mentioning it sooner. Be glad they brought the weakness to your attention. Say thank you!
- Avoid an immediate focus on determining who is at fault for the gap – focus on fixing it. Even if the person reporting it is not at fault, many employees don’t want to be responsible for implicating a coworker or starting a chain of events that could get a coworker in trouble.
- That said, it is healthy to look into why the gap exists. Focus the inquiry on process, not individual people. It is helpful if you can frame the gap in the context of your organizational security policies. If you don’t have written security policies to point to, see my colleague Ben Kast’s recent post full of helpful policy development advice.
- Employees need to know their concerns will be taken seriously. Over time, a “why bother” outlook can develop, especially if the organization or department is budget constrained or if security-related requests have been turned down or ignored in the past.
- Not all identified risks can or should be acted on immediately, but they should be risk rated, tracked for visibility, and placed in a ranked list of priorities.
- Develop a process for tracking reported gaps, such as adding the identified risk to your risk treatment plan for assignment and remediation tracking. Don’t have a risk treatment plan? See my previous blog on risk management for some tips, and watch for further discussion in my next post in this 3-part series.
- Avoid assuming the person who finds or reports the gap should be the one to fix it. A “you found it, you fix it” IT and security culture can make staff hesitant to share concerns, especially if they already feel fully tasked.
- Again, a centralized risk tracker can help. Add the gap to the tracker and then determine what roles are best suited to investigate and implement possible solutions. Also consider resource needs for implementation such as training or professional services.
- IT staff can contribute to a strong, collaborative security culture by communicating clearly and intentionally about security gaps and weaknesses.
- Don’t wait to be asked directly about cybersecurity gaps. Share your knowledge of any gaps, and be explicit about why it matters.
- Frame identified gaps within the shared context of the threat landscape and how the gap creates risk for the organization.
- Not all gaps are equally important. Help management understand which improvements are “nice to haves” versus which changes are essential to protect against known threats.
- Support the management team in their efforts to create a strong security culture. A strong security posture requires consistent, visible management support and engagement. Senior leaders in the organization should regularly discuss why everyone being cyber aware and following security policies is important for strong cybersecurity. IT teams can support these efforts by providing leadership with talking points for organizational communications, such as security reminders for users, relevant threat information, and positive updates to share on recent and planned security improvements.
Watch for my next post in this series, where I will discuss visibility challenges that can limit management’s view of the organization’s cybersecurity posture and impede building a strong security culture.
Would you like advice or support strengthening your organization’s security posture? LMG Security offers cybersecurity assessments, testing, and training to help organizations develop their cybersecurity programs and reduce risk. Contact us to see how our experienced consultants can support your cybersecurity goals.
Read part one of this series: Solving 3 Common Security Gaps Through Better Cybersecurity Collaboration