Is your company’s information security plan successful? Are you confident in your security practices? Maybe what you’re missing is a consistent security culture to tie it all together – which could be what you need to prevent a future information breach.

Previously, I explained how to document your security in order to successfully shape an information security program. Prior to that, I also talked about the two types of security that exist, holistic and contextual, and how they work successfully together. This third instalment will explain security culture – what it is, how it affects your business as a whole and what you can do to improve it.

Security Culture - What does it mean?

When decision makers talk about their organization’s security, they tend to mention their security strategy and how it affects the organization’s goals. The strategy also enables the business to be more agile, rather than slowing down processes. While these points are extremely important, there’s an intangible factor that glues them all together – and is often overlooked.

A security culture makes the security strategy followable and effective. It exists in an organization when employees carry out a default behavior when facing cybersecurity-related cases where no concrete guidelines exist. This behavior is the perceived “right choice” a person makes in new situations – whether it’s choosing to not open an attachment from an unscrupulous-looking e-mail, or responding, “no” to an unauthorized emergency hotfix request from a co-worker. If the company has instilled a successful security culture, employees follow cybersecurity principles in both familiar and unfamiliar situations. Therefore, the employee will not open the attachment (since it might carry malware), and will not patch the software without permission (since it does not follow procedure).

It’s even said that it is the employee’s subconscious – i.e. the mindset behind the employee’s actions – that helps make the right (cybersecurity-wise) choice. Having a security culture is more than simply following protocol – it’s the inner mind at work.

How does having a security culture affect your organization?

Why is it so important to dwell on how the subconscious works when security is usually all about strict procedures, clear policies, and specialized technology like firewalls and intrusion detection systems?
Well, every security procedure, policy, and technology needs humans to act on, follow, use and configure. The human factor is visible in everything an organization does – which can admittedly make it difficult to maintain cybersecurity.

The truth is, every job description contains security-related tasks that (if not performed properly) could cause major liabilities. Whether an HR specialist processes personal data insecurely, a receptionist allows unidentified visitors into the company premises, or a custodian throws away confidential paperwork without shredding it, these have potentially devastating cybersecurity consequences. Handling personal data improperly could lead to unauthorized disclosure, administrative fines, and damage to the company’s reputation if publicized. Similarly, allowing in an unauthorized visitor (that could potentially be a competitor) could result in the theft of valuable company information. And a custodian throwing away sensitive papers without the use of a shredder could risk confidential data becoming public. To avoid these situations, all employees must have a cybersecurity mindset, achieved by thinking ahead to predict the consequences of actions.

Another thing to take into account are security improvement efforts. These also require a security culture and are only effective if the company is moving in the same direction as its cybersecurity strategy. Without security culture, the company will lack that direction and turn every department into siloes – with each acting independently based on their core responsibility, regardless of overall security implications. Developers will want to hotfix issues in a production environment because it’s quicker, IT operations will always look for ways to reduce costs, and network engineers will use permit-any rules on their firewalls to speed up deployment. These siloed actions could result in detrimental outcomes, like – respectively – allowing simple mistakes to jeopardize the stability of the business, maintaining sub-standard and vulnerable systems, or leaving the company prone to external attacks.

Cultivating and promoting your security culture

To have a successful security culture, your business must employ a top-to-bottom approach when dealing with cybersecurity improvements and issues. This means cybersecurity initiatives must have visible management support before involving employees. It’s hardly logical to expect employees to actively practice security procedures if management doesn’t set a good example to follow. Security culture is like a community – it’s formed through mutual interest, driven by collective experience and information is freely shared across the group. Using methods that help communities grow and flourish can help the organization cultivate and promote its security culture.

Having an engaging security attitude can also be invaluable for organizations, being a cost-free way to improve security awareness, security culture and generally have better security posture. Companies should also have an environment where security achievements are recognized and mistakes are treated as valuable lessons. Combined with security knowledge and awareness, a healthy security culture boosts protection against human-factor-related security issues like social engineering, phishing and insider threats.

In addition, businesses need to incorporate cybersecurity in day-to-day duties to show employees that cybersecurity traverses through all domains of the business – anywhere from IT to HR. It’s important for employees to understand their actions could have serious security implications and that they need to always adhere to best practices. But understanding the possible harm is not enough – corporate policies must be consistent in reflecting security practices, whether it’s at a person’s desk (putting secure documents under lock and key), at the front entrance of the company building (watching the door for suspicious individuals trying to sneak in) or online (restricting access to sensitive online files). Maintaining consistency is key to having effective cybersecurity and promotes business agility.

Combining those three ingredients – a top-to-bottom approach, an engaging attitude and a comprehensive security management framework – creates a recipe for success. But while this makes a good starting point for growing your security culture, it’s only just the beginning – and we can help.

How Luxoft can help you?

At Luxoft, we help you build a strong security environment and overcome security challenges that spawn from a lack of security culture. Luxoft guides companies on how to build information security frameworks while adhering to best practices around security documentation, security process design and security management. With deep knowledge across multiple industries, we deliver what’s necessary for every business to survive in this digital age.

And security is just the beginning – we provide customized end-to-end solutions that optimize your operations, workforce and customer experiences.

For more information, contact us by clicking here.

Marcin Swiety
InfoSec Director, Luxoft Digital
Marcin Swiety
A seasoned Information Security professional dedicated to business and delivery management in cybersecurity space. He has built and managed internal and external Information Security Services in areas like Data Center, Infrastructure, Network, Outsourcing and Software. He is a white-hat expert and decorated cybersecurity veteran, holder of CISSP, CISM, CISA, CEH, WCSD and ITIL certifications. He is passionate about how InfoSec can play a business enabler role for the digital transformation era.