The phrase “security culture” is being used a lot more often within organizations, during conversations with other security professionals and even in the media. But there is a problem: the definition is not necessarily clear, and the steps to start working toward creating a positive security culture are even less clear. Organizations only have a vague idea what that really looks like or how to accomplish it.
This guide exists to provide a high-level look at what security culture is and what actions you can take to begin favorably changing the security culture within your organization. The goal of this guide is not to give a detailed deep dive into all things security culture (though we’ll provide resources for that in the future); instead it is to help readers understand the fundamentals of what security culture is and what steps you can take to move the culture needle in your organization.
It is important to understand that making a meaningful culture shift is not something that happens overnight. Dedication and consistency will lead you to great results. The more established your security culture is, the easier it is to maintain, and new employees tend to align with this culture rather quickly.
We are social creatures. Many behaviors are caught rather than taught. When we start a new job, we subconsciously adopt many of the behaviors we see. If people lock their workstations every time they walk away from their computers, new employees often pick up habits like this without giving it much thought at all because it has been socially modeled as just the way things are done here. This is the beauty of a strong and present security culture; once momentum is gained, it becomes easier to maintain.
