
Two Steps to a Robust Security Culture


By Kwinton Scarbrough, CISSP

In the midst of the merging of business and technology, organizations across all industries have started their journey into the cognitive era of cybersecurity. In this era, it is essential for a business to have an IT security strategy that governs how the organization will protect itself from internal and external cyber threats. However, what commonly fails to align with the IT security strategy is the organization’s overall security culture. An IT security strategy can only be effective if a strong security culture is embedded into the very fabric of the company’s operations. Today, I will cover the two core components for building a robust security culture that maximizes the effectiveness of the IT security strategy.

An organization’s security culture consists of the mindset and habits of employees as they relate to IT security. Habits intended to prevent and protect against internal and external threats are, unfortunately, not always unified for the greater good of the organization. Many times, different siloed habits form within individual business units based on the easiest route to achieve the task at hand (e.g., using shared accounts instead of unique individual accounts, or using privileged accounts to perform simple tasks). Within an organization that lacks a mature IT security strategy, employees are more likely to learn and follow what is perceived to be the path of least resistance to accomplish a task. They then pass these learned, non-compliant methods on to other employees within that business unit. Eventually, that business unit comes to regard it as the only way to accomplish the task because – as I’m sure you’ve heard before – “that’s the way we’ve always done it.” Building a strong security culture encourages employees to question the norm when something doesn’t seem quite right.

Every organization is unique and will have its own security culture. Throughout my consulting experience, I’ve come to find that the state of the security culture depends on two factors: (1) well-defined security policies, processes and procedures; and (2) exceptional communication about the adoption of those security policies, processes and procedures. To have a strong security culture, these two factors must be coordinated and implemented together, as one has little to no lasting effect without the other.

Define a Security Policy

A security culture begins with a well-defined and properly enforced security policy. The development and enforcement of a security policy starts at the very top of the leadership pyramid and cascades down to the junior-level employee. In defining a security policy, the first step is to understand the business environment and its threat landscape. An organization’s security policy should:

  • Define the baseline security requirements
  • Define requirements that meet or exceed industry and regulatory requirements
  • Align with the risk appetite of the organization

While a well-defined security policy should be clear and strictly enforced, it should not dictate how each business unit must operate to comply with the requirements; in other words, the policy should be kept separate from the procedures. While the security requirements should be clearly defined, a strong security culture allows each individual business unit to determine the optimal method for incorporating those requirements into its own operations. The ideal security policy is seamlessly integrated into employees’ day-to-day thinking and decision making, ensuring a secure mode of operation for all business units. The security culture should unify the organization by allowing all business units to work together in loosely coupled coordination, providing an optimal level of protection against internal and external threats. For the organization as a whole, the goal is to create centralized policies that can be incorporated into the daily processes and procedures of every business unit. An organization with a strong security culture has employees who understand cybersecurity and the importance of making the necessary operational adjustments to comply with the defined security requirements.

Communicate and Train Secure Habits

The communication of security requirements and security awareness go hand in hand in building a strong security culture. More communication brings more awareness, and with more security awareness, individual employees are more likely to incorporate security into their day-to-day thinking and decision making. As a result, security becomes thoroughly embedded in the mindset and work habits of each employee, creating a strong security culture.

However, communicating the security requirements is not as straightforward as defining the security policy. To communicate security policies effectively, the communication tactics should be tailored to the target audience based on its observed behavior, current security understanding and preferred communication style. The goal is to communicate effectively, to each business unit, why it is necessary to follow the organization’s security policies. Better communication of the purpose and reasoning behind security policies helps build a strong security culture by eliminating decentralized execution of centralized policies. To take security maturity one step further, organizations should also provide security awareness training. This training should serve the purpose of eliminating nonconformist habits by bringing awareness of, and competence in, better and more secure habits.

Clearly defined and communicated centralized security policies allow an organization to enforce organization-wide security requirements. Each business unit will understand the importance of security while having the freedom to create and establish optimal operations within well-defined boundaries.

[(ISC)² Blog]
