When an organization builds a security operation, there are several factors that need to be addressed - a sort of checklist of factors that should be considered in the process of developing an effective security and compliance strategy that addresses the needs of the organization without becoming too overbearing.  

Somewhere on everyone’s list is that rather generic task: "develop a culture of security”.  

When you mention developing a culture of security, everyone nods their head and says: “yes, we need to make sure that we have a culture of security" but then you sit back and wonder what I really mean by a “culture of security” and how do I build one of those? 

Two items that would be on everyone’s list when building this culture of security are: “developing a tone at the top” and “security is everyone’s job”.  

We typically implement the first of these by generating a memo from an executive, typically the CEO, explaining how important security, compliance, and privacy are to the organization. This is an important stake in the ground. It lets all employees know that the leadership values security.  

We implement the second factor, “security is everyone’s job”, through security awareness campaigns. This training may include discussions on security policies and practices, compliance obligations and current malware campaigns, and, particularly, training on spotting phishing emails.

But what is in the middle?  What’s in that middle ground between our leadership emphasizing security and our users implementing it in their daily jobs?  

There are two factors in that middle ground impacting the development of a culture of security. It is one thing for our CEO to emphasize security, but it is important that each member of management below the CEO emphasizes security, compliance, and privacy just as strongly.  

Focus on these elements must be designed into every process, procedure, application, and business function. Compromises don’t always originate where sensitive personal data are stored, processed, or transit. One of the largest comprises of payment card data originated with the compromise of a business application using SQL injection.

If the management team makes security a part of everyone’s job, then security by design enhances a culture of security. Conversely, if the management team, through their actions and words, downplay the importance of security, the culture of security becomes nothing more than an illusion. That attitude will soon be reflected throughout the company by every manager, supervisor, and team lead. Security will be a secondary concern.

The irony of the dynamics of this lesson is that it takes longer, even with a positive management team, to build a culture of security than it does to destroy that culture with a negative attitude. The positive approach must be reinforced every day. Once we relax, or simply fail to reinforce a security mindset, a void grows between being a secure organization and being an organization exposed to a security weakness.  

The other factor that operates in this middle ground and influences the effectiveness of developing and maintaining a culture of security is the approach that the professionals on the security team take when dealing with the management teams and the users.  

Some security departments have been sadly saddled with the moniker, “the Department of No”. It is difficult to develop a positive relationship with management, users, developers, or administrators if the only answer that they can expect from the security team is “no”.  

However, if we turn this around, a positive approach by the security group to working with all those teams can greatly change the security posture of a company.  This process can be as simple as always walking into a meeting with the attitude that the security professionals will be partners with all to develop secure and safe operating environments.  

The answer “no” should be replaced with the answer “let’s see how we can do this safely”.  As a CISO, I saw a large increase in the demand for security advisement with this approach.   

Building a culture of security involves understanding the needs of users and their management teams and partnering with them to reach solutions that increase the security, compliance, and privacy of our technology, application, and business environments.  It is very easy to create a poor security culture, but it takes an investment in education and people to build a strong, positive security culture.