Why Security Needs to be Embedded in Culture?

Cyber Security | Insight | Published 23. Jun. 16

Share with Your Professional Network

Security function needs to change its course. Instead of focusing on security outcomes, it should become a business partner that advises on risks. Acting as a guardian does not serve the company either and it is too easy to leave security to the security department. But how to help people become aware of the risks and change their behavior? The answer to this dilemma is security culture, says Thom Langford, CISO, Publicis Groupe.


Culture eats strategy for breakfast as a famous citation suggests. When it comes to security, it is true. Careless, uninformed, or disgruntled employees are a common threat. However, you can´t solve the problem by offering more and more detailed instructions and bans. Quite contrary, by doing so, the security department will be the last one to be informed about the mistakes and actualized risks.

“To create security as a competitive advantage, start by being easy to reach and generous with information. Extend your advice to everybody’s digital lives. If people become aware of the security issues on the road or at home they are more willing to accept the security advice in the work place,” Thom Langford states.

People see security risks as a definitive issue, as something that needs to be reduced or removed. Actually most of the situations are not that straightforward, what is acceptable one week, is not acceptable the next.

“You have to have a security strategy, there is no doubt about that, because you have to understand the business environment you are operating in. But strategy is going to change from time to time, while the culture is something that’s going to be around for a long time. Batman has a strategy but Joker has a culture, that is why he keeps coming back.”

Often people are not aware of the risks. Nobody leaves their home front door open, but many leave their computer unlocked when they go to lunch. To create a security culture, one needs to ensure that people within your business are fully aware of what security means.

“Stop treating users as idiots. Being open and allowing people to come to you with their mistakes, means that they’ll be more willing to learn from those mistakes. It is extremely important to engage people and increase their self-awareness.”

Supporting the business means that the security department should know their place and co-operate with the business. The focus should be on the business outcome and comparing potential risks to it.

“If you do it vice versa and focus on security outcome alone, you will end up saying no all the time. In our company, we rely on openness and communication. We are also using some of our own marketing techniques, use our own social media platforms, for example. We want to create the feeling that we are all on the same side trying to achieve the business goals and get everybody their bonuses at the end of the year.”

Seven Rules of the Security Culture:

  1. Treat users with respect. There is no dumb question.
  2. Engage people regarding security issues.
  3. Be open and encourage others to openness. Mistakes are learning opportunities.
  4. Reward and celebrate small improvements.
  5. Stop saying no all the time. Instead of yes/no answers, explain the risks.
  6. Co-operate with the business and support it.
  7. Business outcome comes first, security outcome, second.

Thom Langford, CISO at Publicis Groupe, was a speaker at the 600Minutes Information and Cyber Security in Finland on the 19th of May 2016. He will be speaking at the Internet of Things, Sweden, event on the 7th of December 2016. For all our upcoming events, visit the Event Calendar»

The Most Efficient Working Day!

Invited Guests

The most efficient working day. Insights and ideas from the stage and from a network of executives. The best solutions for your business challenges.

Read more »

Solution Providers

Meet executives with investment needs. Bring your solutions and insights to your most potential clients. 11 markets, 20 000 executives, guaranteed meetings.

Read more »

Management Events brings together top-level executives and solution providers, providing high value to both parties. Our concept attracts 20 000 visionary leaders to our events in eleven countries, over 170 times a year. Management Events Surveys provides insights and trends for solution providers and executives, helping them gain deeper understanding of challenges and needs of the largest corporations.

Sorry but your browser screen is too small for this site.