Published 23. Jun. 2016

Why Security Needs to be Embedded in Culture?

Cyber Security


Culture eats strategy for breakfast as a famous citation suggests. When it comes to security, it is true. Careless, uninformed, or disgruntled employees are a common threat. However, you can´t solve the problem by offering more and more detailed instructions and bans. Quite contrary, by doing so, the security department will be the last one to be informed about the mistakes and actualized risks.

“To create security as a competitive advantage, start by being easy to reach and generous with information. Extend your advice to everybody’s digital lives. If people become aware of the security issues on the road or at home they are more willing to accept the security advice in the work place,” Thom Langford states.

People see security risks as a definitive issue, as something that needs to be reduced or removed. Actually most of the situations are not that straightforward, what is acceptable one week, is not acceptable the next.

“You have to have a security strategy, there is no doubt about that, because you have to understand the business environment you are operating in. But strategy is going to change from time to time, while the culture is something that’s going to be around for a long time. Batman has a strategy but Joker has a culture, that is why he keeps coming back.”

Often people are not aware of the risks. Nobody leaves their home front door open, but many leave their computer unlocked when they go to lunch. To create a security culture, one needs to ensure that people within your business are fully aware of what security means.

“Stop treating users as idiots. Being open and allowing people to come to you with their mistakes, means that they’ll be more willing to learn from those mistakes. It is extremely important to engage people and increase their self-awareness.”

Supporting the business means that the security department should know their place and co-operate with the business. The focus should be on the business outcome and comparing potential risks to it.

“If you do it vice versa and focus on security outcome alone, you will end up saying no all the time. In our company, we rely on openness and communication. We are also using some of our own marketing techniques, use our own social media platforms, for example. We want to create the feeling that we are all on the same side trying to achieve the business goals and get everybody their bonuses at the end of the year.”

Seven Rules of the Security Culture:

  1. Treat users with respect. There is no dumb question.
  2. Engage people regarding security issues.
  3. Be open and encourage others to openness. Mistakes are learning opportunities.
  4. Reward and celebrate small improvements.
  5. Stop saying no all the time. Instead of yes/no answers, explain the risks.
  6. Co-operate with the business and support it.
  7. Business outcome comes first, security outcome, second.

Thom Langford, CISO at Publicis Groupe, was a speaker at the 600Minutes Information and Cyber Security in Finland on the 19th of May 2016. He will be speaking at the Internet of Things, Sweden, event on the 7th of December 2016. For all our upcoming events, visit the Event Calendar»