With the growing awareness and realization that human error is the root cause behind three-quarters of all security breaches, the need for a positive security culture is taking center stage. But what does a positive security culture mean and look like? According to a recent study by Perpetuity Research, here are some indicators that help gauge the strength of your security culture:

• Security is a priority of the organization
• The organization achieves strong compliance with policies and procedures
• Employees have a strong awareness and understanding of security risks and consider security as part of their job description
• Security is woven into organizational values
• Employees help co-workers be more secure
• Employees feel safe to report security incidents, even when they caused it
• Employees feel comfortable asking questions to the security team

 Factors that Affect Security Culture

A number of factors can affect an organization’s security culture. According to the Perpetuity report, these include:

Value of Security To Organizational Leaders

The “tone at the top” is usually what influences security culture the most. If the C-suite does not value security, then this will reflect in the culture of the organization. If leaders are not driving culture and demonstrating their commitment to security policies, then a positive culture will have difficulty taking root and prospering.

Investments Towards Security and Culture Building

Most business leaders are focused on targets, growth, and profit/loss metrics of the business. Security is just another cost center to them. Moreover, any culture change program needs sustainable and repeatable investment in time, money and resources for communications, training and stakeholder management. Short-term thinking and the absence of consistent investments can undermine the establishment of a positive security culture.

Attitudes and Perceptions of The Security Function

If the security function is viewed as a barrier rather than an enabler, there is a negative perception of security, or if the security team lacks power or credibility, then this, too, can negatively impact the security culture. An arrogant, punitive security team could lead to a toxic culture that only benefits cybercriminals.

Quality of Communications

There is a need to demonstrate to leadership that security will not only detect and respond to threats but will enable it to thrive and be successful. Therefore, communications can have a direct impact on the way your leadership team perceives the value of security. Additionally, communication is critical in ensuring security messages are heard and prioritized, in engaging and motivating the workforce and in demonstrating compliance with legal and best practice framework requirements.

Level of Security Staffing and Turnover

When security teams are understaffed, it becomes increasingly challenging to establish and foster a positive security culture. Moreover, constant turnover in security staffing, resulting in long-term employees having to focus on training new hires or relying on temporary workers, hampers their ability to cultivate a stronger security culture.

Frequency of Security Training

If employees do not participate in security awareness training often or do not partake in refresher courses, then it is highly unlikely that they will retain their learning. Culture comprises attitudes, perceptions, feelings, habits, and behavior. If consistent and repeated efforts are not made to change the attitudes and behaviors of employees, then security culture is likely to diminish.

Competing Priorities

Staff members frequently face competing priorities and heavy workloads that can restrict their capacity to adhere to security requirements. Additionally, from a business perspective, completing tasks and achieving objectives takes precedence over security considerations. As a result, cutting corners in security is often perceived as a minor offense with minimal consequences.

Poor Security Management

The absence of proper and professional leadership will often pose a barrier to security culture. A lack of overall management strategy, active engagement within the security teams, and risk management overall can all have wide repercussions on culture.

Culture is not a switch that can be flipped on or off. It’s like a garden that needs attention, watering, feeding, and nourishment for years until it can flourish. Ultimately, the level of commitment, effort, investment, and control that organizations have over these factors and circumstances will determine the success or failure of a security culture in any organization.