Security culture begins at the top

Building a strong security culture begins at the top of the organisation, right from the CEO and CIO level.

What’s the most important factor in a successful security program? Technology such as endpoint protection? Making sure your change management processes and system development life cycle include consideration of security risks? Strong policies? Not quite.

While all of these are important, a prerequisite - ensuring all these controls are accepted by employees and not bypassed (either intentionally or accidentally) - is a strong security culture. Building a strong security culture begins at the top of the organisation, right from the CEO and CIO level.

We’ve all seen the “people, process, technology” triangle, particularly for information security management. However, all too often, when considering security requirements and controls, there is more emphasis on processes and technology than on people. A poor security culture, training and attitude can easily undo any of your controls and create the weakest link for an organisation’s security.

It only takes one poor decision for someone to undo an organisation’s security controls, and the individual doing this can be anyone, from a high-level executive to a clerk. There have been stories over the years of incidents such as patient medical records being found on the street because they were carelessly thrown into the rubbish bin, or a file containing sensitive information being left in a public place. The consequences of either scenario can be severe, and while policies may exist prohibiting employees from doing either, there are no technical or process controls (other than physically checking every sheet of paper that leaves a building) to prevent these from occurring.

Significant information security risk exists due to the accidental or deliberate actions (or inactions) of employees. Simple human error, ignorance and omission are the root of most data breaches and e-crimes. While most people will try to do the right thing, everyone makes mistakes or may be unaware that what they are doing is actually a risk to the organisation. How many stories have we heard about people sharing passwords because it’s the easy thing to do, or downloading free software from the Internet to get the job done?

Awareness and training go a long way towards educating employees on how to prevent risky activity. However, the priority employees give to security, and whether or not they really pay attention to the awareness training, is influenced by executives. If employees don’t see high-ranking managers making clear statements and demonstrating that security is a priority, they won’t treat it as a priority either.

How can a CEO or CIO demonstrate to employees that security should be a consideration in their daily activities? This can be achieved through a range of means:

  • a message during their security awareness training
  • a brief mention in the employee welcome package
  • a policy message posted clearly around the facilities alongside other organisational policies (such as its Safety or Equal Opportunity policies)
  • including their name or position as a driver behind security initiatives to demonstrate that it is an important project, and improve the rate of its success.

ISO 27001, the Information Security Management System (ISMS) standard, includes as a certification requirement:

(section 5.1 d) “management shall provide evidence of... communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement”.

This requirement is based on the same belief that organisational culture is set from the top. Employees at the bottom of an organisational hierarchy will only view certain behaviours as a priority if those behaviours are presented and followed by executive management as a core cultural component.

This expectation also extends to senior and middle management, team leaders and supervisors - everyone should follow the same security practices and procedures. If a manager is seen as not taking a security policy or procedure seriously, or receiving “personal policy exemptions”, their employees won’t take those policies seriously either.

Leadership by example, and clear communication from the CEO, CIO and their managers about the importance of security, are crucial to ensuring the “people” part of the “People, Process, Technology” triangle does not become the weak link.

As security professionals, we are tasked with thinking about process and technology controls as part of our everyday management, project and operational roles. However, don’t forget about the people aspect: ensure this message is also communicated to the executives that everyone looks to for leadership. Only they can set the example for everyone else.

Stories by Wayne Chung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts