
How to Make Information Security Part of Company Culture

Effective cybersecurity is more than a collection of technologies and policies.

No matter how robust and well-thought-out your cybersecurity strategy is, it only works if people follow it. 

This is a greater challenge than many InfoSec leaders realize. Employers have few practical ways to verify that employees actually follow security policies.

Since constant surveillance is not a viable option, many components of the corporate cybersecurity policy are applied through the honor system. This is especially true of remote and hybrid workforces, where up to half of the surveyed employees admit cutting corners when it comes to cybersecurity. 

It’s easy to blame employees for breaking company policy, but that doesn’t really tell the whole story. Work roles are social roles, too. Every employee action – including risky behavior – reinforces some aspect of company culture. If that culture values productivity or profitability more than it values cybersecurity, employees will compromise one for the other. 

It falls on executives and security leaders to cultivate a company culture that prioritizes security as an intrinsic value. As long as security policies reflect values that employees do not actually believe in, policy violations will remain a problem. In many cases, company culture is part of the solution to that problem. 


Choosing the Right Technology Makes a Critical Difference

Employees who admit to breaking security policies often report feeling under pressure to do work quickly. If restrictive security technologies disrupt their ability to do work quickly, they may feel compelled to find workarounds that bypass those technologies. 

Restrictive file transfer policies are a classic example. Many companies use sandbox solutions to verify incoming files in a simulated environment. A user who wants to download an incoming email attachment has to wait for the sandbox system to open the attachment and detect whether it launches a malicious payload. This process may take several minutes.

Imagine the user is a sales employee on the phone with a major potential customer. A few minutes of dead space can make or break the sale. The employee may decide to share a personal email address with the potential customer to immediately open that file and continue with the pitch, even though it violates policy. 

All security technologies impact usability in some way. InfoSec leaders have a responsibility to optimize that balance in a way that encourages employees to follow security policies. The more restrictive a policy is, the stronger the incentive to bypass it becomes.

Encourage Feedback on Security Policies and Rules

Lack of security education is one of the greatest predictors of non-compliance. People are far more cooperative when they understand what is being asked of them, and why. Education can play a transformative role in bringing employees and leaders together on security issues. 

If employees don’t know why they must change their passwords, or only use company-approved mobile devices, they have little incentive to uphold those norms on their own. Education helps show people why following the rules works to their benefit and reinforces the value of self-policing even when nobody is looking. 

When employees understand why security policies are in place and what those policies protect against, they feel empowered to make a difference. Education helps employees recognize the significance of an action as routine as opening an email attachment. It gives them agency and extends trust in a way that cultivates a healthy, security-oriented environment for everyone.


Cultivate a Security-Oriented Culture with Castra 

The combination of open communication and education can dramatically improve security culture. The IT department does not drive that change on its own – it supports leaders building a more secure workplace from the top down. Delegating security compliance issues to a diligent team of experienced security professionals helps reinforce accountability for a security-oriented company culture.

As your SOC partner, Castra can help you open lines of communication between employees, vendors, and security personnel. We can help educate stakeholders on the value of information security, leading to significant improvements in security compliance.