4 building blocks of a security culture

There’s no doubt that awareness of information security in corporations has dramatically improved in recent years. Stories of breaches and hacks have filled the mainstream press in a new digital age where most people understand the value of data and the risk of it falling into the wrong hands. Here are some points to consider when developing your security awareness strategy. The end goal here is to create a culture of security that moves beyond regulations and policies to educate and inspire your people to care about protecting what matters to your business.

Each of these points is equally important and must be considered as part of a holistic approach to creating your very own security culture.

1.    Policies
Many organisations have moved to make managers and employees aware of their responsibilities by creating policies to govern information security. These policies are crucial, but they can only be effective when owned and given a practical purpose, for example by ensuring people are trained on these policies and understand the impact of a failure to follow them.

2.    Leadership
These initiatives and policies must not be seen simply as tick-box exercises that run the risk of not being taken seriously. To ensure this isn’t the case, information security must be owned and reinforced as a business issue that matters at the highest level. One way to support this is to align security strategy with key business goals and objectives, such as protecting customer loyalty or managing risk.

3.    Assessment
The ultimate success of any security culture can only really be determined by continual measurement and feedback from stakeholders. Surveys, interviews, tests and audits are crucial both in revealing whether programs are effective and in identifying any gaps that need to be filled.

4.    Technology
Implementing technologies that reduce your attack surface and help reinforce your security strategy is essential. But software alone cannot prevent every threat; it’s always worthwhile to invest seriously not just in the technology itself but also in ensuring that it’s correctly implemented in the right places.
