4 tips for building a strong security culture

Instead of blame and fear, security teams need to create a culture of personal responsibility to best protect data. Here's how two security leaders do it.

Security teams can’t protect what they can’t see. While monitoring tools are getting better, end users and business managers need to tell IT and security teams what they’re doing with data on different applications, and more importantly, when something has gone awry.

A culture of blame and fear when it comes to security means end users won’t tell you if they are using an unsanctioned app, have clicked on a malicious link or have seen unusual activity until it’s too late. Security teams should empower users with a culture of personal responsibility so that they treat data security in the same way they approach other company policies like health and safety.

A blame culture encourages poor security

Seeing humans as a weak link and creating an environment where employees fear reprisal for security failures isn’t a good way to run a company. Yet some organizations have taken extreme measures to punish victims of scams. A media firm in Scotland fired and sued one of its staff after she fell for a phishing scam and handed over almost £200,000 [$250,000] to fraudsters who impersonated the company’s managing director and requested that a payment be made. Brian Krebs recently posted about instances of employees being fired for failing phishing simulation tests.

This kind of blame culture only makes employees less likely to come forward when something does go wrong ... and it puts data at risk. “The people handling the information, they can't be the weak link,” says Mark Parr, CISO at KPMG UK. “I want people to feel comfortable and that if they've made a mistake, they can tell me. That's all about building trust and for my colleagues to feel that I'm actually there to support them and not there as the stick to beat them if something should go amiss.”

To help build this trust between security and staff, KPMG has started a program that recognizes staff for highlighting security issues within the company. “I want to develop that culture where people are happy to tell me or to report into our helpdesk if there is an issue or something has happened,” Parr says. “We have an internal system where we can recognize staff and other members of staff can see that. If somebody comes to me and says, ‘I noticed this and it's a bit of an issue,’ then I will let their line manager know that this person stepped forward.”
