• United States




Taking the pulse of your information security culture

Mar 29, 20165 mins
CybercrimeInternet SecuritySecurity

Anyone who has been a manager in a company of a reasonable size understands the concept of corporate culture. Investopedia refers to corporate culture as “the beliefs and behaviors that determine how a company’s employees and management interact and handle outside business transactions.” It is a pretty important concept if you want a thriving organization. To give you an idea of the importance I place on cultural fit, anyone I seriously considered for a position in the past 12 years had to complete a cultural fit study before they ever got to the technical aspect of the interview process.

In recent months, the concept of a corporate security culture has been discussed. As ISACA puts it, corporate security culture determines what an organization does about security, as opposed to what it intends to do. Given that some are now referring to employees as “human firewalls,” the idea of each employee doing what the company says they do regarding security is all too important.

As an example, much of the ransomware being spread today begins with an employee opening a .zip attachment to a spam email. Virtually every organization with a formal security policy prohibits the opening of .zip attachments to email, but in the absence of a supporting culture, the protections break down.

The lack of a solid company security can have disastrous consequences. IBM in its 2014 Cyber Security Intelligence Index reported that 95% of all security incidents involved employee error. The problem is not just errors, however — MarketWatch reported last week that 1 in 5 employees would be willing to sell their password for the right price. While I find such studies to be a bit dubious, I am confident this number is greater than zero. It only takes one compromised password to breach an organization.

Admittedly, the concept of security culture is somewhat nebulous. With corporate culture, we have learned over the years how to foster it, and what would kill it. Security culture, being a much newer idea, is harder to grasp. As such, it may be best to ignore the idea for the time being, and focus on encouraging employee involvement in security. The culture can then develop itself.

So, how do you foster employee involvement in the hopes of building such a culture?  Here are some basic ideas:

Begin at employment

I mentioned earlier in this article that I was a big believer in cultural fit testing prior to employment. I think the same approach applies to security. We can all be asking questions of prospects in advance of employment to get an idea of how they would deal with security. We can ask technical questions about their security knowledge, or behavioral questions to help figure out how they have dealt with such issues in their past.

Start from the top

Security culture begins at the top, with the CEO or head of the company. This person must model good security practices themselves, and speak sincerely about it at every opportunity. I have been involved in many an all-hands meeting where the CEO attempted to speak sincerely on a topic while reading to a script created by marketing. It is pretty easy for the employees to see right through this. The company head must understand enough about security to really speak about it.

Every manager a leader

As with the CEO, every manager must live and model good security practice. Their involvement must go deeper, however. Those of us in the IT “glass house” understand how to apply security practice to the organization as a whole. What we often cannot judge effectively, however, is how to apply this to the day-to-day operations of a particular department. A manager with strong training can help we IT folks understand how to apply security to their own function. If IT cooperates, the manager will have a much easier time selling participation to the department members, and security practices will be less disruptive to the business.

Survey the workforce

Early in my career, I worked for IBM in Florida, blocks away from the birthplace of the IBM PC. Every year, IBM would conduct a detailed employee opinion and satisfaction survey for each site, and then would make visible changes to the operation based on employee feedback. If they ever suspected that the culture at a site was not thriving, they would immediately do an ad hoc survey to figure out why.

We can do the same thing with security, by periodically asking employees about their security knowledge, opinions and practices. That is the easy part. The hard part is analyzing the results, and acting on them to improve the organization’s security posture.

Train the workforce

Those of you who regularly read my articles are probably rolling your eyes at this point, given the frequency with which I have mentioned awareness training, including the information security magic bullet. It is sufficiently important, however, to bear repeating over and over. Train your workforce, and refresh them at least yearly. We can’t expect them to follow good practices if they don’t know what those are.

Make security a campaign

Most organizations have a community cause, like blood donation or Toys for Tots, that they support every year. These often involve posters, weekly progress updates, rallies, etc. We should do the same to foster employee security involvement. The marketing folks in most organizations could probably create an effective campaign in their sleep. Make it a priority for them to do this, and evolve the effort over time.

Reward good practices

When employees do the right thing, reward them. In some cases, material rewards are appropriate, but a reward can be something as simple as public praise. In the psychology world, this is referred to as positive reinforcement, something every parent would understand.

Bottom line — follow the right steps, and your security culture will form on its own. The reward will be a workforce focused on keeping the organization safe.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author