Want to know why Security Culture eats security strategy for breakfast

Want to know why Security Culture eats security strategy for breakfast?


Wouldn’t it be great to know the attitudes to security in your business, the conversations people are having and the things they are doing, or not doing? So, if you could be a fly on the wall what would you see? You buzz into the boardroom…

The board are nearing the end of their meeting. Security is on the agenda, but it’s one of the several items left to deal with and they just won’t have time to get through everything. The chair suggests there’s nothing much to say about security – there haven’t been any incidents – and other items are more pressing. Well, that’s disappointing – you were assured that security would get regular airtime at board level.

So you buzz out of the boardroom and through the office…

You count about three-quarters of unattended computers have their screens unlocked. You’ve told people about this, repeatedly, and the results of your last compliance test indicated that the majority of people know they’re supposed to lock their screens. Somebody gets up from their desk and walks towards the loo. They realise they’ve left their screen unlocked and they look back in a quandary. Then they look around at all the other unlocked screens and go on their way. You’re confused, and you take a breather, landing on some confidential documents scattered across a desk – aargh!

On the neighbouring workstation, someone is clicking through Facebook on their phone plugged into a USB port. That’s just wrong on so many fronts! There’s a policy about social media at work and…

What’s that you hear? The sweet hum of a shredder. You fly towards it to find a new employee (you gave them a quick security induction last week) doing what they’re supposed to do: shredding documents conscientiously. But the shredder is noisy, and their line manager asks them if they’d mind not doing that now

“I’m on the phone. Just put it straight in the bin. It’ll be OK.”

You think you’re in security hell by now and you fly to the kitchen for some respite. By the coffee machine, two colleagues are talking about a recent penetration test, the results of which you disseminated to everyone:

“Apparently loads of people clicked on the phishing email – and nobody challenged the guy who came into the office and wandered about.” Their colleague shrugs: “I know, but what can you do?”

You wish you’d never become a fly on the wall. You’re in complete shock! After all, you have a comprehensive security strategy signed off. Everybody knows the policies you’ve created, don’t they? Emails have gone out…

But security culture is what happens when the CISO isn’t looking, and, until you tackle security culturally, the established and prevailing culture of the business will trump your strategy every time.

In other words, your security strategy must be more than policy and awareness; it must focus on people, their values, the things that make them tick, and the things they say and do daily to show that the security of their business and the well-being of their colleagues and customers matters to them.

So let’s imagine what it could all look like if a healthy, proactive security culture had taken hold. You fly back through the office… 

Those colleagues at the coffee machine are talking about how they might ask for some proper training about phishing emails, and change things in their department so that strangers are challenged appropriately.

That line manager thanks their new colleague for using the shredder and tells them how well they’re fitting in. That Facebooker has their mobile switched off and is filing away confidential documents. And, because none of the other screens are left unlocked, that employee turns back to lock theirs before going to the loo.

Finally, you fly into the boardroom… The chair states that everyone there knows the importance of security to the business, the repercussions of reputational damage, how hefty fines could put a hole in their bottom line, what it would mean to the business if they couldn’t trade after a ransomware attack, and they suggest that everyone stays a bit longer to cover the whole agenda properly.

The boardroom is where security culture change starts, and getting their buy-in is the subject of Layer 8’s next webinar.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email


View our other posts and insights

Scroll to Top