Security awareness

Nurturing a Culture of Security

November 6, 2015 by Peter Lindley


Major cyber-security breaches are now reported almost on a continuous basis. News coverage of one serious incident has barely begun to subside before another emerges. The Sony Hack, Ashley Madison and – – now at time of writing – TalkTalk are just a few examples.

Who will be next?

Moreover, how many cyber incidents are not reported?

One thing is certain – the impact of such breaches on the companies affected is potentially catastrophic whether in terms of financial loss of damage to reputation.

What is also clearly borne out by the analysis of such incidents after the event and by the vast majority of surveys in respect of cyber security breaches is that the chief root cause tends to be inadvertent – and occasionally willful – action (or inaction) by internal members of staff.

In addition, where attacks originate from an external source – cyber criminals, for example – their success usually depends on exploitation of failures on the part of internal members of staff or a failure by the organization in question to have adequate security policies and procedures in place.

Of course, drawing up security policies and procedures is ineffective unless all staff are aware of their role in ensuring these are followed.

Ideally, embedding security policies, procedures and general good practice as part of a security culture in the organization is the best way to reduce the likelihood of your organization becoming the latest victim of a cyber security breach.

So how do you implement and nurture a culture of security?

Senior Management Buy-in

Firstly, there needs to be a commitment at the senior management level to treating cyber security as a high business priority.

Having senior managers – including the CEO, preferably – who are prepared to champion cyber security by, for example, including security as a regular agenda item at senior management meetings is a crucial factor in nurturing a security culture. A security policy reminder issued to all staff via the CEO is likely to receive more attention than if issued directly by the security manager, for example.

In the past senior management commitment has not always been easy to obtain. Chief executives often found it difficult to see the value for money or any clear return on investment from allocating money and resources to security measures.

Now most senior managers should be well aware of the potential impact to the organization of a cyber breach resulting in a compromise of enterprise data.

There is also an increasing recognition of cyber security as a business-enabler and the importance of being able to provide assurance to customers – and prospective customers – that robust information security management arrangements are in place to safeguard their data.

Security Policy and Procedures

As mentioned, security policies and procedures need to be in place to provide guidance to all staff regarding what actions they need to carry out – or to avoid – to help ensure that cyber security risks are managed effectively.

Conducting a formal risk assessment of the organization’s own data processing systems is the best way of ensuring that the policies and procedures – and other security measures (technical, physical, etc.) – will be most effective.

The security policies and procedures can provide the bedrock of the security culture and the key way to embed these and nurture the security culture is by an effective security awareness program.

Security Awareness Program

To successfully nurture a security culture, the security awareness program must include security awareness training which should not be a one-off event but rather a regular requirement for all staff either via a CBT (computer-based training) package or – better – delivered by the organization’s IT Security Officer or other point-of-contact in respect of security policy and guidance.

The training should cover the key aspects of the security policies and procedures without being bogged down in detail that may not be relevant to the average user and may actually act as a turn-off. The key messages to get across will depend on the particular organization and its systems. As mentioned, a risk assessment is the best way to identify specific requirements. These are likely to include the following: the centrality of passwords to system security, the importance of adhering to password policy, the need for caution when using email and the Internet, (in particular that staff must not click on suspicious links or attachments in unsolicited emails), and guidance on the procedures for reporting any security incident, actual or suspected.

Including details of topical security breaches reported in the media helps to demonstrate the reality of the threats and focus minds in relation to how social engineering can be used as part of a spear phishing attack, for example.

As well as general security awareness training for all staff, specific training for all those with specialist roles in relation to security management is also important e.g. for system administrators in relation to access controls and management of rights and privileges or staff responsible for logging and monitoring of system access. Training for IT staff involved in system design and development may also be need to be considered in relation to relevant security standards and best practice guidelines such as SSLDC (Secure System Development Life Cycle).


An Ongoing Commitment

To nurture a security culture fully, it is not enough to carry out a Security Awareness Program as a one-off event or project. There needs to be an on-going commitment from the top down with regular reminders covering key security messages issued to all staff via the chief executive to complement regular – ideally, at least annual – awareness training.

Staff who are prepared to act as champions for security best practice – in addition to senior managers – can also be identified (during awareness training for instance) and roles could be assigned to those interested in acting as a point-of-contact for cyber security issues within particular business areas. These staff could assist for example in cascading information down from the Information Security Manager or IT Security Officer in relation to specific cyber security alerts or incidents.

Including security responsibilities in staff – and line manager – job descriptions and as part of performance management and review arrangements are measures that would also help embed security within the culture of an organization.

Regular surveys can also be useful in assessing the level of security awareness within the organization and identifying any areas of weakness or changes that might be needed to the awareness program.

All incidents – actual and potential “near-misses” – that occur should be carefully analyzed to identify the cause, and how any future occurrence can be avoided. Lessons learned then must be communicated to all staff or specific staff as necessary. As well as possible revisions to policies and procedures resulting from particular incidents, consideration should also be given as to whether the security awareness training or other aspects of the program might also need to be revised.

Other ongoing activities would involve the use of media such as posters and the organization’s Intranet to promote continually security awareness and good practice. Setting up a security awareness area on the Intranet with key messages and policy reminders is useful but again an ongoing commitment is required to ensure the content remains relevant and does not stagnate.


To embed good security practice within an organization and continue to nurture a culture of security, an ongoing commitment from senior management and all staff is necessary. In addition, clear policies and procedures must be regularly communicated via a security awareness program – not a one-off event. However, if a security culture can be successfully nurtured in this way, the likelihood of a cyber security breach occurring can be significantly reduced.

Rather than representing a vulnerability to be exploited as part of a cyber-attack due to a lack of awareness or commitment, staff will instead form the most important line of defense against a breach.

Posted: November 6, 2015
Peter Lindley
View Profile

Pete is an IT Security Manger for a large financial services organization in the UK with many years experience implementing and managing Information Security Management Systems and acting as the single point of contact for advice and guidance in relation to all IT security issues.