Security isn’t an IT issue; it’s an organizational issue, and it’s a project that never ends. Security requires continual attention not only from the IT team but from every person on staff.
That dedication to security requires a special type of workplace culture. Ideally, everyone on staff understands the role they must play in keeping their organization’s network and data safe from cybercriminals and other security threats. But if that’s not the case at your organization, here are some practices that will help you foster a culture of security.
Foster a culture that values guarding the data entrusted to your organization.
Cultivating a culture of data security requires a different set of skills than the ones the IT team regularly uses. So who spearheads this kind of cultural initiative?
It may be your forward-thinking CIO, your CEO, internal communications, or even HR. After all, this is an internal marketing job more than an IT job. Since you’re promoting a cultural change, it could even be defined as a change management project. You’re trying to get the attention of staff and convince them to change their habits. That’s no easy task!
No matter who you choose, the person in charge of this initiative should wield high-level communication and persuasion skills. If needed, you can enlist the aid of a partner on staff who can assist your leader of choice. All they need are the requisite soft skills and the motivation to accept the challenge of helping make the case for data security.
Recruit security champions.
It takes more than one person to change a culture. You need a team to help you reach and persuade everyone on staff, so we suggest training a group of security champions or ambassadors. Once they understand how critical it is to build a culture of security, they can help colleagues develop good security habits.
Elevate the security discussion.
Security awareness starts at the top of the organization in the C-suite and board room. If you want to build a culture of security, you need to start by working with those at the top of the organizational chart. You’re going to need their buy-in, both literally and figuratively.
After you’ve got their interest, focus security training first on the C-suite, senior staff, and department heads. The C-suite is often the target of social engineering attacks, so they need to know what they might be up against. Plus, they set the example for others. If they don’t value security and follow the rules, the staff reporting to them won’t either.
Help staff develop good security habits.
Staff have a critical role to play in security as they’re the first line of defense. It is vital that they recognize when a security threat is occurring or likely to occur.
To determine if your organization is in a good place, ask yourself these questions:
- Do staff understand the reasoning behind security policies and procedures?
- Does the IT team meet regularly with other departments to discuss business processes, needs, and concerns? Do you even have a relationship with other departments?
- Are staff likely to go to the IT team if they’ve made a mistake that could threaten data security?
If there are changes needed, keep in mind that some staff will likely have to abandon risky habits and develop safer ones, which may make them feel inconvenienced by “your” rules. A behavioral change of this magnitude won’t happen unless your team—IT staff, security champions, and leadership—has established relationships with staff based on trust, communication, and support.
Customize your message.
People on staff use data and technology in different ways. Some of them use personal mobile devices for work while others don’t. Some have access to member data, and others don’t. These differences mean that you shouldn’t deliver the same training message to everyone. If what you’re saying is irrelevant to somebody, they’re going to tune you out. Instead, meet with groups of staff who do the same type of work or use the same type of technology and deliver them the information most relevant to them.
Pay extra attention to social engineering.
Just as cybersecurity measures evolve and improve over time, so do phishing attacks. Currently, AI tools are being used to personalize fraudulent emails based on a target’s online footprint, making it more difficult than ever to spot scam emails.
Considering that it only takes one person to cause a security breach, social engineering training for staff is just as wise an investment as ever. Let staff know ahead of time that you’ve hired a firm to deploy simulated phishing attacks. If someone falls for the phishing attempt and clicks on the “bad” link, they’re told they’ve been phished and must watch a video about social engineering and phishing. The goal is for users to always verify the sender’s legitimacy before clicking on anything in their emails.
Make security concerns personal.
Security is a concern at home as well as work. Let staff know that your organization’s security awareness training will also help them prevent security threats, such as phishing and other social engineering attempts, which could affect their personal and financial data.
Provide training bites (not buffets) to keep them coming back for more.
Attention spans are short and getting shorter. Don’t overwhelm staff with information they’ll never remember. Share security stories (lessons) via staff meetings, coffee breaks, emails, videos, collaboration platforms, and good old-fashioned signs in common areas. Provide a comprehensive resource online that can be accessed whenever someone has a question.
Remember those Nigerian prince scams?
Paint a picture and use stories when possible. People relate to and remember stories and images more than directives. Stories also provide context and relevance for complex issues. You can start by talking to staff about security incidents in the news. Explain how these incidents happened, how they impacted the organization, and how they could have been prevented. Describe how the same thing could happen to your organization—or to any of them as individuals. Help them understand that, yes, this can happen to them, and show them how.
Reward security-conscious staff.
Encourage staff to find security vulnerabilities and bring them to your attention. For example, reward the person who fesses up and tells you about a workaround that’s used because an existing process is cumbersome. Work with staff to find process fixes that aid productivity and close any vulnerabilities.
Security begins with trust—and you.
Creating a culture of security requires a relationship of trust between the IT department and the rest of staff. The IT team must be seen as solution providers and partners in productivity, not rule enforcers and progress obstructers. Once you’ve created a security-conscious mindset within your organization, you can start to feel more confident about your ability to protect your data assets.