Security culture remains a fairly vague idea despite how often it gets talked about. Plenty of people can tell you what a good security culture looks like and feels like, but there is little discussion of how you actually get there. Do we just ask people to care about security more? Force them to watch a 10-minute “awareness training” video once a year? If only it were that simple.

Changing the culture of a company is a difficult thing. Culture is closely tied to emotions, and emotions are tricky. If you want people to care about security, they first need to have a positive relationship with many of the things they associate with it.

In this article, we will go over the common touchpoints that employees have with security. For each one, we will dig into how to make those experiences positive and how it fits into a broader security culture strategy. We will start with what I consider the most important factor in security culture: interpersonal relationships.

Build relationships

If you’re in a security-related role, I can’t overstate how important it is to have positive relationships with individuals in your company. People you are friendly with are more likely to approach you with questions about how to do things right, to point out hidden issues that need fixing, and to help when you need their time.

You don’t have to be everyone’s best friend, and you don’t have to be a social butterfly. You can just be friendly in the interactions you have with others every day. Are you working with someone because something went wrong? Show them some grace. Collaborating on something? Compliment the things they did well. Asking for their time? Say “please” and “thank you” and “I appreciate it.” If you are someone that enjoys friendly conversations, sprinkle a little of that in too or crack a joke.

Above all, be genuine. If you’re always forcing yourself to be polite, you need to work on your attitude. That may sound blunt, but you shouldn’t just use people to further your mission without giving something back in return. A good relationship goes both ways. Work is more fun and productive when you truly get along with people.

Share knowledge

Security succeeds when everyone participates. If you want a shared responsibility model for security, you need to continuously break down knowledge silos and distribute the skills and strategies that come from your security personnel. Not everyone needs to be an expert in security, but everyone should be made aware of the things they are responsible for and given the skills to succeed.

Hopefully your company has some regular platforms for knowledge sharing where you can carve out a little space for security-related topics. If you don’t have any sort of place for that, maybe you should consider starting one. Having a learning culture is a great way to support a security culture.

If you’re a security professional, work on breaking down security concepts at a high level to help people understand how you think about things. When relevant security skills are passed on to others, it makes them more likely to recognize issues and prevent new ones.

Make it cool

There’s a logic hole in the last section in case you didn’t notice: knowledge sharing only sticks if people are paying attention. Not everyone is inherently interested in security. In fact, many people view security as a hurdle that just makes their job harder. How do we get those people to care about security? By metaphorically slapping them across the face with it.

Security professionals know security isn’t just sexy hacking and malware, but we don’t have to let everyone else know that. The earliest pioneers of cybersecurity had success drawing attention to security issues with “stunt hacks” that shocked and captured the attention of professionals around the world and made them wake up to the realities of security risk.

We can do similar things on a smaller scale (with explicit authorization, against systems and people that are in scope) to make people more interested in security. When sharing security knowledge, make it cool by making the content relevant, being clever, and demonstrating impact.

Celebrate wins

It’s one thing to see security professionals demonstrate good security, but it’s even better to see non-security people do security well. When people are doing things that you want to see more of, you should call that out and maybe even use it as a positive example for others. The more people see their peers doing things the right way, the more normalized those practices become.

You should also celebrate non-security wins. This goes hand-in-hand with some of the earlier guidance for building relationships. You want others to care about security, so you should care about the things important to them too. I’ll say it again: a good relationship goes both ways.

At this point, we’ve talked a lot about things that you should do to help establish a positive security culture. The next sections will be focusing more on what not to do. There are some pain points that companies with poor security culture all have in common. We will be covering how to avoid those things and turn them into positive experiences.

Zero blame

The biggest way that security culture fails is when blame is a common occurrence. Mistakes happen, and hindsight makes all mistakes feel obvious. Show some grace and be patient when you work with others on security issues. That doesn’t mean you should downplay the severity of security issues; it just means you should focus on the solution instead of pointing fingers.

Sometimes there are recurring issues that indicate a deeper problem or a common theme. This is when it’s easiest to blame the person or group responsible. But we can still take the blame out of the conversation and make those discussions less personal. Effective security solutions rely on systems and processes, not on individuals making the right decision every time. Training is sometimes part of the solution, but it will never be as effective as secure-by-default configurations and guardrails that make the wrong thing hard to do.

Zero ego

Another way that security culture fails is when security personnel act like they are smarter than other employees. If your job is primarily to identify things that have gone wrong in other people’s work, you need to be careful not to get a big ego or think you “fix everyone’s stuff.” The way to fend off ego is with humility. Be kind to others and recognize the value of their contributions to the business. Security culture is an “us” mentality, not a “me” mentality.

Minimize overhead

If you’re reading this, you’ve probably heard or made this statement: “Security makes my job harder.” Whether it’s taking time away from non-security work or adding manual steps to an existing process, security gets a bad reputation for slowing down efficiency. When you make someone’s job harder, it can feel to them like you don’t respect their work.

To foster a positive security culture, a lot of consideration and energy needs to go toward finding a way to make security easier. Think about how you can automate things to lighten the load on those given more responsibilities. Consider alternative ways to mitigate a security threat if it adds manual steps to a process.

Sometimes adding overhead is unavoidable. When it is, communicate the reasons and offer to brainstorm solutions with the people who push back. An empathetic delivery of your security program benefits everyone involved.

Be realistic

This next consideration is probably my biggest pet peeve in security. The word “critical” has lost its meaning over the years because the security world keeps using it for things that do not mean “a threat is imminent.” As a security professional, you contribute to this problem every time you make a big deal out of something inconsequential. It makes people less likely to listen to you and less likely to take security seriously.

Every vulnerability has its own context, and scanner findings are prone to false positives. Here are a couple of examples to paint the picture:

  • A dependency in one of your applications has a critical remote code execution vulnerability. Exploiting it requires a complex attack, there is no known public exploit, and the only affected application is internal-only.
  • Three new critical vulnerabilities are published for an open-source dependency you use. When you reach out to your software engineers, they find that your code never calls the vulnerable part of the package.

The key thing to remember is that not everything labeled critical actually is. If you want to establish a positive security culture, you can’t be an alarmist who expects everyone to drop what they are doing all the time. Be considerate of your coworkers’ limited time and dig into the context (is the vulnerable code reachable, how is the system exposed, is there a public exploit, how hard is the attack) before raising an alarm, and revisit the call if that context changes, for example when an exploit becomes public. Being realistic will reward you with open ears when something is truly important.
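To make that context concrete, here is an added example (not code from the original article) of a small triage routine that starts from a scanner’s headline severity and adjusts it by reachability, exposure, exploit availability and attack complexity. The scoring weights, field names, package names and advisory identifiers are assumptions made for the illustration, not a standard and not any tool’s scoring scheme.

```python
"""Contextual triage of dependency findings.

Added illustration for the "Be realistic" guidance; not code from the
original article. The scoring scheme, field names and the constructed
findings below are assumptions made for this example only.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    advisory: str           # identifier as the scanner reported it (constructed here)
    scanner_severity: str   # "low" | "medium" | "high" | "critical"
    reachable: bool         # does our code actually execute the vulnerable path?
    exposure: str           # "internet" | "internal" | "offline"
    exploit_known: bool     # public exploit code or active exploitation reported?
    attack_complexity: str  # "low" | "high"


# Numeric starting point taken from the scanner's headline severity (assumed weights).
BASE_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def label(score: int) -> str:
    """Map an adjusted score to the priority word that goes on the ticket."""
    if score >= 4:
        return "urgent"
    if score == 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


def triage(f: Finding) -> tuple[str, list[str]]:
    """Return (adjusted priority, reasons) for one finding.

    Start from the scanner's severity and move it up or down by the context
    the scanner cannot see. The reasons are recorded so the engineer who
    gets the ticket sees why it was (de)prioritised, not just a severity word.
    """
    if not f.reachable:
        # The vulnerable function is never executed in our build, so there is
        # nothing to exploit today. Worth an upgrade ticket, not an alarm.
        return "informational", ["vulnerable code path not used; upgrade at next release"]

    score = BASE_SCORE[f.scanner_severity]
    reasons: list[str] = []

    if f.exposure == "internet":
        score += 1
        reasons.append("reachable from the internet")
    elif f.exposure == "internal":
        score -= 1
        reasons.append("internal-only service")
    else:  # "offline"
        score -= 2
        reasons.append("no network exposure")

    if f.exploit_known:
        score += 1
        reasons.append("public exploit or active exploitation")
    else:
        reasons.append("no known exploit")

    if f.attack_complexity == "high":
        score -= 1
        reasons.append("high attack complexity")

    return label(score), reasons


def triage_all(findings: list[Finding]) -> list[tuple[Finding, str, list[str]]]:
    """Triage a batch and return it ordered most urgent first."""
    order = {"urgent": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
    rows = [(f, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed findings that mirror the two examples in the text, plus one that
# should genuinely go to the top of the queue. Package names and advisory IDs
# are made up for this illustration.
SAMPLE = [
    Finding("example-rpc-lib", "EXAMPLE-0001", "critical", reachable=True,
            exposure="internal", exploit_known=False, attack_complexity="high"),
    Finding("example-parser", "EXAMPLE-0002", "critical", reachable=False,
            exposure="internet", exploit_known=True, attack_complexity="low"),
    Finding("example-web-framework", "EXAMPLE-0003", "high", reachable=True,
            exposure="internet", exploit_known=True, attack_complexity="low"),
]

if __name__ == "__main__":
    for f, priority, reasons in triage_all(SAMPLE):
        print(f"{priority:13} {f.package} ({f.advisory}, scanner said "
              f"{f.scanner_severity}): " + "; ".join(reasons))
```

Run it and the internal-only, high-complexity “critical” lands as medium, the unreachable one as informational, and the internet-facing finding with a public exploit as urgent. The weights are deliberately simple; what matters is that the rationale is written down with the finding, that the “not reachable” claim is checked against real call paths (including transitive use) before it demotes anything, and that a finding is re-run through the same logic when its context changes.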

Visible support from leadership

The last building block for security culture we will talk about is leadership support. Having business leaders who participate in and care about security helps for multiple reasons. Monetary investment matters, but leaders also play a direct role in establishing a positive security culture. When people see that their boss cares about something and talks about it often, they see that thing in a very different light. Getting leaders to support security in a visible and vocal way sets the tone for the entire organization.

Putting it all together

We ran through a lot of advice in this article, so before wrapping up, let’s take a step back and highlight the key strategies we covered:

  • Build relationships
  • Share knowledge
  • Make it cool
  • Celebrate wins
  • Zero blame
  • Zero ego
  • Minimize overhead
  • Be realistic
  • Visible support from leadership

Changing security culture can feel like an uphill battle for some organizations, but it can be done. Culture is the sum of the interactions and feelings shared by people. By focusing on the everyday touchpoints people have with security, you can slowly change those feelings and make security a positive and desirable thing at your organization.