Building security cultures
Sustainable security culture emerges from organisational practices, not just awareness training. Build environments where security is a natural part of how work happens.
Cultural foundations
Psychological safety: Safe to report mistakes, ask questions, admit confusion without fear of punishment.
Shared responsibility: Security is everyone’s job, not just the security team’s job.
Continuous learning: Regular touchpoints, not annual training. Security as ongoing conversation.
Positive framing: Security enables business rather than prevents things. Protect what we care about.
Leadership modelling: Leaders visibly practise good security. Follow policies. Ask security questions.
Making security visible
Security champions programme: Volunteers in each department who advocate for security, answer questions, gather feedback.
Regular communications: Security tips in newsletters, Slack channels, team meetings. Short, actionable, relevant.
Physical presence: Security posters, reminders at copy machines (“Did you collect your printout?”), screen lock reminders.
Celebrate wins: Public recognition when staff catch phishing, report incidents, suggest improvements.
Storytelling: Share (anonymised) security incidents - what happened, how it was caught, lessons learned, improvements made.
Integration with work processes
Project planning: Security represented early in projects, not added at the end.
Change management: Security review as a normal part of the change process.
Onboarding: Security integrated into the first week, not an afterthought.
Exit procedures: Security included in offboarding checklist.
Performance: Security behaviours considered in reviews. Reporting incidents is positive, not negative.
Measurement
Leading indicators: Participation in training, incident reporting rates, security questions asked, champion engagement.
Lagging indicators: Phishing click rates, security incidents, policy violations, audit findings.
Cultural indicators: Employee surveys on security perception, voluntary training attendance, security in conversation.