InfoSecurity 2016: Creating a culture of security in your company

For companies looking to boost their cyber security defences, a lot of focus is usually given to the technology side of things, with emphasis being placed on building an arsenal of digital tools and solutions.

Obviously the technology is a major component, but it's not the only piece of the jigsaw. Employees also have a key role to play, as John Skipper from PA Consulting Group explained in a talk about fostering a company-wide security culture.

The key, John said, is trust: "Business is becoming 24/7, it's becoming pervasive through digital channels. To make that work it's important that you trust the people you're doing business with digitally and that they trust you." But, while trust can take years to build, in this so-called 'age of the data breach' it only takes one incident for all the hard work to be undone - as TalkTalk knows very well.

Digital trust revolves around three areas:

  • Protecting your customers - Meeting expectations and building loyalty
  • Protecting your business - Ensuring the continued delivery of services and understanding the risks
  • Protecting your assets - Maintaining confidentiality and integrity of data and understanding who is accountable

The problem businesses of all sizes are facing is that a perfect storm of risk is being created. They continue to engage with customers across more digital channels - mobile, web, email etc. - which increases a business's attack surface, whilst at the same time threats are evolving as "attackers have access to more and more sophisticated tools."

But John believes that too many companies focus just on technology, often forgetting that "handled correctly, your people are the strongest link in your security chain."

So, how do you actually go about creating a security culture? Well, it all starts from the top. Your company's leaders - CFOs, CMOs and even CEOs - "have to be seen to be getting this right." If they lead by example, it will quickly trickle down to the rest of your employees.

It's also important to promote excellence at all times and "reward good behaviours" rather than just punishing mistakes. Remember, a culture change is only effective if it affects employees' "beliefs" and "understanding," so simply setting rules and policies won't help. Employees need to be affected at a behavioural level, which can be achieved by making them feel trusted and valued.

Through all of this, a security-first culture can become a part of your company's DNA, improving customer relationships, boosting reputation and, ultimately, driving revenue.
