Part 3 of 6: This blog series details 5 practical steps for creating a culture of cybersecurity in the workplace.


Security comes down to three things: people, process, and technology. Process and technology, are largely handled by senior management and the IT department. Yet, people remain the leading cause of data and security breaches, with human error responsible for 52 percent of such incidents.

While this high rate of incidence is largely due to a lack of training - which we’ll discuss in our next post - the process must begin by developing a company culture that values data security.

The responsibility for protecting the company’s assets, including employee and customer data, is one that must begin to be seen as shared rather than assigned.

hands (1).jpg

Building a culture of security means establishing behavior that is part of an organization‘s daily operations. This will be largely executed through training, simulations, and regular communication. However, for these to be truly effective, all key stakeholders within the organization must buy into the concept.

Failing to create buy-in prior to policy changes or control increases not only hinders progress, but may even make matters worse through shadow IT creation, where employees circumvent provided IT by using services such as personal email and cloud file-sharing to conduct corporate business, in order to avoid cumbersome or confusing policies.

So, how do you get employees to buy into your culture of security? Here are our top 5 strategies:

‘Everyone’ Means Everyone.

Getting every organizational stakeholder involved in this process is vital. “Everyone from the janitor to the CEO has to think about security all the time.” says Bob Flores, a partner at Cognito and a former CTO of the Central Intelligence Agency. Changing corporate culture must come from the top down. This also goes back to the fact that hackers are smart and know who a company’s weakest link is, and how to target them. If even one stakeholder doesn’t buy in, then that’s your weakest link. If this person is a board member or executive with access to vast amounts of data, the problem becomes exponentially larger.

Find the Motivation

While large-scale, multi-million dollar cyberattacks make for great headlines, they don’t serve as a good example for ‘John Doe, manager at Joe’s Coffee Shop’. Many people still believe that hackers only care about big corporate America, though nearly half of all cyber-attacks are committed against small businesses. Make any examples you communicate realistic and relevant to employee’s specific roles. In addition, help employees to see that the security approach they practice at work not only protects corporate data, which includes employee information, but can also be useful at home in their everyday lives.

Make Policies Realistic

Policies are still the cornerstone of good security management, but in order to be truly effective and relevant, they can’t be written and delivered in a detached company-wide email from the CIO. Instead, they need to be contributed to, and bought into, by all key stakeholders. This not only reassures employees that they are involved in the process, but also ensures the policies will support, rather than hinder, core business objectives. Additionally, don’t update policies and procedures all at once, overnight. People are most willing to embrace security if the concepts and technology are quick, hassle-free, and easy-to-understand. So start small and build off of what employees already know.

Communication is Key

A successful security awareness program is not a project with a defined timeline and an expected completion date, but is instead a development of organizational culture. In order to truly create a culture of security, messages need to be designed and delivered according to each type of employee. There is no such thing as a one-size-fits-all security campaign, but some questions that organizations must always answer for employees include the following:

  • “What are the benefits?”
  • “What does it matter?
  • “Why should I care?”
  • “What impact do my actions have?”

Additionally, your risk assessment, will have highlighted key risk factors; communicate these results to employees. Being transparent about the reasoning for policy changes goes a long way.

Training at Every Step

From on-boarding to off-boarding, and every chance in between, training employees on what is expected of them is crucial. Employees that feel prepared are far more likely to buy into the ‘security culture’. So arm them with tools to be successful as the first defense against cyber attacks. Additionally, create an open dialogue that allows employees to feel comfortable to ask questions, request additional support or training, or be able to just ‘pop into’ an IT specialist’s office to ask if an email attachment looks odd. More on cybersecurity training in the next installment of this series.

According to Tracy Streckenbach, author and management consultant, "Culture is about performance, and making people feel good about how they contribute to the whole." When it comes to creating a culture that values cybersecurity, every employee’s contribution to the whole is doubly important. Creating that culture begins by creating buy-in.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.

Author: Jennifer Guidry, CMO | HCISPP