Security Culture: What is it, why it matters, and how to build it

March 15, 2026

Why security culture matters

Organisations face a wide range of security risks, from fraud and theft to nation state espionage and insider risk. Conflicts in foreign lands impact multinationals, too: local and expat staff in the conflict zone need up-to-date information, immediate protection and potentially evacuation; supply chains break down; and their networks become targets for nation state cyber-attacks.

Security teams have a critical role to play in today's volatile world, but they are only part of the security story. They set the rules, provide the infrastructure, monitor and verify, but they cannot be everywhere all at once. Ultimately, security is delivered through the everyday actions of ordinary employees. When people flout the rules, forget the protocols, feel pressure to work around standard operating procedures, decide not to speak up about their concerns, or find ways to game the system for their own benefit, the best laid security plans fall short.

That is 'security culture': what people do when other people are not watching.

What is security culture?

For many years, security culture has been limited to training, often just mandatory annual training. This is just one element needed to build and grow a healthy security environment where all employees understand their role in delivering security, know why this matters, and successfully execute the behaviours and actions needed of them.

Security culture is underpinned by three factors: attitudes, knowledge and behaviours:

Attitudes: do employees care about security and understand they have a role to play?

Knowledge: do employees understand what is expected of them and know how to behave securely?

Behaviours: do employees do what is expected of them?

Security culture is not achieved by chance or osmosis - it is created and recreated through intentional and disciplined activities aimed at shifting attitudes, building knowledge and nudging employees to adopt security-first behaviours, such as checking credentials, reading travel security briefings, reporting phishing emails, challenging unauthorised tailgating, and speaking up when something doesn't look or feel right.

Building security culture

In our work with clients, we advise them to follow these steps when building their security culture programme:

  • Why: define priority security risks, whether that's phishing, unauthorised access to R&D facilities, or insider risk.
  • Who: define priority employee groups, whether staff with privileged access to confidential information, members of the finance team, help desk colleagues with the ability to change account passwords, or travellers to high-risk countries.
  • What: define the specific behaviours, attitudes, and knowledge they want to see - and be specific. The biggest mistake security teams make is failing to be specific about the behaviours they want to target: close the door, report the phishing email, report a concern, or request photo ID when resetting a password, for example.
  • How: build a programme of activities closely matched to these objectives - the how must follow the why, who, and what, not the other way around. Many security teams start by doing, and then try to retrofit a rationale.
  • Find your allies: building a security culture is hard work and you'll need supporters, partners, and allies across the business, especially senior leaders, key functional partners like cyber security and HR, and individual influencers.
  • Measure: security culture metrics are not perfect, but it's better to start with something and build from there as you learn what works. It's critical to get a baseline so you know whether anything is changing as a result of your efforts.

The security team must model security culture

The security team can't do this alone, but their posture, approach to partnership, and response when someone makes a mistake or asks for help are critical to the success of security culture efforts. If employees find the security team to be closed, prescriptive, judgmental or inflexible, don't be surprised if they fail to report, find workarounds, and stay quiet when something happens.

Security culture is fast becoming embedded in regulatory requirements, industry standards and board expectations of what good looks like in security management. If you are not yet getting questions from the executive about security culture, expect them soon.

In a world where security threats are growing and becoming more complex, ordinary employees are an untapped security asset for many organisations. Security culture is central to the next generation of effective security management. Get ahead, get started and build a security culture that can deliver real and sustainable security for your organisation.

Clarity Factory work on security culture

Our report on security culture, sponsored by the ASIS Foundation, will be published by ASIS International in Summer 2026.

Get in touch if you'd like to discuss how The Clarity Factory can help you to build your security culture programme.