5 Ways to Develop an IT Security Culture

Developing a culture of IT security is imperative to ensuring your organization's data remains safe.

In 2002, Michelle Alvarez was ‘baggy pantsed’ as punishment for walking away from her computer screen without locking it. While she was away, one of her colleagues used her email account to send a message to everyone in the company saying: “Hi, my name’s Michelle and I wear baggy pants.”

Hardly the crime of the century, but at the time Alvarez, who is now a threat researcher and editor for IBM's managed security services, had just started working for a firm that took IT security very seriously; ‘baggy pants’ was one way that staff were reminded of the importance of taking care when dealing with the online domain.

Read on to find out about:

  • Why cyber security is a key issue at work
  • Five top tips to bolster your firm’s approach to online security

A top-of-mind awareness

Just as one trip to the gym won’t keep you fit for life, a single-pronged approach to cyber-safety is not going to be enough. Companies need ongoing, engaging sessions dedicated to nurturing a workplace conscience that puts security at the forefront of workers’ minds.

This drive must start at the top so that it filters through the rest of the workforce. In tandem, employers must outline the risks involved and demonstrate how reducing the likelihood of a security breach supports the business.

Employees need to receive this vision in a positive way; using negative tactics – threats of penalties or dismissal – will not work because a successful strategy relies on individuals buying into and supporting a culture of trust, not obeying one of fear.

Below are five key considerations for enhancing your workforce’s awareness of cyber-security.

The human element

All the best security defense systems have one weakness in common: the human element. This is particularly applicable to phishing attacks, whereby fraudulent emails dupe individuals into divulging sensitive information.

Tony Dyhouse, cybersecurity director at the UK Technology Strategy Board’s ICT Knowledge Transfer Network, argues that technology alone cannot be relied on as a protector, because it is far easier to defeat the user than the technology.

Staff need to be educated about phishing attacks, and that education should start with social media, because individuals often do not realize the value of the information they freely give away online.

Siân John, UK and Ireland security strategist at Symantec, has conducted workshops at a global bank that concentrate on waking staff up to security risks. The biggest challenge, in her eyes, is getting people to appreciate how their lack of understanding could bring a business down.

Everyone is a target

Online security is as valid for the average citizen protecting their email account as it is for multinational institutions and governments holding onto the personal data of millions of people.

Furthermore, cyber criminals can target almost anyone they like: attacks are cheap to mount, so breaking into almost any data store is likely to turn a profit. Social media has lowered the trench wall even further, exposing more people for longer periods, and often when their guard is down.

Big enterprises need to frame this 24/7 vulnerability within the context of company security to demonstrate the vested interest employees have in being proactive against cyber-threats.

Again, the initiative has to start at head office, according to Tim Holman, president of the Information Systems Security Association. Holman cites apathy as one of the biggest challenges, and points to large companies and even the UK government failing to care enough about cyber-security threats to business. In such a climate, how can employees be expected to take the subject seriously?

Make it fun

Competition makes any situation more interesting, so if you can introduce it into your IT security culture, staff will be more engaged. Organize a competition between departments that awards points for adherence to a ‘top ten’ of cyber-protection dos and don’ts, then display the results in a league table that everyone can see and has an incentive to follow.

This spirit is endorsed and practiced by Phil Cracknell, head of IT security at TNT Express, who considers humor the key to communicating the security message to all levels of staff.

One of Cracknell’s schemes used Star Wars themed videos to spread the security message. In one video, Darth Vader appears at reception claiming he has forgotten his ID and giving the ‘you know who I am’ routine. The videos were emailed to staff each day and were a huge hit, Cracknell claims.

Together, stronger

While the security team should be spearheading company initiatives, security procedures will be more effective if roles are shared by other departments.

Tasks can be delegated, spreading responsibility and extending a cyber-conscience across a greater area of the company, which in turn fosters a culture that runs with, rather than against, security protocols.

As John Skipper from PA Consulting Group states, “handled correctly, your people are the strongest link in your security chain.”

Public recognition

A visible code of conduct for preventing and responding to cyber-attacks makes protocols and practices measurable and concrete, and therefore more achievable, which increases engagement.

If individuals stand out in their efforts to adhere to an established, well-broadcast code of cyber-security conduct, ensure their achievements are recognized and rewarded.

The most popular rewards include gift vouchers and time off. Financial incentives can also be used, but they can create a negative backwash if employees come to rely on them and they are then taken away; keep things simple and aligned to the business.

As vital as cyber security is, employees are there to do a job, so make sure their daily routines still allow them to do what they were hired to do. Introduce security measures gradually; a measured, incremental approach will increase respect and acceptance, and kick-start culture change.

Match the key aspects of cyber security to the most relevant areas of the business so that employees can appreciate your concerns within a workable context.

Final thought

The bedrock of IT security is a collective awareness, education and subsequent collaboration to combat an ever-present threat. There is no silver bullet, rather, minimizing the threat of cyber-attack requires a sustained, multi-faceted program that involves the whole company.

As such, small measures are also the first steps on a long journey towards a safer attitude to IT in the workplace, which will ultimately mean the difference between a company’s success and failure.

Insights for Professionals provides free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.