How to Implement a Successful IT Security Culture


Tech Insights for Professionals: The latest thought leadership for IT pros

Tuesday, August 8, 2017

A successful IT security culture is vital to protecting your sensitive data, but it can be an impossible task if your organization lacks the fundamentals of a security culture. So how can you make employees security-aware?

5 Ways to Develop an IT Security Culture

No matter what IT security you have in place, if your employees don’t respect their digital security policy, it could be a waste of time. This can also lead to more serious issues, including an increased risk of experiencing a data breach.

Essentially, employees are going to do whatever makes their life easier, and so it can be incredibly difficult to implement a security-aware culture within the work environment.

Not only will a well-developed IT security culture help your data to remain safe, it can have additional benefits as well, including:

  • Engaged employees taking responsibility for security issues
  • High levels of compliance
  • Employees acting in a more security-conscious way
  • Employees being more likely to report unusual activity or behavior

Achieving this level of security-awareness is a challenge. In order to develop the ideal IT security culture, this article is going to look at:

  • Why cyber security is such a key issue within the workplace environment
  • 5 ways in which you can strengthen your firm’s IT security culture
  • The benefits of doing so

Five steps to creating an IT security culture in your business

A top-of-mind awareness

One bowl of salad a year isn’t classed as healthy eating; similarly, a single-pronged approach to IT security isn’t going to be enough to keep your data protected. In order to keep employees up to date with security practices, try holding regular sessions that engage employees in learning about how they can be secure in the workplace as well as at home. These sessions should work towards nurturing a mindset where IT security is at the forefront of everything they do.

In order for this to be successful, awareness needs to start at the top and filter through the different levels of management to the rest of the workforce. Additionally, the risks involved in everyday activities need to be highlighted to employees in order to demonstrate how security-awareness can support the business.

This needs to be delivered in a positive way in order to create a supportive culture of trust. Threats of penalties or dismissal won’t work and will instead create a culture of fear.


Every defense system in the world has the same weakness: human error. This is particularly relevant when discussing phishing attacks.

Tony Dyhouse, cybersecurity director at UK Technology Strategy Board’s ICT Knowledge Transfer Network, feels that ‘technology as a protector’ is a largely mythical concept, as it is far easier to defeat the user than the technology.

This means that education is key to developing a successful culture around IT security. Starting with social media, employees need to be taught the value of the information they give away for free across their personal networks.

Siân John, UK and Ireland security strategist at Symantec, believes that the biggest challenge is to show people how their lack of understanding could impact a business in a variety of ways.


Online security is a concern for the average citizen, as well as international organizations or governments protecting the data of millions of people.

Hacking isn’t an expensive endeavor, which means that any data procured is likely to result in a profit. With cybercriminals capable of targeting whoever they like, and social media allowing people to be exposed for longer periods of time, data protection is becoming a serious issue.

Large corporations need to address this vulnerability 24/7 within the context of company security and demonstrate to employees why they should have a vested interest in being proactive against cyber-threats.

According to Tim Holman, president of the Information Systems Security Association, this initiative needs to start at head office. He believes that a failure by large companies and governments to demonstrate care about cybersecurity will impact the IT security culture as a whole.


Competitions are always likely to draw more interest, and gamifying IT security could lead to a more engaged workforce.

This could include arranging competitions between departments where points are awarded when employees adhere to the top do’s and don’ts of cybersecurity. Incentivizing IT security in this way will develop a culture that is willingly participating in IT security.

A similar method was implemented by Phil Cracknell, who used a Star Wars-themed video at Yell to encourage IT security. One such video involves Darth Vader at reception without his ID going through the ‘you know who I am’ routine. These videos were emailed to employees daily, and were incredibly popular. Cracknell believes humor is the key to getting his message across to all employees.

Together, stronger

Although it should primarily be the security team’s responsibility to spread the word, involving heads of departments in the process will spread responsibility and allow a greater reach for security-awareness within the company. This in turn will foster a culture of IT security.

As John Skipper from PA Consulting Group states, “handled correctly, your people are the strongest link in your security chain.”

After discussing the five elements of a strong IT security culture, it’s clear that to build a strong foundation, companies need:

  • A collective awareness
  • Good education
  • Collaboration

There’s no single answer that can solve the issues faced by IT security professionals; instead, it’s a strategy that requires several different approaches in order to create the most effective security culture available.

A sustained, multi-faceted program involving the whole company is going to be the best line of defense against cybercrimes. It may seem like a long road to a healthy security culture, but small steps will go a long way to getting you started in developing a safer attitude to IT in the workplace.
