Analysts contend the best way to ensure security in your enterprise is to create a culture of security. (See “A new approach to the old problem of enterprise security.”)

But how do you do that?

We asked John O’Leary, the director of education for the Computer Security Institute and a Certified Information Systems Security Professional. O’Leary regularly leads a CSI seminar called “How to Create and Sustain a Quality Security Awareness Program.”

According to O’Leary, you must make employees and management aware of the importance of security, teach employees to recognize security incidents and hazards, and ultimately, integrate sound security practices into employees’ day-to-day lives. This article explains three steps you can take to achieve that shift and create a culture of security:

  1. Start with upper management.
  2. Make security relevant to employees.
  3. Establish security’s importance from day one.

Start with upper management
Creating a culture of security begins with executive management, according to O’Leary.

Upper management must set the example by going beyond rhetoric to convince employees that they believe in the importance of security.

Believing in the security program means religiously following a set of security guidelines that include wearing a name badge, shutting down computers before leaving the office, choosing passwords that are not easily guessed, and changing passwords regularly, he advised.

It’s also the CIO’s job to make sure executive management understands the importance of security. You have to make it clear that security is expensive but that your investment will be recouped over the long term, according to O’Leary.

“Short term, yes, you’re spending money on this. But if the network is down, you lose and can’t do the mission of the organization,” he said. “If you tie security goals, like availability, integrity, and confidentiality, to the mission of the organization, it’s much easier to see why you want security and why you have to have it.”

Make security relevant
The second step O’Leary recommends is to stop issuing security commandments and start explaining why security is important.

“It’s easy for people in my position—security types—to say, ‘Thou Shalt Do This’ and ‘You really ought to do that,’” he said. “But unless you can couch it in terms they understand, then the people who you’re talking to are not going to change their behavior. And really what all of this is about is changing behavior.”

The key is to make security relevant to employees. Management needs to explain that if someone is lax about security, it can impede workflow.

“If you’re talking to people whose job is order entry, you have to talk security in terms of its effect on order entry and how inappropriate security can cause order entry to be unavailable, and therefore they can’t get their job done,” O’Leary said. “Orders don’t get entered. Things don’t get pulled from the warehouse, etc.”

You should also tailor your message to your audience. When talking to a technician, you should address the technical aspects of security. If you’re speaking with network administrators or network architects, however, your best bet is to ask for their help rather than telling them what to do.

“Asking for their help can be a wonderful way to get cooperation,” O’Leary said.

Establish security’s importance from day one
Finally, if you want to establish a culture of security, you must impress its importance on employees from day one.

That means security training should be part of the employee orientation process, O’Leary said. Explain to new employees that security is part of your corporate culture and outline the procedure for identifying and reporting security violations.

“You want to give them something during that orientation briefing that they can leave with that says here’s the general rules of security for this place.…Here are the people that you call if you suspect that there are any security violations,” he said.
What steps do you take to institute security as a cultural imperative at your company? E-mail us or post your comments.