
Joan Goodchild, Edge Features

Building a Cybersecurity Culture: What's Love Got to Do With It?

Turns out, a lot. Get people to fall in love with the security team, and you'll get them to care about security, CISOs say in this second installment of a two-part series.

Fredrick "Flee" Lee is CISO at Gusto, a cloud-based payroll, benefits, and human resource management software provider. Along with his fun-sounding nickname, he has a playful view on how to get organizationwide buy-in on security: Get people to fall in love with the security team.

"The key to building and instilling a security culture within an organization is to make security lovable," Lee says. "Security can't hide behind their hoodies, so to speak. Security should be the most approachable team in the room so that other teams within the organization want to actively engage with [them], instead of skirting around [them]." 

Security is serious, Lee explains, but you want your security team to be approachable and to be seen as the helpers. Nail that and suddenly security isn't seen as a roadblock or barrier; it's the team that goes out and finds solutions to securely enable products and features that weren't possible in the past.

At Gusto, Lee says he accomplishes this by conducting security team-building and offsite activities with colleagues from other teams, and by having an open-door policy and office hours so anyone, from any division, can feel welcome to approach with questions. He also offers lab-based training for developers.

"You don't get someone to fall in love with a sport by throwing the rule book at them," Lee says. "You let people experience it. At Gusto, we've implemented lab-based training with an emphasis on collaboration. Our security pros don't go up to a whiteboard and dictate what to do to developers as a lecture. Instead, we create learning modules that enable developers to think like hackers. We let them wear the hoodie, so to speak. That way we create champions and evangelists who get their teams excited about security." 

Lee also makes sure to keep his security folks visible year-round by seating them among the teams they support.

"That way they're viewed as part of the team, instead of a compliance layer," he says.

Next Stop: Cybersecurity Utopia?
Jon Check, too, sees the need for security to be personable. The senior director of cyber protection solutions at Raytheon Intelligence, Information and Services has been working lately on educating others about what he calls "Cyberlandia" – the optimum state of cyber readiness featuring happy employees who feel empowered and energized to face whatever threats are thrown their way.

"A healthy, positive workplace culture is an organization's greatest cybersecurity deterrent," Check says. "Instead of taking a reactive stance to adversarial threats, corporations should invest their time, budgets, and energy into a crucial asset that isn't often discussed: a corporate culture rooted in employee well-being."

A people-first approach to designing security is the first step to reaching Cyberlandia, Check says. It requires a soft touch when communicating with employees.

"Given the sensitive work within the cybersecurity sector, there are always high-stress and high-risk discussions in the workplace," he says. "An effective manager will strategically disclose this information to those who need to hear it, knowing that misplaced information could cause undue stress across the office."

Speak Softly – and Lose the Big Stick
Indeed, the soft skills of communication are essential to building security culture, says Geoff Belknap, CISO at LinkedIn. But while the security team doesn't want to instill fear and scare people into secure behavior (that isn't effective, Gusto's Lee says), it is still essential to be honest and frank about what's at stake when it comes to risk mitigation.

"I do think there's an interpersonal element of security culture that can get overlooked. Historically, security teams have taken on the 'policing' role in an organization, enforcing security practices and emphasizing the negative consequences of mistakes," Belknap says. "The problem with this mindset is that it creates an adversarial dynamic of 'us versus them,' when in reality, security affects the entire organization and should be everyone's responsibility."

It's all about creating a security-aware culture, he adds. As part of that, it's critical for security teams to convey why security is a priority for everyone using language that employees from all levels of the organization can understand.

"Avoiding jargon or falling back on 'that's just the way it is' when you're explaining things will go a long way toward fostering understanding throughout the organization," Belknap says.

(Image: Leigh Prather via Adobe Stock)


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

User Rank: Author
11/21/2019 | 12:00:13 PM
You forgot about data ethics
Data ethics is growing rapidly as part of security culture because it trains and empowers employees to see and handle sensitive data in a different way. Risks can be significantly reduced when there's a culture of personal care and responsibility for data, and not just a broad awareness of risks.

And it can work very well as a risk management tool because being ethical is second nature to most humans.

This is where AI is already influencing security culture, and in a very surprising way.
User Rank: Apprentice
11/20/2019 | 10:35:37 AM
Re: Language is Key
Great article, Joan. I recently left Gartner to join a start-up that is empowering organizations to create a positive security culture. The team at Elevate Security has finally found a way to measure employee behavior and celebrate the people who adopt a stronger security mindset. Along the way we found ways to make it fun and work towards Cyberlandia as Jon Check referenced!

We are giving $100 to a charity of your readers' choice for anyone who gives us the opportunity to provide a demo of our new approach. Not a super sales-focused experience, more of peers talking about what works and how to measure it.
Tom Carter

Elevate Security

User Rank: Strategist
10/29/2019 | 4:53:07 PM
Language is Key
Even guidance documentation needs to be presented with a less pejorative term than "must". Being told to do something in this way creates a natural unconscious resistance. Depending on the reader, this resistance can filter out what may be critical instructions, and increase the probability of a mistake.