How can you build a security culture in your business?
The foundation of a strong security culture is trust. If you demonstrate to your staff that you trust them to report security concerns in a timely manner, and they trust that you will use that information in a positive way, then you have the makings of a great culture.
Create a culture of accountability, not blame
One of the first stumbling blocks faced by a business working to create a strong culture of security is a failure to move away from blame. Blame is almost always counter-productive: it rarely solves a problem and, worse, it leads to people failing to report incidents.
Moving away from blame does not mean that people are not accountable for their actions; instead, it gives them a chance to learn and grow. Allowing people the opportunity to own their mistakes and take responsibility, and involving them in any work carried out to resolve the issue, drastically reduces the chances of recurrence.
Showing employees that all incidents, no matter their cause, will be reviewed fairly demonstrates trust and leads to both development opportunities and an increased willingness to report incidents in the future.
The key takeaway here is that mistakes should not be stigmatised, and individuals or teams should not be singled out for blame. Any security incident should be seen as both a wider failure of controls across the business and, most importantly, an opportunity for improvement for both the individuals involved and the wider business.