Cultivating a Culture of Security
When we talk about company culture, we are referring to the collective manifestations of beliefs, values and attitudes that exist in a company. It is a culture that exists whether intentional or not. A wise leader then, cultivates the beliefs, values and attitudes that he or she believes will ultimately lead the business and its employees to succeed.
Our customers consistently tell us that security is a top priority. Security then, while extremely important in our product, is ultimately important at every level of our business. You could say that we have a culture of security.
We offer these building blocks then to start adding security to your company culture:
Build a Team of Creative, Analytical and Critical Thinkers
It goes without saying that critical thinking skills are an asset in an employee, but these skills are also crucial when protecting the security of your business. Be sure your team is filled with thinkers. Ask questions of potential team members that show you their thinking process. Do they analyze and measure when solving a particular problem? Do they come up with creative solutions and then test them? Or do they simply do what looks or sounds right?
Does your team have a devil’s advocate? The role of the devil’s advocate doesn’t have to be adversarial; having a devil’s advocate allows you to see every issue from all angles and to avoid groupthink.
When communicating with your team, be sure to share your own insights and thinking processes too, so that they can see how you arrive at decisions made around security.
Build an Understanding of Why Security is Important
Whether your company’s security concerns are in protecting personal health information of patients, protecting the confidentiality of your clients, keeping intellectual property private, preventing breaches of financial data, keeping systems safe from hackers, or all of the above – be sure your employees understand the why behind each of these reasons. Talk about the reasons often in an ongoing conversation. Don’t just tell them about the behavior to avoid, talk about why to avoid particular things. Talk about maintaining privacy when on the phone in a public place, the implications of uploading and downloading data in an unsecure environment, and the importance of creating strong passwords.
Continue to Emphasize Security in Every Aspect of Every Role
Behavior around security measures, like any behavior, can be positively reinforced. Practicing security goes beyond the IT department. How many of your employees could tell you what they do to make the organization more secure?
For example, if you ask that your employees all have their own individual network logins and never share their passwords, is this reinforced in other instances when logins and passwords are used? If employees in marketing or sales are sometimes told to use a shared login/password for other online tools, they may see that the importance of security isn’t always observed. Whenever possible, use separate logins and passwords. If this is not possible everywhere, be sure that passwords are changed on a regular basis and emphasize that they are only given out to those who need access. When there is employee turnover, be sure to change shared passwords that the departing employee had access to.
Think of this as a “state of being vs. a state of mind.” In other words, it’s great to think about it, but you have to live it too.
Hold regularly scheduled security audits where employees are asked to change their passwords and to show you that their computers have password protected screensavers.
If you have a cheat sheet of all your passwords in an unlocked drawer, or on a piece of paper under your keyboard, then you have a bit of work to do. Being the example of security that you need your employees to be is probably the most important behavior you can demonstrate.
When you are successful in cultivating a culture of security the benefits will follow you in other aspects of business. Customers and partners will feel good about working with you. Employees will not only understand the importance of security practices, but they will feel protected knowing that in this culture of security their own private data is important and secure.