Cultivating a Security Culture: 5 Steps to Engage Your Team in Information Security

Posted on September 3, 2020 - by Laird Wilton - in Building Your InfoSec Program

Having an information security culture can dramatically improve the overall security within your organization. That’s because your employees are the frontline of defense against cyberattacks and malicious actors. Cultivating a security culture can empower them to be more discerning when they encounter potential attacks.

Even if they think they are adept at spotting phishing emails or suspicious links, other tactics like social engineering remain prominent. Here’s how to cultivate a security culture to help keep your data safe and stand out to customers that consider security in the buying process. 

How to Cultivate an Information Security Culture

Security culture ensures that security becomes embedded in every part of an organization rather than leaving it to the IT department or managed security specialists. Follow these five steps to encourage your team to embrace it:

1. Make It About Learning, Not Consequences

According to Kaspersky, as many as 45 percent of employees hide cybersecurity incidents rather than report them. That’s the exact opposite of what needs to happen, yet it occurs when employees fear repercussions if they make a mistake. If employees know the most likely outcome for them will be additional training or reduced access to certain data, they might be more likely to notify the security team. 

Rather than emphasizing punitive measures for employees that fall prey to scammers, focus on positive feedback for the things they do right. That ensures employees feel good about security and empowered to act when the moment arises.

2. Establish Formal Policies

Help your users know exactly what they should and should not do in any given instance through the creation of formal policies to guide them. 

Depending on what your company does and your industry, you may need well over 10 policies. Traditionally, companies used a DIY/templates approach or hired a consulting firm, but Securicy can quickly generate customized policies for your business, which include everything you need for compliance with HIPAA, SOC 2, or other frameworks and regulations. Once you’ve got the policies, you also want to establish a system to track employee agreement, assign tasks, and report on security compliance.

Some examples of policies you may need for your business: 

  • An acceptable use policy
  • A human resources policy
  • A data classification policy
  • An asset management policy
  • An email policy
  • A password policy
  • An encryption policy
  • An incident response reporting policy for all employees, with an incident response plan for your security team

3. Schedule Training Simulations

In a crisis, it’s easy to freeze if you don’t have a clear plan of action already determined. Live-action training like simulations, table-top exercises, and roleplaying can help staff understand how and why a security incident unfolds and what to do about it. Make these semi-frequent and use them as educational opportunities to keep your employees up to date with current threats. 

Phishing simulation software can also be used as part of your training and awareness program, which can help you evaluate how your employees respond to attacks in their inboxes. 

4. Don’t Keep Security in a Silo 

Part of maintaining strong information security involves promoting good communication between colleagues and departments. Your employees should never feel shy about reaching out if they have questions or concerns. In particular, they should feel able to:

  • Forward suspicious emails to the IT department or designated security team member for investigation
  • Reach out to coworkers through other means, like Slack, text, or phone, if they receive a suspicious communication
  • Report a potential incident, unusual activity, or a breach without hesitation

5. Implement Security Frameworks

Security frameworks are guides that can help you secure your organization without accidentally leaving anything out. They can help you decide which policies you need, give you a benchmark for compliance, and put you in a strong position when you need to answer vendor security questionnaires.

There are many out there (SOC 2, ISO 27001, and NIST are several popular standards for tech companies). If you don’t have a security framework yet, we like the CIS Controls as a starting point because they are thorough while being intuitive enough for non-IT employees to grasp. Using the CIS Controls as your framework also puts you in a strong position if you later decide to adopt other security frameworks.

Leveraging a framework can also show you where any weak points or vulnerabilities stand, helping you to secure your company before those holes are exploited. Depending on your needs, you can use an internal reporting tool (like our Reporting Center in Securicy) or a third-party auditor to monitor your compliance.

Educate Your Employees for Excellence

At the core of a strong information security culture lies well-trained employees. You can have all of the policies in place, but if your people don’t know what to do with them (or disregard them outright!), you’ll run into problems fast. A strong security culture provides a solid foundation to build on, and your customers will quickly find out if your commitment is only half-hearted. For B2B buyers who care about data security, your culture can make you stand out and close the deal.

If you’re adopting a security culture in your organization, get in touch with us. We’ll provide the insights, support, and resources you need to make sure your strategy is efficient and effective.


Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing your cybersecurity plan.

About the author

Laird Wilton is a tech entrepreneur, Techstars alumni, board member, and the COO and Co-Founder of Securicy. Securicy’s SaaS offering guides businesses through creating, implementing, and managing their information security and privacy compliance program.

Laird lives in Cape Breton, Nova Scotia with his wife and young family. When not working, he spends his time traveling with his family, coaching minor football, playing hockey and volunteering at his community’s recreation center.