By: Patrick Martin on March 24, 2022

What Is An Information Security Culture? How Can You Foster One?

Information Security

Cybersecurity and compliance are important building blocks for a healthy IT infrastructure. Some organizations assume that once they have these two elements in place, they have checked the box and their IT environment is secure.

The truth is that simply putting tools in place does no good without a culture that is actively engaged, monitoring, and implementing information security enhancements regularly.  

So, how can organizations establish and maintain a culture that keeps IT compliance and cybersecurity front of mind, while ingraining the idea that overall information security is the goal?

I get asked this question a lot and I’ve identified several key characteristics that set organizations with strong IT security cultures apart from the rest of the pack.

In this article, I’ll identify and explain five characteristics of organizations that have institutionalized strong information security cultures. You can use these characteristics to see how your own organization measures up.

What Is An Information Security Culture?  

An information security culture reflects an organization’s ongoing commitment to keeping its information safe. An information security culture includes compliance and cybersecurity, but most importantly, it focuses on protecting your company’s data from any unauthorized access (not just electronic access). 

Why Is An Information Security Culture Important? 

Organizations have all kinds of sensitive information ranging from the recipe for their secret sauce to government-regulated design and manufacturing specifications.

No matter whether the information is important to the organization’s product or to international security, information that would be damaging if it were released publicly must be protected. 

An information security culture ensures that every employee understands and embraces their role in protecting sensitive information, enhancing the safety of your organization’s information. 

5 Key Elements Of An Information Security Culture 

Many elements combine to create and foster a strong information security culture. I’ll highlight five that I view as key.

1. Ownership

I’ve had conversations with customers who want to pay someone else to create an information security culture for their organization. I can tell you from experience that approach doesn’t work. 

The organization needs to own this initiative. Outside resources can be used to implement portions of the plan, but the ownership for the overall initiative must come from within the organization. 

Every person within the organization needs to understand their role and own their responsibility for protecting information. 

2. Buy-in

As with any other major organization-wide initiative, the success of an information security culture is directly tied to buy-in at all levels of the organization.

For example, I’ve worked with companies where the policy stated that company information is not to be accessed via personal devices, but in action, that policy applied to everyone except the leadership team. That’s an ineffective policy. The direction and demonstration of commitment to it need to come from the top.

Leaders need to understand the value of the information security culture and mirror best practices.

The rest of the organization also needs to adopt an information security culture mindset. When people understand the importance of the issue, the role they play, and the impact their daily actions can have, they are more likely to embrace an information security culture. 

3. Champion

Organizations that successfully implement an information security culture also have at least one internal champion. This person (or group of people) doesn’t need to be an expert and can be from any level of the organization, but they need to be an evangelist. 

The champion(s) will take the reins and lead the initiative within the company, explaining why information security is important and the role that each person plays to secure the organization’s data. 

Let’s face it, we all have short attention spans. People are busy. We forget things. The champion takes on the role of keeping information security at the forefront and guiding the organization to a safer existence.  

4. Risk Assessment & Management

To educate team members about their role in helping to mitigate risk, the organization must assess and understand where it falls on the risk spectrum.

What do you do? What are the threats your particular organization faces? What might they look like? Where might they come from? What will they do? 

If your organization is a multinational entity involved in the defense industry, your risk is likely higher. 

Higher profile organizations have a higher risk. Specialized technology companies have a higher risk. This means that a multinational entity involved in manufacturing for the defense industrial base would almost certainly be high risk.  

A stand-alone business with one site that has limited access to personal or credit card information is likely at lower risk. (Although there is still a level of risk, that risk is mitigated by basic compliance requirements.) 

A healthcare company will have privacy concerns, so their information security concerns will likely be focused on protecting personal data. 

Figure out how to mitigate and manage your risk. Understand the frameworks and compliance requirements your organization may already have in place (such as NIST 800-171, HIPAA, or PCI-DSS), identify information security gaps, and build on the tools you have already established. 

Keep in mind that this is an ongoing process, as the threats and risks are constantly evolving. 

In many cases, companies bring in a third party to provide a fresh perspective on their threat assessment and management activities.

5. Resources

Another key tenet of organizations with successful information security cultures is that they have allocated resources to support the initiative.

A survey of financial institutions conducted by Deloitte found respondents spent 0.2 to 0.9 percent of annual revenue or 6-14 percent of their IT budget on cybersecurity alone. These numbers are averages for organizations already involved in cybersecurity activities. 

If your organization is just getting started, I’d recommend committing at least one percent of your annual revenue to information security. If used properly and effectively, one percent of annual revenue can do a lot. 

I know one percent of annual revenue may seem like a lot of money, but I’ve seen the full impact of data breaches. From financial loss to downtime for the business to reputational harm, data breaches come with a serious cost.

On the plus side, I’ve seen organizations do a lot to shore up their information security with a wise investment of just one percent of annual revenue.   

What’s The Bottom Line When It Comes To Establishing Or Enhancing Your Organization’s Information Security Culture?

Now you know what an information security culture is and why it’s important. You also know the key elements for successfully adopting and fostering the culture: ownership, buy-in, champion, risk assessment and management, and resources.   

You know the importance of educating people at all levels of your organization about information security, why it’s important, and the role each person plays.

Once you make the case by identifying and quantifying the risks and rewards associated with action and inaction, people will be more likely to support information security initiatives, making it easier to ingrain them in the overall culture.

I’d like to emphasize something I said earlier: While organizations often work with third-party organizations to develop the details of their information security initiatives, it’s important that the responsibility for establishing it as a cultural initiative rests within the company.

Initiatives created outside the organization have very little chance of long-term success. 

Kelser Corporation has been in business for 40 years and has helped hundreds of companies with IT and security issues. As a managed services provider, we provide ongoing IT support for small- and medium-sized businesses. We know managed IT services aren’t right for everyone.

In spite of that, our organization values trust and transparency. We are committed to providing easy-to-understand IT information that organizations like yours can use to keep your information safe. 

If you’ve been thinking about IT managed services and want to know more about how it helps companies like yours, check out this article: How Much Does Managed IT Cost? What’s Usually Included?

About Patrick Martin

As vice president, engineering services, Patrick tackles technical challenges on a daily basis. He enjoys working with customers to help them use technology effectively to achieve their strategic business goals and objectives.
