Get to Know Security Culture

Learning Objectives 

After completing this unit, you’ll be able to:

• Explain what a security culture is.
• Describe what happens to an organization in the absence of a strong security culture.

This module was produced in collaboration with the World Economic Forum (WEF) and Fortinet. Learn more about partner content on Trailhead.

Before You Start

If you completed the Get Started with Security Awareness trail, then you already know what it means to build a security awareness program, and how to identify risks and protect your organization. Now let’s talk in detail about how to define a good security culture at your organization.

What Is a Security Culture?

In short, a security culture is the ideas, customs, and social behaviors of a group that influence its security. Organizations often embed culture in their vision, mission and values. An organization’s culture describes the attitudes it has toward various topics. Here are some questions that may form the basis of an organization’s culture:

• Does it value innovation over tradition?
• Does it focus on people or processes?
• Does it embrace change?

Culture acts as a roadmap or framework, shaping and informing people’s everyday interactions. Culture also serves as an evaluative tool with which individual performance can be measured against shared values.

To gauge the effectiveness of an organization's security culture, it is important to observe how individuals and teams approach security in their day-to-day operations. By identifying the organization's current security culture it’s possible to identify and address  areas for improvement. To achieve this, organizations may utilize various tools and frameworks to evaluate and pinpoint gaps in processes, policies, or practices that may be hindering the overall security posture of the organization.

Conducting a security culture gap analysis gives you an opportunity to discover and address risks, helping protect your organization against potential threats. This is the first step in proactively safeguarding sensitive data.

Tools to assess the current state and identify security gaps include: 

• Surveys
• Interviews with staff members across all levels of the organization,
• Scenario-based exercises (e.g., tabletop exercises)
• Frameworks based on academic research
• Industry models (e.g., ISO 27000/1, NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls)
• Vendor assessments (e.g., KnowB4’s Security Culture Survey, Gartner’s CARE framework).

Each tool can offer valuable insights into an organization’s ability to comply with regulations, protect its assets from cyber threats, and foster a secure working environment for employees.

What Happens to an Organization When It Has No Formal Security Culture?

Security culture includes the organization's formal and informal rules and procedures for handling security issues. The degree of formality vs informality influences the overall effectiveness of the organization’s security culture.   

A formal security culture is codified and explicitly written in an organization's policies and procedures and modeled in the decisions and actions of leaders and employees. Organizations that invest time and resources in formalizing their security culture are typically effective because expectations are clearly expressed and everyone in the organization is held accountable for their role in maintaining and improving the organization’s security culture.

An informal security culture is one where policies, procedures, rules and measurable standards  are not clearly established or explicitly defined in writing. Informal security cultures are more vulnerable to internal and external threats because of unclear expectations and lack of consistent employee training on how to properly handle sensitive information. In addition, these organizations are also more likely to suffer from increased regulatory scrutiny and reputational damage if a breach does occur. 

Organizations invested in a strong culture recognize that security is not just a department, but rather an organizational commitment. By making security part of everyday life with active and meaningful training, established written policies, and measurements to track progress - committed organizations build better blocks of defense for their current and future success. Employees play their part through consistent compliance with security policies and positive influence of peers and subordinates; doing their best to protect themselves and the organization’s mission.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching security model on the right. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.

Sum It Up

In this unit, you’ve learned what a security culture is, tools used to measure its current state, and what happens to an organization when it has no formal security culture. Next, let’s turn to how to define a strong security culture. 

Resources

• Trailhead: Get Started with Security Awareness
• Salesforce Security Blog: Establishing a Trust-First Culture for All
• External Site: The World Economic Forum (WEF): What happens to an organization when it has no security culture? 
• External Site: KnowBe4: Introducing the Security Culture Maturity Model