“Culture eats strategy for breakfast” is probably one of the most oft-repeated statements on the importance of culture to business.
If protecting your business from criminals who want to steal from you was as easy as giving employees policies and rules to follow, then we’d do those things and be finished. Unfortunately, that’s not enough these days — for two reasons.
First, criminals are constantly upping their game. As a business leader, you know the importance of constant innovation. Cybercriminals do, too. Tactics change constantly and it’s hard to keep yourself up-to-date on the latest threats, much less your employees.
Second, humans are complex and we often do not make decisions based on finely written policy. Sometimes we make decisions based on how we feel. In terms of security, that irrationality can actually be a good thing. Employees often catch fraud attempts because “something doesn’t feel right.” We want to use that irrationality – that “gut feeling” – to our advantage when protecting our businesses.
That’s why culture is important. You can’t dictate it – written policy and processes are there to support your culture and provide guard rails, but they will not create it. You also cannot completely control it – culture lives in your employees’ hearts and minds. So how do you make cybercrime and fraud protection key attributes of your company culture?
- Be an example. Employees will follow your lead, but you have to do just that: lead. Do they see you exhibiting a healthy suspicion when something doesn’t feel right? Do they see you following processes put in place to protect your business from business email compromise or ransomware? If you take shortcuts that put your business at risk, employees will do the same. You need to walk the talk. Your behavior as a leader shifts attitudes, beliefs, and ultimately, employee behavior.
- Be clear. People like clarity; it keeps us focused on what really matters. Clarity helps us prioritize our work. On the flip side, confusion (the lack of clarity) often leads to a company culture where individuals are constantly in reactive instead of proactive mode. That leads to burnout for both you and your employees. Similarly, when it comes to protecting your business, be clear about what’s expected of your workforce. Create written policies and have processes and procedures in place that make it clear that protecting the business is a priority.
- Be repetitive. Creating the security culture you desire in your business is not a one-time event; it’s a continuous process. Repetition is key for instilling good security habits in your employees. If you want the people working for you to make secure habits a part of their regular routine, repetition is really important. See what I did there? Repetition helps create new habits over time, so out-of-the-ordinary tasks become routine – for example, calling a vendor to confirm they’re really asking you to change their ‘pay to’ account. Lather, rinse, repeat.
Establishing a strong security culture will not happen overnight. Many days you’ll wonder why it’s taking so long for your team to “get it.” But as a leader, you have complete control over what you do to bring about culture change. Lead by example. Make your expectations clear. Train your employees. Repeat secure processes until they become habits. Do this and in time you can sit back and relish your culture for breakfast, lunch and dinner.
Lisa Plaggemier is Chief Evangelist at Infosec, a leading security education provider. She has a track record of demystifying security to engage and empower employees to better protect their organizations. Lisa draws on her years of international marketing experience to advocate for security training and awareness programs that are fun and provocative.