How to Fix a Dysfunctional Security Culture

Moving from indifference about security to a place where users actively champion it is achievable through focused effort.


There’s an old business saying, often attributed to Peter Drucker, that goes: “Culture eats strategy for breakfast.” Whether or not he actually said it is debatable, but the sentiment is clear—without a strong culture, organizations will be unable to execute on their strategies.

Culture underpins everything an organization does—and how it gets things done. While the term is usually applied to the organization as a whole, there are also cultures (or subcultures) within organizations that form around specific business practices—like security. At my company, we define a security culture as the ideas, customs, and social behaviors of a group that influence its security.

The Hallmarks of a Security Culture

Culture shifts over time. A positive security culture will grow from basic compliance to a sustainable and well-integrated one that drives secure behaviors and prevents breaches.

But cultures can also become toxic or dysfunctional, working at cross purposes with the desired values and goals of the organization.

From a security standpoint, a dysfunctional culture might exhibit such signs as failing to follow the organization’s policies and procedures related to data management; failing to properly protect sensitive customer, employee, or company data; lack of employee security awareness training; failure to adequately protect against breaches—or to appropriately report when a breach occurs.

Broader signs and signals may also be observed: things like high turnover, employee dissatisfaction, low productivity, or lack of engagement.

A dysfunctional security culture lacks the necessary focus, programs, metrics, integration, and sustainability to positively influence employees’ security mindsets. The result can be detrimental not only to the organization’s systems and data—but also to its reputation and brand.


It is important for companies to be continuously vigilant: always alert to the signs of a dysfunctional culture, and always taking proactive steps to ward off apathy and move toward engagement, where employees feel supported and valued.

Fixing a Dysfunctional Culture

Organizations can take steps to fix a dysfunctional company culture—and a dysfunctional security culture.

  • Focus on the “big rocks” first. Overall cultural signals like turnover and dissatisfaction often provide early warning of potential impacts on other areas of the company—like security. Continually monitor and respond to these signals before they become more pervasive.
  • Identify and catalogue the signs. What are the aspects of your company’s security culture that have you most concerned? Employee attitudes? Lack of adherence to policies and processes? Breaches? Use assessments, surveys, and diagnostic tools to help identify and quantify issues. This will provide a benchmark to measure progress as you move forward.
  • Assess the impact of your leadership team. Your leadership team sets the stage for the actions and behaviors of everyone within the organization. If they are dismissive of security policies, fail to take part in or support training efforts, or turn a blind eye to employees who defy security rules, a dysfunctional culture will take root (or is already at play).
  • Don’t try to boil the ocean. Pick one or two behaviors you would like to change because of the impact these behaviors have and focus on fixing those.
  • Be clear about your vision. What would a strong culture look like? What signs would be in place to indicate that a sustainable, positive culture of security exists? Then put that vision at the forefront for employees so they know exactly what success should look like.
  • Design a plan to influence behaviors broadly. Use project management principles and gain buy-in from individuals who can serve as advocates.
  • Engage employees. While a strong security culture is set from the top down, it takes the entire organization to sustain it. Solicit input from employees: involve them in identifying necessary protective measures, gather their ideas for implementation, and obtain their feedback on the effectiveness of training programs. Share feedback and progress, and provide a steady drumbeat of information and education that supports your security culture vision.
  • Recognize and reward. Maybe it is rewarding people who proactively report suspected phishing and other security incidents. Maybe it is the number of employees who successfully completed a security training module. Maybe it is an improved outcome in email phishing simulations. Maybe it is an improvement in scores on an assessment of employee support for a security culture. When gains are realized, share results with employees and celebrate.

Mending a dysfunctional security culture is a gradual process, something not achieved overnight but certainly attainable. It is a non-linear process that involves gains and setbacks along the way. But intentional focus pays off over time – improvements can be made and measured, positively impacting the protection of vital systems and data. With sustained effort, a positive security culture can be accomplished, eventually moving beyond dysfunction to proactive employee engagement, relationship building, and risk reduction.

Written By

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts a security awareness training and simulated phishing platform with over 65,000 organizations and more than 60 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, he was co-founder of Sunbelt Software, the anti-malware software company that was acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
