GUEST ESSAY: Why corporate culture plays such a pivotal role in deterring data breaches

Picture two castles. The first is impeccably built – state of the art, with impenetrable walls, a deep moat, and so many defenses that attacking it is akin to suicide.

The second one isn’t quite as well-made. The walls are reasonably strong, but there are clear structural weaknesses. And while it does have a moat, that moat is easily forded.

Related podcast: The case for ‘zero-trust’ security

Obviously, on paper the castle with better defenses is the one that survives a siege. But what really makes the difference here is the people manning it. See, the soldiers in the second castle are unquestionably loyal to their king. While in the first castle, there is a turncoat in the ranks.

As you’ve probably surmised, the castles are meant to represent a business’s security infrastructure.

The soldiers are a business’s employees. Unless the two are in alignment with one another – unless your employees care about keeping corporate data safe and understand what’s required to do so – your business is not secure.

People power

It doesn’t matter how strong your walls are. It doesn’t matter how much money you invest into point solutions and hardened architecture. It doesn’t matter how many people you hire to man your IT department. Having strong security infrastructure is all well and good, but you cannot afford to forget your people. They are, and always will be, the weakest link in your security posture.


You need a corporate culture geared towards cybersecurity to provide the foundation for everything else. For that culture to be sustainable – for it to really resonate with your staff – it needs to possess a few key qualities. Here’s a good guide, according to TechBeacon:

•It must disrupt the established, ‘traditional’ way of doing things. A cybersecurity culture is change-driven at its core. As such, it must be deliberately structured to promote change – to allow the organization to adapt to the changing security landscape.

•It must be engaging and fun. Cybersecurity is too often looked at as painfully boring drudgery. Your goal is to reframe it – to make it something your workers want to get involved in. How you achieve this depends on your organization, but it does require that you know your staff fairly well.

•It must be rewarding. People should have the opportunity to pursue new careers within your organization based on their security expertise. People should be recognized for their contributions to improving your business’s security posture. People should, in other words, get something in return for participating in this new culture.

•It must provide a return on investment. In this case, what’s meant here is that it must in some way enhance your business’s security – it must make it easier to effectively keep your data safe.

Focus on basics

As for how one instills such a culture? Start from the top. The leadership of your organization must lead by example here – they must demonstrate and communicate the importance of cybersecurity and promote it at every opportunity.

From there, it’s a matter of establishing the right processes, programs, and procedures. A knowledge-base that’s understandable and accessible to all staff. Well thought-out protocols related to access control, breach management, and device usage. Training and security awareness initiatives that get people interested in and passionate about cybersecurity.

Amidst all this, make sure you also focus on the basics. On a strong password policy and an authentication process that doesn’t impede your workers. On network monitoring and endpoint management.

Finally – and here’s the most important part – talk to your staff. Engage with them about the weaknesses they feel exist in your approach to cybersecurity. Find out their pain points, work to address them.

Because at the end of the day, collaboration is the key to making all this happen. Only by working together can we ever hope to keep our assets, our people, and our businesses safe from cybercriminals. Only by working together can we truly promote a culture of cybersecurity.

About the essayist: Max Emelianov is CEO of HostForWeb, a Chicago-based web hosting services provider.


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: