Moving Beyond Security Culture Bottlenecks

Creating and maintaining an effective security culture is the holy grail for many, if not all, organizations in this era of security breaches and heightened privacy concerns among employees, customers and other key stakeholders.

But despite their best efforts, many struggle to create a strong security culture. Even those that do often fail in their efforts to sustain that culture over time.

It’s not easy. There are many sticking points that can challenge even the most security-conscious and safety-savvy organizations. Here we look at five security culture sticking points and bottlenecks that can get in the way of creating and sustaining a strong security culture.

1. Personal Biases and Blind Spots

Humans are not rational beings. The decisions we make on a daily basis are based less on reason and reality than on habit and preconceived notions. These are often based on past experiences or may even be baked-in as part of our upbringing or peer groups.

These biases affect us in many ways—including how we handle data security. Our immersion in our own culture creates biases and blind spots, allows for miscommunication and misinterpretation of motives, and can nullify an organization’s otherwise well-intentioned and well-designed security program.

2. Misguided Thinking Around Policies and Regulations

Policies and regulations are generally the most-used tools companies employ in their battle to divert security threats. But policies and regulations also are generally the least effective tools for protecting company and customer data. It’s not that policies don’t work, but that they’re often poorly conceived, drafted and implemented.

If your people aren’t following your security policies or using the proper tools or procedures to perform certain actions, then it is likely that your policies, processes or tools are somehow conflicting with human nature and blocking their ability to perform their jobs effectively.

3. Failure to “Walk the Talk”

Leaders—your employees are watching you, whether you know it or not. Your actions—or inactions—have a big impact on their own behaviors. If you say that security is important but blatantly ignore basic security protocols and exercise poor judgement—leaving sensitive information on computer screens while taking “just a quick break”, holding the office door open to let employees enter secured areas without badging in, or deeming your time too important to be bothered to participate in security training—then your efforts will fail.

Your employees will quickly discern whether you believe and behave according to the norms you’re evangelizing or if you’re just giving them lip service. If you fail to walk the talk, your employees’ behaviors may get worse, not better.

4. Failure to Embrace a Continuous Improvement Model and Mindset

The world around us changes rapidly, and we need to change along with it. This is particularly true when dealing with technology. Technological advances are ongoing, as are efforts by hackers to break into your systems. The hack attempts you’re trying to fend off today won’t be the same as the problems you’ll need to solve tomorrow. Culture drifts. If you aren’t continually striving to adapt and move forward, you’re falling behind.

5. Working Against Human Nature

One of the greatest sticking points in creating a sustainable security culture—and, arguably, the most difficult to overcome—is human nature. Too often, the steps that organizations take to build a strong security culture are contrary to human nature. If you try working against human nature, the chances of failure are high. If your security program sends out a lot of great information but your people don’t change their behavior, it’s because you haven’t given them a reason to care. If your people aren’t following your security policies or using the proper tools or procedures to perform certain actions, then it is likely that your policies, processes or tools are somehow conflicting with human nature.

No amount of knowledge has ever prevented a data breach; it is only what someone does at the point of decision (with or without specific knowledge) that will prevent a breach or allow a breach to happen. Everything you do needs to account for human nature.

These are the top five security culture sticking points that can get in the way of creating and sustaining a strong security culture. Identifying, understanding and taking steps to eliminate these sticking points and remove bottlenecks can help you build and sustain a strong security culture and achieve the results you’re looking for. There’s no magic bullet that will immediately unglue these sticking points, but a program should begin with regular security awareness training and education sessions, supported by practical strategies such as phishing simulation exercises.

Keep in mind, though, that this is not a one-and-done event. It’s an ongoing process that needs to be continually reviewed, modified, adjusted and reviewed again.

Perry Carpenter

Perry Carpenter (author of "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors" and host of the "8th Layer Insights" podcast) currently serves as Chief Evangelist and Strategy Officer for KnowBe4.