
True Security Culture Constitutes Only Mindsets!

DQI Bureau

People often ask nowadays, “What constitutes a true security culture in an organization and how can an organization work towards enabling such a culture?” The answer to this is monosyllabic: ‘mindset’.


Interestingly, in ‘mindset’ lies the key to evoking and implementing a true security-linked culture. For the right ‘mindset’, an organization has to make a transformative journey through 3 key stages on a continuum.

The 3 Key Stages

In the 1st stage, which is about creating the security baseline, an organization begins to implement some security-linked controls and creates awareness about security challenges.


The majority of information security threats result from vulnerabilities created by users within an organization, which are then exploited by either internal or external factors. The threats are compounded when there are inadequate security-linked controls within organizations. Adequacy of information security-linked processes, people, and technology is key to establishing the first line of defense for organizations.

In the second stage, an organization expands its portfolio of security-linked controls and starts to position security as a key business support driver. Interestingly, this is a stage wherein an organization positions itself to tilt its culture to embrace security in a comprehensive manner. This is the stage that most large Indian organizations are in today.

They have established adequate policies, processes, technology, and controls and have transitioned employee thinking from awareness to education on security. In the final stage, an organization has not only embraced but also internalized security as a way of working.


This can be described as security utopia. Herein, the organization and its employees are directed towards proactive security risk management for all their information assets. A true security culture is not a zero-tolerance approach to security breaches or violations. It is rather a ‘mindset’, wherein security becomes a priority and also an intuitive way of working for employees and departments, limiting the impact of any security breach.

Organizations at this stage of the continuum have three distinct characteristics: Firstly, the ownership of security is not restricted to a few individuals but is shared by each individual in the organization.

Secondly, the approach to security decision-making has moved from being top-down to a hybrid structure born out of an understanding of the complexities and nuances of the emerging security threats and consequent response requirements.

Thirdly, the organizations use security as a competitive enabler and differentiator in the marketplace.
