This blog was written by John Grancarich, Chief Strategy Officer for Fortra.

Businesses and governments spend hundreds of billions of dollars on security solutions to fend off the increasing number of ransomware attacks, data breaches, and other security threats. The most common approaches include enhancements to cloud security, data protection, identity management, and network security. These security tools are built to raise alerts for evaluation, allowing organizations to identify potential issues early.

Yet, despite all this spending — and all the sophisticated controls — the humble phishing email has remained stubbornly successful even with its hallmark misspellings and weird grammar. I suggest that the proper reaction to this is not frustration or asking how foolish someone could be, but rather, to ask, “Why?”

Why does this continue to happen, and what can we do to improve it? This question will become increasingly urgent as it’s only a matter of time before AI ensures these phishing emails are all perfectly well written and even harder to spot.

The Foundation of an Effective Security Culture

We must challenge ourselves to ask how we can enable the ultimate security control — our people — to be consistently successful in the face of the constant cyber-attack attempts in both their personal and professional lives. Here’s where the culture piece comes in, and specifically security culture. What do we need to do to foster a healthy culture grounded in continuous learning and improvement?

To start, here are three strategies we can embrace to improve our existing security cultures. The total monetary outlay involved? Zero.

Strategy One: Create Psychological Safety

Psychological safety refers to a shared belief within a team that it’s okay to take interpersonal risks. This means individuals feel comfortable expressing their thoughts, asking questions, or admitting mistakes without fear of being embarrassed, criticized, or punished. It’s something we adhere to every day at Fortra for all employees.

The concept was popularized by Harvard Business School professor Amy Edmondson, whose research identified psychological safety as a top factor in high-performing teams. The key is this: we shift our perspective so that errors are seen as opportunities for learning rather than grounds for blame.

Strategy Two: Find the Why

Some time ago, I read a book called “The Toyota Way.” It describes the famous Toyota production system and the company’s journey to becoming the standard in automobile quality.

Part of this philosophy includes something called the Andon cord above each employee on the assembly line. They can pull that cord at any time to stop the entire line when they see an error or defect. No judgment. Just people mobilizing to learn more and to improve together.

Toyota paired this stop-the-line practice with a root-cause technique that became known as the Five Whys.

This system of inquiry focuses on learning the root causes of the problems to be solved instead of concentrating only on the symptoms: ask why the failure happened, then why that cause was present, and keep asking until the underlying condition is found. Imagine what would happen if an employee clicked a link in a phishing email and we gathered to learn more and get better instead of simply trying to tune a security control or place blame.

Strategy Three: Embrace Continuous Learning

Continuous learning has a prerequisite: accepting the work of improving security culture will never be completed. Constant forward evolution is essential. We must think of it as turning a dial slowly and consistently over time. The dial never reaches its maximum point because the terrain is always shifting — think new security threats and changing personal factors.

Therefore, the goal is continued progress and positive momentum. One way continuous learning is becoming part of the technological answer is through the growth of machine learning, including the much-discussed generative AI, and through ensuring that our tools continuously learn from and adapt to the data being fed to them.

Another way is ensuring that our people and our culture don't see tools as the only answer to the problem. The tools used in an organization can shape its culture, and the wrong culture can reduce the effectiveness of those tools. Look for providers whose tools and recommendations support building a culture of security rather than simply addressing issues in a technology silo.

Creating a Stronger Security Culture

We all need to recognize our own critical importance as individuals as we actively help solve cybersecurity problems. In my view, the promise of AI is very real, and we all need to learn how to leverage it at a transformational level over time. Culture is the foundation on which we should build these new capabilities. I’d encourage you to start this endeavor by thinking about your current security culture and how you can begin turning that dial toward the future.

How Fortra Can Help You Build a Security-First Culture

Employees are humans. And humans make mistakes. Learn how you can partner with Fortra to build a security-aware culture that helps protect your business.

About the Author
Fortra's Alert Logic Staff
