homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defence Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Why a Strong Security Culture?
370x370_Lance-Spitzner.jpg
Lance Spitzner

Why a Strong Security Culture?

What is the value of security culture to an organization’s mission?

September 20, 2021

People often discuss the importance of a strong security culture but fail to define what they mean by security culture, and even more importantly, why is it so important, what is the value culture to an organization’s mission? Culture is defined as peoples shared attitudes, perceptions and beliefs. A common metaphor is comparing culture to an iceberg. Like an iceberg, culture is hard to see as most of it is hidden. Like an iceberg, culture is also hard to move. There are decades of research on organizational culture with which we can build on, one of my favorite culture frameworks to start with is the Culture Factor published in the Harvard Business Review.

210910_SpitznerBLog_Picture1.jpg

Image from People Centric Security, by Dr. Lance Hayden

A security culture would be your workforce’s shared attitudes, perceptions and beliefs towards cybersecurity. The biggest drivers of your security culture are often your security policies and how your security team communicates, enables and enforces those policies. If you have relatively easy to follow, common sense policies communicated by an engaging and supportive security team, you will have a strong security culture. If you have complex, overwhelming or intimidating security policies communicated and enforced by an arrogant, punitive or fear-focused security team you will have a weak or perhaps even toxic security culture. Not sure what you have? Here are some of the most common indicators of a strong security culture . . .

  • People feel safe reporting incidents, even if they caused it
  • People include security as part of their job description
  • Employees correct and help their coworkers to be more secure
  • A shared belief that security plays a strong role in your organization’s success
  • People feel comfortable asking your security team questions
  • Frequent requests for trainings or briefings on security, or ask security to become involved in projects early on

If you really want to understand your security culture one of the best measurement methods is a security culture survey. But more importantly, why focus on a strong security culture? Why spend time understanding, building and measuring something as nebulous as this? Two reasons - the first one is obvious, but the other one perhaps not so often considered.

1. Secure Workforce: The stronger your security culture is, the more likely your workforce will exhibit secure behaviors, and as a result your organization will be far more secure. This is critical in today’s environment. The 2021 Verizon DBIR identified people were involved in over 85% of all breaches globally. The human element is a risk every organization needs to be actively managing, and a strong security culture creates a safe environment for that to happen.

    2. Successful Security Initiatives: This is a value many people do not consider or overlook. Think about the many different security initiatives your organization has rolled out, initiatives such as a Vulnerability Management program with IT Operations, DevSecOps training for your Developers, Cloud migration or perhaps a MDM or Password Manager roll-out for your entire workforce. Now think about how many of those security initiatives have failed, stalled or only been partially successful. Now think about WHY? Was it because of the technology selected, or was it because of a breakdown in communications, coordination or partnership between security and other departments?

    Perhaps one group did not understand the value of what was being asked of them, or did not understand their goals or responsibilities? Did the Vulnerability Management initiative fail because of the product selected, or because IT Operations does not trust and were fed up with the security team constantly causing problems with operations? Did the DevSecOps program fail because of the automated security tools selected, or because Developers were tired of the security team constantly pointing problems and issues but never providing any solutions? Did the Password Manager roll-out fail because of the vendor selected, or because the security team failed to explain WHY the workforce should be excited about the solution? Far too often security initiatives fail not because of technology but because of people issues like trust and communication. A strong security culture bridges these gaps, helping ensure your security initiatives are far more likely to succeed, regardless of the technology you use.

      If you are interested in learning more about Security Culture, consider the SANS five-day course MGT521 Security Culture for Leaders.

      ABOUT THE AUTHOR

      Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture and awareness training and is a SANS Senior Instructor. He helped pioneer the fields of deception and cyber
      intelligence with his creation of honeynets and founding of The Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries, and helped over 350 organizations build awareness programs to manage their human risk. He is also on the Board of Advisors for Attivo Networks. Lance is the author and an instructor for MGT433: Managing Human Risk: Mature Security Awareness Programs, and MGT521: Leading Cybersecurity Change: Building A Security-Based Culture, and built the SANS Security Awareness business unit from the ground up over the past 10 years. With the catalyst of COVID-19, Lance created multiple resources for securing humans from home, from those working remotely for the first time or managing newly remote teams, to children learning and playing online. Learn more about Lance here.

      Share:
      TwitterLinkedInFacebook
      Copy url Url was copied to clipboard
      Subscribe to SANS Newsletters
      Receive curated news, vulnerabilities, & security awareness tips
      United States
      Canada
      United Kingdom
      Spain
      Belgium
      Denmark
      Norway
      Netherlands
      Australia
      India
      Japan
      Singapore
      Afghanistan
      Aland Islands
      Albania
      Algeria
      American Samoa
      Andorra
      Angola
      Anguilla
      Antarctica
      Antigua and Barbuda
      Argentina
      Armenia
      Aruba
      Austria
      Azerbaijan
      Bahamas
      Bahrain
      Bangladesh
      Barbados
      Belarus
      Belize
      Benin
      Bermuda
      Bhutan
      Bolivia
      Bonaire, Sint Eustatius, and Saba
      Bosnia And Herzegovina
      Botswana
      Bouvet Island
      Brazil
      British Indian Ocean Territory
      Brunei Darussalam
      Bulgaria
      Burkina Faso
      Burundi
      Cambodia
      Cameroon
      Cape Verde
      Cayman Islands
      Central African Republic
      Chad
      Chile
      China
      Christmas Island
      Cocos (Keeling) Islands
      Colombia
      Comoros
      Cook Islands
      Costa Rica
      Croatia (Local Name: Hrvatska)
      Curacao
      Cyprus
      Czech Republic
      Democratic Republic of the Congo
      Djibouti
      Dominica
      Dominican Republic
      East Timor
      East Timor
      Ecuador
      Egypt
      El Salvador
      Equatorial Guinea
      Eritrea
      Estonia
      Ethiopia
      Falkland Islands (Malvinas)
      Faroe Islands
      Fiji
      Finland
      France
      French Guiana
      French Polynesia
      French Southern Territories
      Gabon
      Gambia
      Georgia
      Germany
      Ghana
      Gibraltar
      Greece
      Greenland
      Grenada
      Guadeloupe
      Guam
      Guatemala
      Guernsey
      Guinea
      Guinea-Bissau
      Guyana
      Haiti
      Heard And McDonald Islands
      Honduras
      Hong Kong
      Hungary
      Iceland
      Indonesia
      Iraq
      Ireland
      Isle of Man
      Israel
      Italy
      Jamaica
      Jersey
      Jordan
      Kazakhstan
      Kenya
      Kiribati
      Korea, Republic Of
      Kosovo
      Kuwait
      Kyrgyzstan
      Lao People's Democratic Republic
      Latvia
      Lebanon
      Lesotho
      Liberia
      Liechtenstein
      Lithuania
      Luxembourg
      Macau
      Macedonia
      Madagascar
      Malawi
      Malaysia
      Maldives
      Mali
      Malta
      Marshall Islands
      Martinique
      Mauritania
      Mauritius
      Mayotte
      Mexico
      Micronesia, Federated States Of
      Moldova, Republic Of
      Monaco
      Mongolia
      Montenegro
      Montserrat
      Morocco
      Mozambique
      Myanmar
      Namibia
      Nauru
      Nepal
      Netherlands Antilles
      New Caledonia
      New Zealand
      Nicaragua
      Niger
      Nigeria
      Niue
      Norfolk Island
      Northern Mariana Islands
      Oman
      Pakistan
      Palau
      Palestine
      Panama
      Papua New Guinea
      Paraguay
      Peru
      Philippines
      Pitcairn
      Poland
      Portugal
      Puerto Rico
      Qatar
      Reunion
      Romania
      Russian Federation
      Rwanda
      Saint Bartholemy
      Saint Kitts And Nevis
      Saint Lucia
      Saint Martin
      Saint Vincent And The Grenadines
      Samoa
      San Marino
      Sao Tome And Principe
      Saudi Arabia
      Senegal
      Serbia
      Seychelles
      Sierra Leone
      Sint Maarten
      Slovakia
      Slovenia
      Solomon Islands
      South Africa
      South Georgia and the South Sandwich Islands
      South Sudan
      Sri Lanka
      St. Helena
      St. Pierre And Miquelon
      Suriname
      Svalbard And Jan Mayen Islands
      Swaziland
      Sweden
      Switzerland
      Taiwan
      Tajikistan
      Tanzania
      Thailand
      Togo
      Tokelau
      Tonga
      Trinidad And Tobago
      Tunisia
      Turkey
      Turkmenistan
      Turks And Caicos Islands
      Tuvalu
      Uganda
      Ukraine
      United Arab Emirates
      United States Minor Outlying Islands
      Uruguay
      Uzbekistan
      Vanuatu
      Vatican City
      Venezuela
      Vietnam
      Virgin Islands (British)
      Virgin Islands (U.S.)
      Wallis And Futuna Islands
      Western Sahara
      Yemen
      Yugoslavia
      Zambia
      Zimbabwe

      By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

      This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

      Recommended Training

      • MGT521: Leading Cybersecurity Change: Building a Security-Based Culture
      • MGT512: Security Leadership Essentials for Managers
      • MGT433: Managing Human Risk

      Tags:
      • Security Management, Legal, and Audit

      Related Content

      Blog
      CurriculumTile_340_x_340.png
      Security Management, Legal, and Audit
      December 9, 2022
      SANS Cybersecurity Leadership Curriculum
      Developing World Class Cybersecurity Leaders
      MGT_Triad_370x370_Headshot.jpg
      SANS Cybersecurity Leadership
      read more
      Blog
      340x340_MGT-Triads.jpg
      Security Management, Legal, and Audit
      January 18, 2022
      SANS Leadership Triads
      Go Beyond Good Enough. Become A Transformational Leader or an Operational Cybersecurity Executive.
      MGT_Triad_370x370_Headshot.jpg
      SANS Cybersecurity Leadership
      read more
      Blog
      Cybersecurity_Leadership_Summit_Blog.png
      Security Management, Legal, and Audit
      October 14, 2021
      A Visual Summary of SANS Cybersecurity Leadership Summit 2021
      Cybersecurity Leadership Summit was a free, virtual event for the community. Check out these graphic recordings created in real-time during the talks.
      370x370-person-placeholder.png
      Emily Blades
      read more
      • Register to Learn
      • Courses
      • Certifications
      • Degree Programs
      • Cyber Ranges
      • Job Tools
      • Security Policy Project
      • Posters & Cheat Sheets
      • White Papers
      • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Cybersecurity Leadership
      • Digital Forensics
      • Industrial Control Systems
      • Offensive Operations
      Subscribe to SANS Newsletters
      Receive curated news, vulnerabilities, & security awareness tips
      United States
      Canada
      United Kingdom
      Spain
      Belgium
      Denmark
      Norway
      Netherlands
      Australia
      India
      Japan
      Singapore
      Afghanistan
      Aland Islands
      Albania
      Algeria
      American Samoa
      Andorra
      Angola
      Anguilla
      Antarctica
      Antigua and Barbuda
      Argentina
      Armenia
      Aruba
      Austria
      Azerbaijan
      Bahamas
      Bahrain
      Bangladesh
      Barbados
      Belarus
      Belize
      Benin
      Bermuda
      Bhutan
      Bolivia
      Bonaire, Sint Eustatius, and Saba
      Bosnia And Herzegovina
      Botswana
      Bouvet Island
      Brazil
      British Indian Ocean Territory
      Brunei Darussalam
      Bulgaria
      Burkina Faso
      Burundi
      Cambodia
      Cameroon
      Cape Verde
      Cayman Islands
      Central African Republic
      Chad
      Chile
      China
      Christmas Island
      Cocos (Keeling) Islands
      Colombia
      Comoros
      Cook Islands
      Costa Rica
      Croatia (Local Name: Hrvatska)
      Curacao
      Cyprus
      Czech Republic
      Democratic Republic of the Congo
      Djibouti
      Dominica
      Dominican Republic
      East Timor
      East Timor
      Ecuador
      Egypt
      El Salvador
      Equatorial Guinea
      Eritrea
      Estonia
      Ethiopia
      Falkland Islands (Malvinas)
      Faroe Islands
      Fiji
      Finland
      France
      French Guiana
      French Polynesia
      French Southern Territories
      Gabon
      Gambia
      Georgia
      Germany
      Ghana
      Gibraltar
      Greece
      Greenland
      Grenada
      Guadeloupe
      Guam
      Guatemala
      Guernsey
      Guinea
      Guinea-Bissau
      Guyana
      Haiti
      Heard And McDonald Islands
      Honduras
      Hong Kong
      Hungary
      Iceland
      Indonesia
      Iraq
      Ireland
      Isle of Man
      Israel
      Italy
      Jamaica
      Jersey
      Jordan
      Kazakhstan
      Kenya
      Kiribati
      Korea, Republic Of
      Kosovo
      Kuwait
      Kyrgyzstan
      Lao People's Democratic Republic
      Latvia
      Lebanon
      Lesotho
      Liberia
      Liechtenstein
      Lithuania
      Luxembourg
      Macau
      Macedonia
      Madagascar
      Malawi
      Malaysia
      Maldives
      Mali
      Malta
      Marshall Islands
      Martinique
      Mauritania
      Mauritius
      Mayotte
      Mexico
      Micronesia, Federated States Of
      Moldova, Republic Of
      Monaco
      Mongolia
      Montenegro
      Montserrat
      Morocco
      Mozambique
      Myanmar
      Namibia
      Nauru
      Nepal
      Netherlands Antilles
      New Caledonia
      New Zealand
      Nicaragua
      Niger
      Nigeria
      Niue
      Norfolk Island
      Northern Mariana Islands
      Oman
      Pakistan
      Palau
      Palestine
      Panama
      Papua New Guinea
      Paraguay
      Peru
      Philippines
      Pitcairn
      Poland
      Portugal
      Puerto Rico
      Qatar
      Reunion
      Romania
      Russian Federation
      Rwanda
      Saint Bartholemy
      Saint Kitts And Nevis
      Saint Lucia
      Saint Martin
      Saint Vincent And The Grenadines
      Samoa
      San Marino
      Sao Tome And Principe
      Saudi Arabia
      Senegal
      Serbia
      Seychelles
      Sierra Leone
      Sint Maarten
      Slovakia
      Slovenia
      Solomon Islands
      South Africa
      South Georgia and the South Sandwich Islands
      South Sudan
      Sri Lanka
      St. Helena
      St. Pierre And Miquelon
      Suriname
      Svalbard And Jan Mayen Islands
      Swaziland
      Sweden
      Switzerland
      Taiwan
      Tajikistan
      Tanzania
      Thailand
      Togo
      Tokelau
      Tonga
      Trinidad And Tobago
      Tunisia
      Turkey
      Turkmenistan
      Turks And Caicos Islands
      Tuvalu
      Uganda
      Ukraine
      United Arab Emirates
      United States Minor Outlying Islands
      Uruguay
      Uzbekistan
      Vanuatu
      Vatican City
      Venezuela
      Vietnam
      Virgin Islands (British)
      Virgin Islands (U.S.)
      Wallis And Futuna Islands
      Western Sahara
      Yemen
      Yugoslavia
      Zambia
      Zimbabwe

      By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

      This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
      • © 2023 SANS™ Institute
      • Privacy Policy
      • Contact
      • Careers
      • Twitter
      • Facebook
      • Youtube
      • LinkedIn