The New Need for A Company Culture of Security

The New Need for A Company Culture of Security

Just like a fire in your office building, cyber attacks are the 21st century version of catastrophic loss to your business. Your first line of defense is awareness and avoiding the pitfalls behind the myths.

In the early 20th century, the lack of fire preparedness resulted in catastrophic losses until building and safety codes were routinely instituted. Just like a fire in your office building, cyber attacks can disrupt operations, have negative financial impact and damage your credibility with customers because of the perceived inability to keep their information safe, as well as the inability to respond to their needs.

Prevailing myths about cyber security are contributing factors to the lack of cyber security preparedness. Let’s examine some of the more common ones.

MYTH #1: “I am not a target.”

But if you have a computer and a bank account, you are.

MYTH #2: "I can’t afford to be completely secure like the big companies.”

It is not about being completely secure but doing the things that make you less attractive as a target. It’s about being robust in your security instead of having the unrealistic expectation of complete security. Conversely . . .

MYTH #3: “I’m doing X (firewalls, antivirus, etc.), therefore I’m secure.”

Complete security is a myth. It’s good to have X, but you need a combination of tactics to be as secure as you can be.

MYTH #4: “IT has it handled.”

Do you really know how secure you are? Does IT know how secure you want to be and need to be?

Because technology has become pervasive throughout our organizations, attacks are also becoming pervasive throughout as well. Consequently, cyber security has become a business need you cannot simply relegate to IT or finance. We need to change the mindset that security is “tolerated” only as long as it doesn’t interfere with normal business.

So what does a culture of security look like? Well, it might look like a three-legged stool of awareness, action and attitudes.


Cyber security must be embraced by senior leadership and actively supported, nurtured and even lived by the senior leadership. Because these attacks can occur anywhere in your organization, everybody needs to be educated about potential threats and how to recognize them.


It is counter-productive to punish people when an attack happens. We’re better served by being proactive and cultivating an atmosphere based on action. If you see something, say something, because you never know if it might be a potential attack. This needs to be prevalent throughout the organization because so many attacks use social engineering. For example, it might be an email that looks like it comes from your boss asking you to wire them money. So when one person in the company sees it and sounds the alarm, it might prevent someone else in the organization from falling victim.


More complex passwords that change periodically, multi-factor authentication such as tokens and fingerprints and segregation of duties and access to information are all tactics proven to dramatically increase security but which are commonly perceived to get in the way of business. Tolerance for these “inconveniencies” helps encourage robust security.

How do you get such a culture of security? There are a number of best practice frameworks to choose from. It is also helpful to find an expert who can help you instill a security mindset into your culture by including security in strategic planning, communicating security-related information on a regular basis and recognizing people who are doing a great job in being secure.

John Burgess
President & Chief Security Officer
Mainstream Technologies Inc.