Cultivating a culture of information security


Data flows through every organisation and is used by everyone in some shape or form. In today's sensitive security landscape, it is therefore more important than ever to keep data protection a top consideration, so that it can be tackled effectively.

However, encryption technology, firewalls and other tactics can only go so far to protect an organisation’s data; an information security culture is just as important, if not more so.

If organisations fail to get company culture right they are just fighting a losing battle, especially with the arrival of the General Data Protection Regulation (GDPR).

Formally passed on 14 April this year, the GDPR is designed to better protect citizens' data and harmonise legislation across Europe.

With the regulation comes a number of new guidelines for organisations in relation to personally identifiable information (PII).


As a result, it’s vital that organisations take security, compliance and good governance seriously.

However, how can organisations ensure a cultural appreciation of good security hygiene is instilled within their business?

Creating a secure culture

Historically, businesses have viewed information security as something that is very much a function of information technology, rather than a function of business.

This is one of the biggest changes that needs to take place in order to secure a business and ensure compliance with the GDPR.

Organisations need to think about information security as a business enabler: something that creates competitive advantage, allows them to manage risk, and protects the capital they invest in building a brand.

This change in mindset is the first step to achieving a best practice approach to IT security.

What's more, businesses need to introduce sound security procedures and ensure that all personnel look at everything through a lens of data security, because it is vital to have a clear view of everything that could possibly affect security.


Everyone within the business needs to think about what they do day to day, to make sure they behave in a way that benefits the company as a whole and does not put security or compliance in jeopardy.

A culture of information security is really a set of behaviours, and everyone in the business needs to buy into that culture.

Information security professionals have a huge part to play when it comes to cultivating this security-first ethos.

They need to speak the language of the boardroom so that they can clearly explain the commercial benefits of behaving in a secure way.

It’s vital for non-executive directors to have a firm grasp on the security hygiene of their company and the potential risks posed, as ultimately they are the ones who are accountable.

What it comes down to is having the right people, processes, technology and, most importantly, culture in place to protect the business, and this starts at the board.

Trusted partners

A culture of information security needs to extend to all aspects of the business to be effective.

As a result, organisations must do their due diligence when selecting a supplier. It is critical that businesses can get a handle on where their data is, how it is stored and who has access to it.


Businesses can gain a competitive advantage by working with a cloud service provider (CSP) that values security. This is even more important when an organisation’s customers reside in sectors that constantly evaluate security, such as financial services and government.

Under the GDPR and with the introduction of the data protection officer (DPO), supply chains are going to be tested to make sure data is being handled in the correct way.

Ultimately, without a secure framework in place throughout your business, people are less likely to want to do business with you.

The GDPR provides a framework that encourages organisations to evaluate whether or not they are behaving in a secure way.

As a result, the regulation is a real opportunity to change the way that information security is approached and it should be welcomed by all businesses.

By embracing a culture of information security, organisations will be more competitive, can manage risk, protect their brand, and innovate in a controlled way.

This in turn will allow organisations to compete at a European level: once the GDPR comes into force, organisations will need to be compliant with it in order to trade with other European nations.

Security can no longer rest on the back burner; instead it needs to be at the forefront of a business's operations and culture.


Sourced by Phil Bindley, CTO at The Bunker

Nick Ismail