How to create a security culture: 5 steps to success

Cyber security is as hot a topic as ever in business – the UK’s cybersecurity agency found that 78% of businesses rate it as a top priority.

At ThirdSpace, we recognise that evaluating the security posture of your organisation can be complex and very time-consuming. It can be even harder to communicate your position and investment requirements at board level.

But by engaging the technical, operational, and cultural parts of the business, we help create a thorough understanding of any challenges, processes and behaviour. While John talks to IT to get a tech overview of the security posture, Harini talks to the people to get both an operational and cultural overview.

A typical starting point for us is to conduct a current state assessment. This involves a team of experienced consultants and support analysts, using a variety of analytical tools to define an up-to-date security and compliance posture score for your business. At the end of this assessment, we provide an easy-to-use visual dashboard highlighting your security posture and a detailed remediation roadmap to address any concerns.

An example of a ThirdSpace security report

But sometimes the best force for change can come from within. Here are five steps you can use to create a successful security culture.

1. User impact

The first step is understanding the impact these changes will have on your employees. Successful adoption doesn’t focus on just tools and processes – it uses a people-centric approach.

Keeping a people-centric approach, we recently helped a recruitment company ensure they enabled their employees to be collaborative and productive while improving their security posture. After an initial security assessment, follow-on support and strategy workshops, the organisation successfully introduced tools and technology that made them more secure.

What you can do as

CEO: Engage with your board on taking a people-centric mindset and understand how the changes can impact employees at the start of the project.
IT manager: Use a security dashboard to understand your immediate security gaps and think about how you can improve your user experience across the different personas within the organisation.
Firstline worker: Take a proactive approach to change and take part in workshops. Feed back to your manager/teams while the project is ongoing.

2. Address resistance

Let’s face it, people have a natural resistance to change. Organisations need to plan for resistance. However, by showing employees the benefits of change and how it can enable them to work smarter, they will be more likely to accept change and get involved early on.

Employees can often find multifactor authentication (MFA) annoying and are resistant to using it. However, according to Verizon’s data breaches survey, 62% of attacks were caused by compromised credentials. An organisation needs to use MFA to prevent any credential attacks. Some people may need more support learning to get the best from the tool. Others may just need to be shown why it’s so important to use.

What you can do as

CEO: Create hypothetical personas of different types of resistance and plan how to overcome it as a business. Convert those most resistant into champions of change. Evangelise the importance of security with the personas who are most resistant and reward those with minimal resistance.
IT manager: Run workshops to help showcase the benefits of new tools or processes. Offer assistance for those who need extra help or seem resistant.
Firstline worker: Understand that change may seem difficult at first, but will in the long run help you become more productive, collaborative, and secure. Discuss changes and security with colleagues and offer assistance to those who need more understanding.

3. Raise awareness

Figure out your organisation’s highest priority and what would have the biggest impact, and then wrap it into a campaign. Ensure you get the message clear from the start. Mention the current security posture of the organisation and how it can be improved. Be honest and transparent about any breaches or failings – this will cause employees to be more vigilant and aware that it happens to everyone – not just something you read about in the news.

What you can do as

CEO: Honest communication is key. Talk about any real or hypothetical failings from a lack of security culture and the changes both you and the business are making as a whole.
IT manager: Run campaigns with security-positive messaging. For example, phishing attacks are the most common attack vector. Have a campaign where you send a fake phishing link to employees – if they click the link it takes them straight into your training platform to develop their skills and understanding.
Firstline worker: Keep up to date with your organisation’s security posture. Take an active part in training and encourage co-workers to do the same.

4. Training

Perhaps the most important step – training should be available for all employees, cover a wide range of topics and address new security threats as they arise.

Make training flexible and encourage employees to learn at their own pace. Ensure each course is relevant for the employee and their specific role and identify which courses are a high priority.

A ThirdSpace adoption roadmap for Teams and OneDrive

What you can do as

CEO: Don’t just talk the talk. Ensure you and your C-level staff take an active and visible part in training to show the importance of a positive security culture.
IT manager: Change won’t happen overnight. People need to hear things up to seven times for it to really stick. Have different training methods to support different ways of learning, whether that’s on-demand or in-person, and ensure your training is updated as the threat landscape changes.
Firstline worker: Take time to do security training and ensure it stays up to date. Encourage others to do the training. Share your feedback if you think the training isn’t relevant or needs updating.

5. Rewards and recognition

The reinforcement of change is really important. Make sure both operational and adoption sides of the project are supported. Identify and keep champions of change involved in the process to ensure it stays topical in the business.

Try and praise end users too. Recognise when they continually refresh their security knowledge. To have a successful security culture you have to ensure it doesn’t stay stagnant.

What you can do as

CEO: Communicate security wins and updates throughout the project. Reward success both company-wide and among security champions to encourage everyone to take part.
IT manager: Continuously keep employees up to date with security news, new productivity tools and any training. Create a team of champions to keep cybersecurity topical.
Firstline worker: Take part in schemes that help you keep up to date with the latest security threats.

More than tools

A mobile, productive workforce needs seamless access to documents and data irrespective of where an employee is and what device they have. What you have then is a complicated landscape where you need to balance the day-to-day running of the business with securing data and mitigating risk.

Creating a successful security culture in an organisation is more than inputting a few new tools and processes – it’s not a ‘one and done’ operation. Organisations need to understand that security is an ongoing journey, and you need to engage all employees to ensure it stays successful.

About the authors

John Hur is an experienced Microsoft architect, specialising in the design, planning and deployment of large-scale enterprise architecture, with a specific focus on modern productivity, security and management as part of the Microsoft cloud technology stack. His core skill set focuses on Microsoft 365 and Microsoft Azure.

Working with ThirdSpace, John is an experienced Microsoft 365 and Azure architect. He offers consultancy, advisory services, business value workshops, proof of concepts, business transformation strategising, solution design, planning and delivery of hybrid infrastructure and services.

John was also chosen by Microsoft to become a P-TSP (Partner Technical Solutions Professional) in both Microsoft Office 365 and Enterprise Mobility + Security.


Harini Bandara is responsible for the Business Transformation Practice at ThirdSpace, making sure technology projects are delivered with the employee’s needs in mind.

Harini helps our customers to adopt the technology and transform their ways of working to stay secure and current in a world of fast-paced change.

Before joining ThirdSpace, Harini had many years’ experience in delivering change programmes as a Business Change Consultant and Digital Transformation Architect working for another Microsoft Gold Partner.