Instituting a Security Culture

“Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.” 1

What is a “security culture” and why do we need one?

A security culture is a series of shared security policies empowered by secure-minded attitudes, instituted across the entire enterprise in ways that bolster a company’s cybersecurity, physical security, and operational security. Regardless of the size of the organization, the same set of basic elements are essential to maintaining a safe and secure environment:

  1. Lead by example.  While each and every employee’s actions can contribute to a healthier security culture, executive management needs to take on a visible role in ensuring that they, too, take security very seriously — and not just when others are watching.
  2. Create an information technology security policy in which each and every employee understands their own role in helping to ensure a safe and secure environment.
  3. Keep software and systems contemporary and updated in a timely manner.
  4. Ensuring a policy of granting permissions under the “principle of least privilege.”
  5. Make security training engaging and bite-sized

How can the  “NIST Cybersecurity Framework” help my company establish a security culture?


  1.; page “v”