“Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.” 1
What is a “security culture” and why do we need one?
A security culture is a series of shared security policies empowered by secure-minded attitudes, instituted across the entire enterprise in ways that bolster a company’s cybersecurity, physical security, and operational security. Regardless of the size of the organization, the same set of basic elements is essential to maintaining a safe and secure environment:
- Lead by example. While each and every employee’s actions can contribute to a healthier security culture, executive management needs to take on a visible role in ensuring that they, too, take security very seriously — and not just when others are watching.
- Create an information technology security policy in which each and every employee understands their own role in helping to ensure a safe and secure environment.
- Keep software and systems current and updated in a timely manner.
- Ensure a policy of granting permissions under the “principle of least privilege.”
- Make security training engaging and bite-sized.
How can the “NIST Cybersecurity Framework” help my company establish a security culture?