08.07.2024 | Markus Günther

Security Culture is more than Awareness


In its latest report, the Cyber Safety Review Board (CSRB), a special commission of the US government, found Microsoft to have an “inadequate security culture”. This was identified as a major cause of a massive global security incident in 2023. While such a clear, public indictment is surprising, it shows what can happen if this part of the corporate culture is given too low a priority.

What’s behind the term “security culture”

Security culture is an integral part of corporate culture. It exists in every company, but can take different forms, both positive and negative. A highly developed security culture is characterized by a high presence of positive features. These characteristics can be visible or invisible and depend on the size and type of organization. Visible characteristics include, for example, regular security drills, clear and documented security policies, and training and education for employees. Invisible characteristics include a strong security awareness mentality and an open communication culture regarding security issues. A federal authority has different characteristics than an SME, as it is exposed to different risks.

Characteristics are also differentiated according to their mode of action: there are guiding as well as resulting characteristics.

For example, a written statement from the management on the importance of information security for the organization has a guiding effect, as it provides orientation and serves as a reference for decisions.

On the other hand, negligent handling of authorizations can be seen as a result.

Security culture therefore goes far beyond mere compliance with regulations. It encompasses the values, attitudes, beliefs and behaviours of an organization in relation to security. A positive security culture promotes an environment in which managers and employees actively strive for security and recognize and report risks. They also proactively take measures to mitigate risks rather than ignoring or downplaying them. The pivotal point is the attitude communicated by top management. A positive error culture that enables all employees to develop further is also part of it.

Promoting culture instead of just creating awareness

Awareness of specific risks is an important component of a good security culture, but it is not the only one. Other key pillars include effective communication, well-defined processes and committed leadership. A positive culture leads to awareness, and awareness in turn promotes the further development of such a culture. However, the individual situation of the employees must be taken into account. The guiding principle of “one size fits all” lumps all employees together and does not address different needs, which in practice hardly reduces risks and turns security into a mere compulsory exercise.

The temptation of the “one size fits all” approach

There is a great temptation to rely on a “one size fits all” approach: One-off measures plus phishing simulations are implemented to mark awareness among employees as “done”. This may work in homogeneous environments with standardized workplaces. In heterogeneous environments, however, this leads neither to high maturity nor to actual risk reduction, but to a pure compliance measure with no effect.

Two manifestations of the “one size fits all” approach:

  1. superficial: all topics are covered superficially in order to save time. Relevant topics are not properly conveyed, while irrelevant topics cause confusion.
  2. in-depth: intensive teaching of all topics, but time-consuming and without taking individual learning needs into account.

Challenge: More than 50,000 employees

This was precisely the challenge faced by one of our clients with over 50,000 employees in different language and cultural regions and a changing IT landscape. We found maximum heterogeneity in the respective working environments - from office-based employees to train drivers equipped only with mobile devices to specialists in railroad technology in industrial plants.

Solution: Adaptive Awareness

We successfully implemented the principle of adaptive awareness via the first line, i.e. the line managers.

Success factors:

  • Responsible managers
  • Clear expectations of the company
  • Dashboard for transparent and measurable risk management/monitoring
  • Straightforward risk management tools for managers
  • Individual learning profiles for interested employees
  • Continuous further development of learning content

Advantages:

  • Individual target group approach
  • Targeted measures at risk hotspots
  • Effective and efficient risk reduction
  • Autonomy for managers
  • Internal competition through comparability

What has the customer received?

The overall package created a cultural movement that had a lasting impact on the company and brought the question “What does safe behavior look like?” to the forefront.

Through the consistent application of the processes and tools provided, employees are permanently transformed into well-prepared sensors that recognize and report unusual observations at an early stage. This enables a rapid response to potential threats and significantly increases overall security in the company without disproportionately increasing the costs incurred.

What is Temet’s contribution?

We have taken on the design of a new solution. An in-depth analysis of the customer’s situation was followed by a customized solution design, support from various committees and implementation until a cultural shift was finally felt.

Security culture - a journey

Culture encompasses what people in an organization believe, consider important or unimportant, even if they are not subject to end-to-end control. No organization is static. While new employees bring new ideas, they also need to be convinced of existing values.

Changes at management level can be particularly challenging, but also beneficial. A shift in priorities and budget cuts can exert considerable pressure on a cultural movement. Technical changes, such as a conversion of the IT infrastructure to cloud services, can bring new risks, but also opportunities.

Regulatory requirements, such as those imposed by FINMA in the form of on-site inspections, can set new priorities and ensure that resources are tied up elsewhere for a limited period of time.

Security incidents can be setbacks, as they reveal weaknesses that were thought to be closed or non-existent. At the same time, however, they provide an opportunity to identify and close previously undiscovered gaps and remind the organization of the importance of continuous development.

Due to this dynamic, we recommend regularly examining whether and how the organization’s own security culture is developing in order to promote it and thus actively reduce security risks. This allows the organization to carry out its tasks undisturbed.

Where does your security culture stand? Three questions you should ask yourself:

  • What is the management’s written stance on security?
  • How does my line manager deal with it?
  • Do I dare to ask a question or report an observation?

Side note: At the beginning of May, Microsoft CEO Satya Nadella responded to the shortcomings identified and made it clear in an internal memo that security should be the top priority for the company in all future decisions.

About the author

Markus Günther has been working in cybersecurity for almost 10 years. After working as a SOC analyst and IT security officer, he now focuses mainly on the further development of the security culture. He also carries out audits and assessments for our customers.

Markus Günther, Senior Security Consultant