IT leaders are constantly struggling to build a “culture of security” but perhaps the real problem is a lack of culture building throughout the organization in general.

I’ve seen many attempts to build this ever elusive “security culture” that Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) dream of. Nevertheless, cyber practitioners are regularly slapping their foreheads at the malicious links and downloads the end users click on that, to the security professional, seem so obviously dangerous. Most of the time this is chalked up to the ignorance of users and undoubtedly that is a contributing factor.

But many times there is another, deeper, issue at play; the employees just don’t care.

And why should they? If the organization is hit with a ransomware attack many employees may just find themselves with some extra hours with little to do. If money is stolen from the organization it may not actually impact their pay check at all. If client PII is stolen, it won’t necessarily harm the employee.

This may seem like a pessimistic view of our team members’ investment and it is probably a bit exaggerated, but I have heard employees make statements identical to these and many more express a general lack of security concern. Why is that? It’s not a security culture problem, it is a culture problem.

Here are a few hard truths IT and business leaders need to accept:

Employees won’t care about security unless they care about the organization

Business owners care about the business because they build it and own it. They are directly tied to its success or failure. Security risks mean more to them. The average employee may not share the same connection to the organization. If it fails, they may have to look for another job but that investment is likely far less than what an executive has. If you want team members to care about security you must help them to care about the organization as a whole.

Employees won’t care about the organization unless the organization cares about them and provides them with purpose

This observation is the logical next step. Employees need to feel intimately connected with the organization in order to care about security, and that won’t happen unless they feel that they are cared for by the organization and they share purpose in the organization. That is to say, they see the value that is being provided to society by both the business and their personal work.

Employees won’t care about security unless they understand the risks to the company and how that risk impacts them

Only after the first two issues are addressed can security awareness and training actually begin to take place. Many business leaders want to start on this point but, as has been demonstrated, they are several steps ahead of their team members and the training is going to fall flat. Additionally, many user training programs today fail to connect the risks to the organization with the employee personally. User training should not be so generic that the user does not understand that clicking that link or downloading that malicious file may seriously harm their particular area of work and employment. Training needs to be generic enough to cover many types of threats but specific enough to show personal impact.

Cybersecurity must be directly connected to the mission of the organization

Ultimately, for a culture of security to permeate an organization security must be shown to have a direct connection to the overall mission of the business. For instance, if you are part of a medical organization then your mission may be to provide life improving health services to those in need. Security training ought to be associated with the continued ability to provide those services. A significant enough cyber attack can lead to down time (i.e. people that could not be helped) and financial failure of the organization (i.e. complete mission failure for the organization and the employee’s end of employment).

Building a security culture is only possible as an outgrowth of overall culture growth efforts. Attempting to bypass the need for a people and mission centric focus throughout the organization is to accept that your people will never really care enough about the organization to care about its security.

Justin McCorkle is the Director of Business Development for Tuearis Cyber, offering Professional and Managed Cyber Services. You can find out more about their services by visiting