
Why A Security Culture Beats Security Compliance Every Time


It is that time of year again when many writers, blog posters, sales champions, and other crystal ball owners try to predict events for the coming year. So here is one that anyone can predict – security breaches, reported and unreported, will increase this year. Prognosticators have been saying that every year since 2000, and for 22 years they have been correct. Given that track record, why should they say anything else?

The Why

One question is – Why? Why do breaches continue to grow every year? The obvious answer is that hacking pays. Unfortunately, that is true and it pays because all of the compliance efforts, rules, policies, procedures, services, hardware, software, and so on that are deployed to stop hackers only work when people do not actively work around them. One example my security friends use is that they build the brick buildings, install the fire extinguishers, and teach people how to be safe, but there are always rule breakers who show up with gas cans and matches.

The How

Another question then must be – How? How do you stop the people from bringing gas cans and matches? Applied to IT systems, how do you stop people from clicking on random links that just appear in email, texts, chats, and other hacker front doors? Clearly, you need the appropriate security infrastructures, equipment, services, etc. However, you also need to make the rule breakers pay.

How do you make the rule breakers pay? As an IT professional, you do not, you cannot. Endangering the entire organization, every customer’s data, and every employee’s paycheck because you wanted to click on the cat picture has to be forbidden by the organization culture that exists inside. Creating and maintaining a security culture goes beyond the scope of IT roles and responsibilities. More correctly, organization culture cannot be created by IT or Security teams alone.

Organizations that create and maintain an internal security culture do not make the news headlines. Why? Hackers prefer easy targets, and there are still so many easy targets to breach that spending time convincing an employee to go against the organization’s security culture is just not worth it. Perhaps it is more correct to say those organizations do not make headlines as often, given that nothing is foolproof.

The idea that a security culture can reduce the number of successful hacks might spark the question, how do you know if you have a security culture? The answer is not complicated or complex. You know if you do and if you are not sure, then you do not. While the answer may seem obvious or not quite helpful, remember that the first step toward fixing a problem is to recognize that the problem exists. Moving beyond just knowing, a few questions might help you evaluate where security fits in your organization’s culture:

  • Did you have more breaches last year than the year before?
  • If you asked ten employees how to report suspicious email, would two or more not know?
  • When a new employee asks why security matters, do they ask IT versus a team member?

If you answered no to all of the questions, congratulations: your organization is on the path to a culture of security. If your answer is yes to one or more of the questions, well, at least you have identified a problem to fix this year. Which leads to my final point. Creating and maintaining a culture of security in any organization takes years. However, you have to start somewhere, so let this year be year one on your organization’s security culture journey.


If you’re looking for IT solutions or help with your security, contact iT1 today to learn more about our Security Risk Assessment.



Dr. Mike Lewis serves as Chief Information Officer, EVP of Informatics, Security & Technology for Trillium Health Resources, a managed-care organization serving more than 350,000 members in North Carolina. He earned his Doctor of Management degree from George Fox University and is a former MBA adjunct professor at Maryhurst University. Mike has worked in the IT field for more than 25 years with stints at IBM, Merisel, and Dell.

