How to Develop a Security Culture for Your Startup

Humans are creatures of habit. All in all, we do the things we do because that’s the way that we’ve always done them.

The same can be said of cultures in our society and in our workplaces.

In terms of long-term business viability, culture is everything — especially as it relates to information and data security. Culture is a key factor in whether a business can grow and protect itself from cybersecurity risks.

In this article, we aim to outline the levers that can aid in instilling a strong security culture.

The benefits of security culture

A strong security culture is both a mindset and method of operation. One that’s integrated into every employee's day-to-day thinking and decision-making can make for an almost impenetrable operation. Conversely, an absent security culture will lead to uncertainty and, ultimately, cause security incidents that you and your organization cannot afford.

According to the U.S. National Cyber Security Alliance, 60% of small businesses cannot sustain their businesses beyond six months after a cyber-attack.

Ira Winkler, author of Advanced Persistent Security, believes that every organization already has a security culture that’s either weak or strong. Ira defines security culture as the result of consistent behaviours by individuals within an organization.

But how do you get employees to adopt security-focused behaviours? There are a few key principles that can keep security at the forefront of your employees’ daily routines.

  • Ingrain the concept that security belongs to everyone.
    Many organizations have the opinion that Security or IT departments are solely responsible for security. But in reality, a sustainable security culture is the responsibility of every employee.

    A reward system that’s tied into compensation can serve as a great motivator along with periodic security training. The key is that everyone must be on board.

    In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by employees. Learn how to protect your organization from insider threats.

  • Embrace organizational security top down.
    It all starts at the top. Executive leadership on security is essential for garnering employee buy-in. Executives must also communicate and set priorities with middle management and encourage employees to integrate security practices every day. Additionally, the C-level should be held to the highest standards in the business to set the right example.

  • Make security engaging and fun.
    People often associate security with boring training or someone saying no all the time. To develop a sustainable security culture, build engagement and fun into every part of the process. If you have specific security training, ensure that it is not a boring PowerPoint presentation.

    Gamification reinforces learning and encourages desired behaviours in fun, simple ways.

One way to gain employee buy-in for your security culture is to reinforce positive actions through an incentive program. There are some simple choices you can immediately implement to start influencing security attitudes across the organization, including:

  • Make security awareness a component of annual employee reviews and require employees to meet a certain standard to be eligible for a promotion.

  • Find polite ways to call out employees who aren’t representing a security mindset. For example, when an employee leaves his or her computer unlocked, teammates can send an all-staff email or Slack message saying “Hey team, I’m buying lunch for everyone” from that person’s computer.  

The risks of not focusing on security are well documented. Breaches can cost companies customers, degrade the brand and harm the business. At the other end of the spectrum, creating a strong security culture can actually help a company carve out a differentiated market position.

Wherever your organization sits on the security culture spectrum, there are always things that can be done to make the culture better.

So, do what’s right and get started now. Security culture takes time to develop.

