How to develop an information security culture in your company?

Developing an information security culture: part 1

Granite's information security basics


Granite is a platform that provides digital services for business development for companies, organizations and people. Granite’s services help to reduce business risks comprehensively across the fields of risk management, cybersecurity and occupational safety and health.

This article is part one of a blog series where we discuss the role of information security and developing an information security culture as a part of the cost-effective and productive development of different kinds of businesses.

In this series, we propose that information security is a vital part of the lives of individual people as well as integral to the operations of large organizations. We view this subject through the more or less common challenges and obstacles to the development of information security awareness and consider some of the possible consequences that negligence towards information security can bring about.

In addition to this, we shed light on a few practical methods that have been proven to help overcome these obstacles.

And because starting is always tricky, we present some simple steps to get things moving.

Wait, is information security, like, important?

In today’s world information security is without a doubt familiar to most people in some sense of the word, although the degree of familiarity with the concept varies quite a bit. Even though there is a lot of talk about information security, its meaning varies.

Common knowledge holds, somewhat adequately, that information security has something to do with computers. Most of the information considered worth securing is handled with computers and other similar electronic devices. In a more official context, information security is defined as the management actions concerning the availability, trustworthiness and integrity of information.

In everyday parlance, information security is very often mistaken to mean the same thing as data protection, but even though these terms are commonly used synonymously without hesitation, they are in fact two very different things in the field of cybersecurity.

Data protection stands for the confidentiality of personal information, but some regulations and laws that concern privacy, among other things, are also part of the concept of data protection.

Information security is quite a broad subject, so the confusion between these two subjects is understandable. Information comes in many forms. There is both digital information and analog information, but the knowledge and know-how of employees are also information that needs to be secured. Information security also includes the security of information when it’s transported.

The precise definition of information security might be unclear for a large number of people, but information security threats are much more widely recognised. Commonly acknowledged information security threats include, among other things, email scams, junk mail, viruses and privacy infringements, but many lesser-known incidents can pose significant risks for any organization or business. Piracy, cyberterrorism and electronic warfare are all, among other things, areas of interest in information security. Even though some might not consider unauthorized access to information, the use of said information or the loss of it to be an information security threat, that’s what it most certainly is.

Reducing risks with information security

As we just learned, information security isn’t just an abstract concept that has become a part of our shared vocabulary due to digitalization, but it’s a phenomenon that has a real effect on almost all operations.

If one views the modern business environment as a whole, it’s nearly impossible to locate an area that can’t be or shouldn’t be observed from the viewpoint of information security.

It’s undeniable that the development of digital technology has brought with it many tools and processes that have made business more manageable, but on the flip side, it has also brought a whole host of new challenges.

There’s no going back in time. Unmanaged information security is one of those things that can devilishly easily lead to severely hindered business prospects. This state of affairs is what makes information security a natural part of the risk-reducing goals of every organization aiming to maximize the potential for success.

Challenges on the way to an evolving and effective information security culture

When organizations begin to take concrete steps towards the betterment of information security, it’s far too often understood as merely a collection of different technological solutions.

This narrow view of information security isn’t that surprising because many of the widely publicized risk situations occurring in the realm of information security have fed the demand for such solutions. Modern information technology is susceptible to all kinds of computer viruses, malware and data breaches, for which security software and services are seen as the final solution.

Information security software can be of great use in many business areas such as workstation, server and data network information security, but the implementation and further development of information security requires a bit more. For example, the information security of the working environment touches everyone taking part in the operations on a very different level, one that technical solutions for information security can rarely cover.

Evolving information security aims at effectiveness, which means that for it to succeed, virus detection software doesn’t necessarily suffice. In some unfortunate situations, such software might even increase the number of information security risks, due to unavoidable bugs in the code.

Technological information security solutions are of utmost importance in modern business.

In the best scenario, information security is more than just a supporting function for the business; it's a vital part of everyday operations. With the right attitude and proper implementation, applying information security to all areas of business is easy and cost-effective.

This goal is not nearly as burdensome and complicated as it sounds. Everything starts with the intent, but when the whole organization is engaged to reach common goals, results are quick and visible.

Communication promotes the development of information security

Information security and its development are far too often left solely to the IT department, even though the most efficient way to do it would be by engaging the whole organization. Information security is what one might call a proverbial common cause, but that doesn’t always mean extreme and radical changes to the old ways.

It’s essential that visible commitment is made to the development of information security, even though some unwillingness to change is bound to surface. Even small steps suffice at the beginning of the process as long as the direction is determined.

For information security to evolve, it’s important that it’s talked about a lot and as often as possible, but it’s also very important to communicate the goals understandably and clearly throughout the whole organization. Unfortunately, when reaching for this goal, it’s often forgotten that the way things are said is almost as important as what is being said.

As a topic of conversation, information security is quite sensitive and prone to controversy. It’s effortless to discuss information security in an overly severe tone and manner, but for the situation to improve, emphasizing information security risks isn’t helpful at all. Instead, this approach only hinders the corrective measures taken and complicates the development goals.

Information security is important, and there's no question about it. But when it is seen narrowly as a necessary evil, employees can't engage in it wholeheartedly. Making information security an essential ingredient in everyday operations yields great results.

The conversation about information security might be awkward to start because basic knowledge of the subject is often lacking, and this notoriously creates potential for misunderstandings. Nobody can successfully converse about an unknown and foreign matter, much less pay adequate attention to it in everyday actions.

Even though this challenge is well known, most of the talk about information security is unintelligible jargon, rigid consultese and unclear concepts.

Concrete conversation starting techniques about information security

Information security is a diverse subject, and as such there are many ways to approach it, but that does not mean that its development should be complicated.

Setting specific goals and discussing them openly at least on the managerial level is advised in these situations. Determining preemptive technical measures and actions enables the personnel and levels the road to a more elevated level of information security.

Often, the need for improved information security rises from internal needs and goals, but sometimes it’s initiated by customers, partners and even by government regulations. In a business environment defined by continuing changes, stability is an undeniable competitive advantage, and a high-level, evolving information security culture is one of its most important indicators.

Often a large amount of the resources dedicated to the development of information security are exhausted in efforts that prove ineffective in the long run, such as singular courses and consultations. Internal operating models are difficult to change from outside.

How to start developing an information security-aware work culture?

Information security culture as an idea has a somewhat grandiose ring to it, and it plays well in customer newsletters and advertisements. It’s all well and good to be inspired by the ideas it invokes, but if one wants more than talk, enough resources should be directed at the most apparent obstacles standing in the way of progress.

Getting the whole organization involved in the development of information security isn’t necessarily free of unforeseen issues, but when the members of the work community begin to feel ownership over the information security aspects of their own work, it’s the most far-reaching way to reduce the strain on operations brought on by information security risks.

Many organizations have found it useful to start developing information security by combining its essential themes into some organizational event, for example, bringing in an expert to discuss the matter. These quick-start events work as a vaccination, upon which information security immunity can be developed by systematic online training.

The most critical factor in the development of an information security-aware culture is the internalized understanding of its importance.


In this first part of the blog series about information security, we covered the foundations of an information security-aware work culture, and its further development into an actual piece of every operation.

We covered the definition of information security, its features and its significance in the context of modern business.

Also, we discussed the critical role of information security in reducing the business risks. We also addressed the challenges that the development of the information security culture usually brings with it, and how to overcome these challenges.

Finally, we outlined the first few steps towards the evolving security culture and what kind of efforts this requires from companies and organizations. In practice, security development goals are easy to reach if approached wisely and systematically.