
Security culture in the company

The company-wide security culture is an often underestimated aspect of IT security. We help you identify problems and embrace security.

A strong security culture brings:

  • Companies with a lived security culture experience fewer security incidents, avoid costly downtimes, and strengthen the trust of customers and business partners.
  • A security-aware workforce recognizes and reports threats faster, enabling risks to be mitigated early on. At the same time, a positive security culture ensures greater satisfaction and personal responsibility among employees - creating a sustainable competitive advantage for your company.

Why is security culture so important?

What do clicks on phishing emails, unattended laptops, and sticky notes with passwords on the desk have in common? They are all symptoms of a missing security culture within a company and can significantly contribute to the occurrence of avoidable security incidents.

A robust security culture is the foundation for a modern approach to information technology. In light of the ever-growing threat from targeted attacks, it is essential that a company arms itself in the best possible way against them. Here, it is easy to fall into the trap of the "firewall as an all-purpose solution": "We have a firewall, so what else could happen?"

Not all problems can be solved with technical upgrades. Sometimes, the opposite is true when new technology or software also brings new, complicated processes that are not understood and/or properly followed by employees. "Shortcuts" quickly appear, which bring completely new security problems with them. For example: the password note on the desk.

Security culture begins where technology ends: with people. And people need special consideration that cannot be replaced with strict guidelines and punishments for misconduct. A company culture built on rules and penalties alone is a large red target just waiting to be hit by someone.

The reality of security culture


A robust security culture cannot be enforced overnight; it must be nurtured and cultivated over an extended period. Neglecting it can quickly lead to the emergence of new vulnerabilities.

Therefore, it is crucial not to limit efforts to one-time initiatives but to continuously monitor developments, make necessary adjustments, and respond promptly when needed.

The path to an improved security culture is lengthy but can be broken down into three fundamental steps. These steps are formulated as questions that each company must answer individually:

  1. What are our major challenges and the associated risks?
  2. How can we measure our security culture and identify the problems?
  3. Can these problems be resolved in the long term without merely treating the symptoms?

Our motto: people not as a risk, but as an asset

We firmly believe that a lived and cultivated security culture should hold the same importance within a company as the hardening of technical systems.

The 5 Pillars of a Solid Security Culture

There are countless methods to summarize a security culture into metrics, but all these methods and models share the same core, which can be represented by the following 5 pillars:

Awareness and Training

The level of knowledge and competence regarding security-relevant topics present throughout the entire company.

Behavior and Opportunities

How people act concerning known security-relevant topics, and whether people are even capable of consistently following security-relevant instructions.

Communication and Collaboration

How security-relevant topics are communicated throughout the company, whether this is consistent, and how/if employees collaborate to achieve specific goals.

Incentives and Motivation

How people are treated and what reasons are given for engaging with specific security-relevant topics.

Team Leadership

Whether the guidelines are consistent throughout the company and what regulations apply to the executives. Executives set the tone in the company and influence the employees' attitude towards security.

Our Services

More than training – Your partner for real cultural change

Unlike traditional providers who focus on one-off training sessions, we provide comprehensive support in building a sustainable security culture. We not only focus on imparting knowledge, but also support you in anchoring changes in behavior, communication and collaboration. Through the close involvement of managers and employees, we work with you to develop individual measures that fit your corporate reality and have a real impact – instead of short-term flashes in the pan.

We offer a holistic program that covers the five ENISA phases and is individually tailored to your company:

  1. Awareness – Sensitization and Introduction

  • Execution of tailored security awareness campaigns
  • Interactive phishing simulations and social engineering tests to establish a baseline
  • Keynote speeches for management and employees

  2. Analysis – Status Quo and Culture

  • Measurement of security awareness through anonymous employee surveys and interviews
  • Evaluation of existing incidents and identification of 'pain points' in processes and behavior
  • Analysis of the security climate (e.g., handling of errors, reporting culture, management engagement)

  3. Planning – Development of Measures and Definition of Objectives

  • Development of an individual action plan based on the analysis results
  • Definition of concrete goals and KPIs (e.g., reduction of phishing clicks, increase in reporting readiness)
  • Involvement of managers and 'security champions' as cultural multipliers

  4. Implementation – Making Changes Visible

  • Support in the implementation of awareness training, communication campaigns and process adjustments
  • Coaching for managers and 'security champions' in the company
  • Establishment of feedback mechanisms and low-threshold reporting channels

  5. Evaluation & Iteration – Measuring Success and Securing it Sustainably

  • Regular monitoring of success through repeat phishing tests, awareness surveys and KPI tracking
  • Conducting lessons-learned workshops and continuously adapting measures
  • Establishment of a sustainable improvement process (e.g., annual culture reviews, best practice sharing)

Making success visible – with clear key figures and regular checks
We won't leave you in the dark: Together, we define measurable goals and success factors, such as reducing clicks on phishing emails, increasing the willingness to report incidents, or improving security awareness through anonymous surveys. Through regular evaluations, targeted repeat checks and transparent reports, we make progress and the need for improvement visible – so that security becomes measurable and manageable for you.

Why mgm security partners?

In a world full of cyber threats, more than standard solutions are needed. We offer tailored IT security strategies that not only look good on paper but also prove themselves in practice.

  • Holistic approach: We combine technology, organization and people to create a practical security program.
  • Technically sound: Our methods are based on current standards and our many years of expertise.
  • Individual & pragmatic: No 'one-size-fits-all', but tailor-made solutions for your corporate culture.
  • Long-term support: From the initial analysis to the continuous improvement process – your success is our goal.

Maximiliane Mayer

Let's delve deeper into the topic, feel free to contact me!

mgm DeepDive

Podcast: Security Culture – The Key to Sustainable Cybersecurity

Cybersecurity is not just about firewalls, policies, and tools. Above all, it thrives on an active security culture. But what does that mean in concrete terms? Why is it so crucial for companies? And how can you anchor security awareness in everyday work in the long term?

In the current podcast episode “Innovation Implemented”, Maximiliane Mayer (Head of Information Security Consulting, mgm security partners) and Julia Kirchner (Principal Consultant, mgm consulting partners) discuss exactly that: the role of change management, the connection between technology and behavior, and why security culture today is more than just annual training.
