Creating positive security culture

Security threats are prevalent in our everyday personal and corporate lives. The cyber security battle continues as the attacks become more frequent and cleverer, while defence comes in the form of building new technologies and new ways to identify threats. What does remain constant is that technology and tools cannot win on their own; they require human interaction and engagement. This is where security culture becomes important.

As you would expect, security culture is a collection of shared norms, attitudes, beliefs and behaviours within an organisation that reflect a common commitment to security. Security culture is derived from several influences including existing culture, the commitment from leadership, effective security training, consistent and clear communication, adopted policies, as well as an environment that encourages reporting, responsibility and accountability towards continuous improvement.

What does a positive security culture look like?

The idea of your organisation or personal data being the subject of a cyber-attack is likely to instil fear into your people, but adopting a positive security culture created through the belief of common values, practices and behaviours helps to encourage security in our everyday lives and make defence part of the norm.
Creating a security culture isn’t a one-time implementation, but a continuous investment. It requires:

  1. Education – continuous employee awareness and education must be in place. It must be relevant to the employee and to real world situations, supporting employees to identify and report risks.
  2. Leadership – buy-in and commitment from the top is crucial. Placing security as a strategic priority and modelling good security behaviours encourages the active engagement and support of all other employees.
  3. Communication – adoption of good practices that allow employees to report incidents or issues without the fear of being penalised.
  4. Collective responsibility – security is no longer just an IT responsibility but everyone's responsibility. This means implementing strong processes to support responsibility models and using techniques that engage employees to give feedback and develop the security approach.
  5. Integration – security should be embedded into all organisational practices, and not simply an afterthought to be bolted on at the end or a later date.
  6. Recognition and Reward – security practices that are rewarded and recognised generate engagement and encourage good security behaviour and habits to be adopted by employees.

Why does it matter?

Having a positive security culture is not just a nice-to-have; it is essential.

  • It reduces the risk of costly errors often caused by human mistakes.
  • It provides a more robust means of recovery in the case of crisis, as we are more prepared and understand what to do.
  • It provides a competitive edge, showcasing to suppliers and clients that security is taken seriously and integrated into company values.
  • It promotes a safe and supportive environment, improving staff engagement.

Creating a positive security culture creates the direct link that ensures policies, processes and technology all work together in unison.

What does the Cyber Security Culture look like in the Channel Islands today?

Working closely with businesses across the Channel Islands, we have seen more companies making concerted efforts to improve their security, and recognising that it’s a combination of technology, process and people that will help them improve.

Across the Channel Islands there is a very active Cyber Security community with one common objective: to keep our islands safe. Prosperity 24/7 are proud to be part of this community, to champion and support the building blocks that are being put in place to shape our security culture and behaviours.

Some of the building blocks that we have in place include:

  1. Community-Led Initiatives – these are critical to educating and reinforcing a shared sense of responsibility. For example, The Channel Island Information Security Forum (CIISF) brings together cyber and information security professionals. With over 500 members, this forum organises the annual Cyber Security Conference held in Jersey, along with other training sessions and activities that boost awareness and professional development.
  2. Public Engagement and Co-operation – security initiatives rarely succeed if they do not have the backing of the public. The Jersey Cyber Security Centre (JCSC), which is responsible for promoting and improving cyber resilience across Jersey’s critical national infrastructure and everyday life, was introduced with this aim at its core. To achieve this, they have actively enlisted the support of local businesses through their suppliers and CISO advisory groups, who contribute valuable insights into how security is perceived and where we need to place conscious efforts for future success.
  3. Governance and Policy Development – regulatory frameworks, such as the Cyber Security (Jersey) Law 2025, aim to mandate security responsibilities across the industries, specifically operators of essential services.
  4. Industry Collaborations and Strategic Partnerships – local businesses are bolstering their Cyber Defence capabilities, identifying those products and services that will provide the maximum defences relative to their business type and can be successfully adopted into existing business cultures.
  5. Education and Learning – The next generation of Cyber Security professionals are entering the workplace with industry and government backing to nurture their growth and development. Examples include the annual youth hackathons, petitions to improve the digital curriculum and engagement from local cyber security businesses at careers fairs to showcase cyber security as an attractive career path.

Commitment for change

Prosperity 24/7 have been actively involved in all Cyber Security initiatives across our islands, through regular engagement, sponsorship and support. We continue to champion the improvement of our security culture, through our own internal practices, individual services, and in line with our Cyber Security Strategic partnerships.

We recognise that a positive security culture across our islands is not fully developed, but the commitment to make a change certainly is. Companies, both with our help and the help of others, are moving toward building cultures that operate under a model of shared responsibility and trust.

Security culture can be seen in the choices people make daily, and not just in the policies and technology we put in place. All three complement and need each other to make positive change. When leadership teams show commitment and employees view security as an enabler rather than a blocker, so that mistakes, when they do happen, can be viewed as opportunities for lessons to be learned, to tighten measures or try something new, then we can say that a positive security culture exists.

Are we there just yet? Not quite – but we are definitely on the right path…