You’ve built a successful business. Now how do you get your employees to care as much about protecting it as you do?
People are your greatest asset, but some days they can feel like your greatest liability. Humans are fallible, and even the best ones make mistakes. There are only a few bad apples out there that come to work to do harm, not good. So how do you keep well-intentioned people from making mistakes, and let the potential rogue employee know you are not going to let them get away with damaging what you’ve built?
The key is the culture you foster in your business. Company culture sounds like a touchy-feely thing that you can’t control, but more of it rests with you and your leadership than you might realize. As Peter Drucker said, “Culture eats strategy for breakfast.” It’s a powerful tool in running your organization successfully.
Before you can start building a culture that values securing your business and avoiding risky business, you need a foundation to build on. These are the first steps. (Part Two, Building a Culture of Security, my next post, is coming soon!)
Holding people accountable for their actions doesn’t have to be punitive, but if you don’t have accountability, you will have a culture of chaos. It also doesn’t mean you fire everyone who makes a mistake -- otherwise your employees will simply hide their mistakes. Foster an atmosphere where people own their “stuff” and everyone learns from mistakes. You still want people to take risks and innovate, but when people don’t follow company policy or process, put the company at risk, or just make a bad business decision, you need to acknowledge and respond appropriately. In my line of work, that could be anything from a friendly “oops!” message to an employee who clicks on a phishing email, to a disciplinary conversation with an employee who breaks a security policy. And when incidents bring insights, generously share with others as a “teaching moment.” Your goal is not to embarrass those involved but instead reframe their mistakes in order to help others learn and avoid the same pitfalls in the future.
Do you have written company policies that your employees must acknowledge every year?
Create policies that cover the basics like how we all treat each other (policies regarding discrimination, harassment, etc.), how we all behave (ethics, code of conduct, anti-bribery, corruption, workplace violence, etc.), how we remain in compliance (legal, regulatory, and contractual) and how we maintain security (data privacy and security, password practices, network security, access controls, etc.). Take advantage of resources that can help guide your policy creation, like NADA, the FTC, your insurance company, and of course your legal counsel.
While you don’t want to stifle innovation, a culture without some process is one of organizational immaturity. Errors become commonplace, and even worse, breed inefficiency. Document your processes so that everyone knows “how we do things around here.” Once you’ve documented your processes, it makes it much easier to teach others through training, and more importantly, without it, you can’t do No. 1 – hold people accountable. In the world of security, process includes things like having every potential new vendor complete a security assessment as a part of your procurement process, doing background checks on job applicants, or having a system to track software licenses in use at your company.
Your policies and processes may be complete, but how well do people’s behaviors reflect what is in them? Reading a policy or a process does not mean people change their behavior. It’s essential to continually reinforce the desired human behavior through incentives, disincentives and marketing. The first two – rewarding desired behaviors and creating negative consequences for undesirable behaviors – are pretty straightforward and can be reinforced by pay plans and HR. The third – marketing – is a lot more fun. Security can be a dry topic, so if you can make the topic engaging you’re more likely to create the desired behaviors. Marketing security messages is no easy feat – stay tuned for my next blog that will dig more into this topic, and even make it fun.
Start with these foundational steps, and watch for my next post, “How to Get People to Care About Security As Much As You Do.”