Date posted: 17/05/2019 5 min read

Three secrets of a strong security culture

Good cyber security starts in the C-suite. But as threats become more potent, the solution is a company-wide security culture. Here’s how to build it.

In Brief

  • "Make security personal,” says McAfee APAC CTO Ian Yip. Everyone has a role in mitigating risk
  • Board level buy-in, a clear strategy and company-wide communication form a solid foundation
  • Take a risk-based approach – identify and protect the assets most crucial to the business

Every company, big or small, faces risks of malware attack, data breaches and cyber-fraud that can damage both organisational reputations and bottom lines.

The hazards are ubiquitous. "Cybersecurity makes front-page news fairly often and every other day we hear about a different cyber incident of some sort," says Ian Yip, chief technology officer, Asia Pacific, at cybersecurity solutions giant McAfee.

To ensure such threats never materialise, companies need to establish and embed a cyber-security culture. Building this culture "from the top down and the bottom up" requires commitment, clarity and communication, Yip says.


"The first step is executive and board level buy-in," Yip says. "Without this there will usually be impediments to success."

With commitment comes cash, but it's about more than technology investment. "While technology can help automate and orchestrate a lot of the operational aspects of cyber-defence, what it comes down to is, you still need the humans," Yip says.

A good cybersecurity culture is built on a reasonable budget and the right people. "If you don't have enough humans sitting there working on the problem, that makes it extremely challenging," Yip says.

Beyond the C-suite, company-wide buy-in is crucial.

"Everyone in the organisation needs to have some level of security awareness and education to be able to improve the culture."
Ian Yip, McAfee APAC CTO.

"Without that culture everywhere, it's difficult to embed security and put in things like secure-by-design principles," Yip says.


Lack of focus can impede a good security culture. "The trick is to get very specific about what you really care about," Yip says. "If you try to protect everything, you can kind of do half measures and you may not really have the effectiveness you want."

A risk-based approach can yield clarity. Whereas companies once focused on technological tools to block hackers, today the complexity of threats coupled with abundant data calls for a risk-management approach.

This means identifying the data assets that are the most critical to the business – those that, if compromised, would have the greatest impact – then aiming to mitigate any vulnerabilities that put those assets at risk.

"If you take a risk-based approach to cybersecurity, you're much more able to focus on the things that really matter instead of trying to do too many things at once," Yip says.

Clear metrics and regular reporting are also essential to a sound security culture, Yip says, offering a succinct list: "How many incidents do we get? What is the average detection time for an incident? What's the average time for us to respond to an incident? When we scan for vulnerabilities, how well do we do every single time? How quickly can we fix or remediate a problem?"

Once these metrics are in place, it becomes easier to monitor security trends and the reasons behind them and to build a culture of continuous improvement.


Every employee of every company is integral to cyber security culture. While education and training are essential, firms should "make security personal – in a positive way," Yip says. "Once people understand the real impact and consequences if and when something happens, they're a lot more likely to behave accordingly."

"The most important thing is to use plain language when you're speaking to non-security focused, non-technical people," Yip says. "You have to be able to articulate cyber security in the context of enterprise risk in general, so you need to overlay the cyber-risk conversation with plain language."

Ultimately, a successful cyber security culture relies on a future-facing perception that it is an enabler of business rather than an inhibitor. "And culture is probably the number-one priority," Yip says.

Search related topics