No Ties Attached: How recognizing culture drives great security

Late last year, I was in on a meeting where our Training team was gathering requirements for a Custom CBT to be built for a huge, recognizable client. This client had offices worldwide and our course would be viewed many teams so it was imperative that we got the details right. After a productive meeting we got to the end where I asked if there was anything else they wanted to address.

“Yes,” said someone on the client team,

“We don’t want pictures of people wearing ties in the course.”

There was a brief chuckle but they weren’t kidding. This was their company culture and they understood the importance it played in making this Training program successful. At this point a light should go off in all our heads and I want to share why it is, that understanding your company culture can be the difference in any security program.

What’s your culture?

Every organization has a culture. When you hear people describe their teams as “laid back” or “professional” this is describing the culture. When it comes to company culture you want to identify how is it that your teams communicate and work. Does your organization have many leaders that inspire people or maybe your teams are individual contributors which combine into an overall team effort? It could be something as simple as how people write e-mails to each other… do they offer a very formal tone, or do they often insert images and reddit memes into the e-mails to inspire a laugh? How do they dress, what turns them off?

First, identify the culture in your organization because this is your target audience. Anytime you promote any aspect of security, you will need to address this audience and engage them in a manner that relates to them. Security for most companies is a mandatory requirement, but it doesn’t have to be boring. But how can you make it UN-boring? Learn the culture of your company.

Where Security Fits

Now, your people are your most important assets. During my meeting, our Client understood that if the people taking the Training saw anything even close to “suit and tie” culture, they would immediately be turned-off by the training and connect it with negative thoughts. Clearly this is something we don’t want them to associate the training with, so it makes sense to not get off to a bad start.

“We don’t want any people wearing ties in the course.”

The same can be said for any aspect of security within your organization. As an example if you run a company with a “start-up” type culture, you may not want to write Security Policies that are overly formal because it could be seen as “pretentious” and be dismissed. A more engaging security policy in layman’s terms may actually inspire people to joke about it, discuss and remember the policy should a situation arise. You want to associate positive thoughts to security (as difficult as that sounds). It is easy to be discouraged about security because people are often told what not to do.

Target and Deliver

If something as simple as matching your culture and removing ties helps employees better relate then you can see why its important to research how you company works and apply that to your security program.

Know your audience. The saying is commonly thrown around, but it speaks volumes to what we should all try when approaching security within our organizations. Knowing your audience helps you target them better. Security can in some ways be thought of as a sales pitch, where you would rather entice people to opt-into rather than force it on them.

One example is Google and their privacy policy. Google realized that the majority of their users aren’t lawyers and that privacy policies affect mostly their customers. They released a layman’s version of their privacy policy and consolidated over 60 policies as a service to the customer but also spoke in a way that regular people like you and I could understand.

Delivering security programs that target your company culture can not only promote more positive engagement but may also inspire people to take active participation in it as they will be better equipped to understand the end goals.


Understanding your company culture can help you drive more effective security programs by understanding what it is that engages your teams and what turns them off. You’re more likely to be able to engage items your teams feel strongly about as opposed to turning them off before they even get to the starting gate. It really can be as simple as “No ties” please.