Cybersecurity should be a companywide commitment, not solely the responsibility of IT or security teams. Cultivate a culture where every employee understands their role in safeguarding information by providing training on recognizing and reporting threats. IT, Information Security, and Cybersecurity teams can support this shared responsibility by remaining approachable and available to answer questions, share insights, and promote open dialogue. When every colleague is engaged in defending the organization, defenses and accountability can be stronger—creating a united front against cyber risks.
Key Steps to Help Safeguard Your Organization
As organizations face rising cybersecurity challenges, creating a culture that prioritizes information security is essential. In our recent webinar, Building Cybersecurity Practices into Your Company Culture, Justin McIntyre, SVP and Director of InfoSec at First American, shared actionable insights on building a security-conscious workplace. Below are key takeaways from the discussion to help guide your cybersecurity journey.
Embrace Cybersecurity as a Shared Responsibility
Build a Risk-Informed Security Framework
Start with a tailored risk assessment to identify the assets most critical to your organization. Use established frameworks, like the NIST (National Institute of Standards and Technology) Cybersecurity Framework, to design a flexible security structure that aligns with your organization’s goals. This risk-informed approach supports targeted protections and adapts continuously to emerging threats, helping your strategy remain both comprehensive and proactive.
Secure Executive Support
Gaining executive buy-in is essential to embedding cybersecurity within company culture. IT, Information Security, and Cybersecurity leaders can support this by defining the ROI of security initiatives in terms that resonate with stakeholders across departments. Framing these investments as ways to help protect assets, reduce risk, and strengthen resilience fosters organizational confidence. When leaders actively champion cybersecurity, they reinforce its role as integral to both business continuity and success.
Standardize Security Responses with Open Communication
Create clear, standardized protocols across departments for handling threats like phishing to reduce confusion and ensure consistent responses. Encourage open dialogue about security practices, giving employees space to ask questions, share insights, and stay informed. This transparency builds trust and accountability, helping to make cybersecurity an accessible, integrated part of daily operations.
Use Positive Reinforcement Over Fear
Avoid fear-based tactics, which can lead to disengagement. Instead, foster a supportive environment that positions cybersecurity measures as empowering tools. Reinforce positive behaviors through training, simulations, and recognition of good security practices. This method encourages employees to view cybersecurity as a protective asset—and mistakes, like accidentally clicking phishing links, become learning opportunities instead of grounds for discipline.
Prepare for the Unexpected
Conduct regular simulation exercises, like disaster recovery and incident response drills, to ensure your team is equipped to handle real events. Involve multiple departments to uncover gaps in response protocols and document each exercise to strengthen processes and reduce dependence on individual knowledge. Proactive preparation boosts resilience and builds confidence, helping employees stay ready to manage unexpected disruptions.
Building a cybersecurity-focused culture is an ongoing journey that requires action, communication, and commitment at every level. By tailoring these practices to fit your unique needs, you can foster a workplace where employees feel empowered to actively protect the organization’s critical assets.
About the Contributor
Justin Mclntyre
Senior Vice President, InfoSec & Engineering, First American Equipment Finance
Justin McIntyre has over 20 years of experience in the information technology industry, with a strong focus on information security, IT risk, and IT governance and controls in financial services. Before joining First American in 2018, Justin worked in technology administration, public accounting, and application and data security, where he earned multiple certifications including Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), and Certified Cloud Security Professional (CCSP).
Currently, Justin serves as the Senior Vice President and Director of Information Security and Engineering at First American Equipment Finance. In this role, he leads the Information Security, IT Engineering, and IT Governance teams, overseeing the development and evolution of the company's IT control posture, infrastructure, and security environment.
