How do we create security culture?

In my nightmares, we've had a major security incident: A password that was susceptible to a dictionary attack and belonged to a staff member with admin access was cracked. A software bug allowed an attacker access to data we didn't intend for public consumption. A stolen laptop was scanned and contained a cache of our internal data.

As a result, we've had to notify all of our users, partners, funders, and volunteers that their data may not be secure - that it probably isn't. In our favor is the fact that we don't collect actual financial data or 'Personally Identifiable Information'... but against us is the massive loss of trust and reputation. It's not the reality that will damage us most, it's the perception. It's losing credibility as an organization that is doing good for everyone involved with us.

I was asked a question in my first week at this job: "What do you expect the hardest part of your job to be?"

"The social aspect. Security is 80-90% social when it's really functional," I replied. He asked a few more clarifying questions and I explained my position.

I've spent time in roles where these security questions weren't just a question of credibility but of life-and-death. Screwing up could send people to jail, cost the organization lots of money, or lead to people being tortured or killed. I trained on Security Culture of the sort the Ruckus Society talks about - "While opponents (like governments and corporations) use technology to snoop, spy and test our effectiveness, this guide walks activists through security measures we can take to safeguard ourselves against those dirty deeds."

That's a hard life. I joke about losing sleep here, but I'm mostly joking. In those positions I actually lost sleep, had nightmares, and had to practice very careful self-care to make sure I didn't burn out in a way that could harm others. Hard as that was, there are ways in which it was easier. When everyone knows the realities of the situation, that a slip can cost not just money and reputation but has the potential to cost lives, they put a lot of effort into creating and maintaining a culture that values security.

I've also worked in places where the security policies put up walls everywhere and users had to learn to scale those walls, drill holes in them, or sneak around them to get their jobs done - the security those policies created was a polite fiction at best, and more dangerous than nothing at all at worst.

My goal in this organization is to create the first sort of culture - one where everyone has security in mind, is aware of the value of the information they handle every day, and wants to protect it in all possible ways - without the need for fear to drive it. This is why I write our policies to be as gentle and as aware of use cases as possible. I want us to be working together towards maintaining and understanding security, instead of everyone having to work around technical blocks I throw in your path in order to get your job done. Without the obvious risks, this is a more difficult task.

A concept I repeat in the trainings I give is that "security is a moving target and it's something I simply can't do alone. Everyone in the organization, from volunteers to the management team, is involved in security." I believe this, wholeheartedly. It doesn't stop me from doing what I can do, but it does inform my priorities.

In the spirit of transparency and accountability, I'm bringing this to you - how can we create a security-aware culture within groups and organizations?