Building a security-first culture for MSPs: Always ready, always protected
For IT professionals and MSPs, a company’s security posture is influenced not only by technology but also by its team's daily actions. Whether intentional or accidental, human behavior plays a significant role in either fortifying or undermining security measures.
Verizon Business’ 2024 Data Breach Investigations Report revealed that 68 percent of breaches this year involved a non-malicious human element, such as people falling for phishing schemes, mishandling sensitive information or getting tricked by a social engineering ploy.
This statistic spotlights an important truth: implementing strong security technology is not enough for MSPs. They must also champion a culture of security awareness within their clients' organizations. Embedding security consciousness into everyone’s daily routines -- through training, consistent communication and clear policies -- reduces the risk of breaches.
Moreover, a team that understands the importance of its role in keeping the company safe not only strengthens security but also cultivates a strong security mindset among its members. When breach headlines can change the course of a company’s future in hours, prioritizing security as a focus across the organization increases the trust that both insiders and outsiders place in the organization’s reputation.
Security and Trust
Security is critical to a company’s success, just as finance, sales or product development are. It doesn’t only affect internal operations -- it shapes how a company is perceived by customers, partners and the market. Security failures can erode trust and have devastating effects on a company's reputation, stock performance and customer retention. Trust is earned slowly, but lost quickly. For MSPs working with businesses of all sizes, it's critical to educate leadership on the essential role security plays in overall business success.
As a trusted advisor, you can support clients building security awareness internally by helping their in-house IT teams consistently communicate the measurable benefits of strong security. It’s not just about protecting data or meeting compliance -- it’s about earning and keeping customers' trust.
The Metrics That Drive Security Performance
MSPs can play a pivotal role here by providing clients with the tools and reporting they need to track and manage security effectively. It’s important to identify and measure security metrics that demonstrate the program’s effectiveness. For instance, rather than only reporting on out-of-date devices that need remediation, track whether users are improving their update speed over time. This shift emphasizes a holistic and proactive approach to security by reducing the window of exposure to potential threats.
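One way to put that shift into practice, as an added example (not code from the original article or from any vendor's reporting tool), assuming a constructed per-device patch log where each row holds the date a fix was released and the date the device installed it: the snapshot function answers "how many devices are out of date right now", while the trend function answers "is time-to-patch, and therefore the exposure window, shrinking month over month".

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data: (device, patch release date, install date or None if not yet applied).
PATCH_RECORDS = [
    ("ws-01", date(2024, 1, 9),  date(2024, 1, 30)),
    ("ws-02", date(2024, 1, 9),  date(2024, 1, 25)),
    ("ws-03", date(2024, 1, 9),  date(2024, 2, 2)),
    ("ws-01", date(2024, 2, 13), date(2024, 2, 27)),
    ("ws-02", date(2024, 2, 13), date(2024, 2, 22)),
    ("ws-03", date(2024, 2, 13), None),
    ("ws-01", date(2024, 3, 12), date(2024, 3, 18)),
    ("ws-02", date(2024, 3, 12), date(2024, 3, 20)),
    ("ws-03", date(2024, 3, 12), date(2024, 3, 19)),
]


def outdated_devices(records, as_of):
    """Snapshot view: devices with at least one released patch not yet installed on a given date."""
    return sorted({dev for dev, released, applied in records
                   if released <= as_of and (applied is None or applied > as_of)})


def days_to_patch_by_month(records):
    """Trend view: median days from release to install, grouped by the patch's release month.
    Patches still unapplied are skipped here; report them separately as open exposure."""
    buckets = defaultdict(list)
    for _, released, applied in records:
        if applied is not None:
            buckets[released.strftime("%Y-%m")].append((applied - released).days)
    return {month: median(days) for month, days in sorted(buckets.items())}


def improving(trend):
    """True when the median time-to-patch in the latest month is lower than in the first month."""
    months = list(trend)
    return len(months) >= 2 and trend[months[-1]] < trend[months[0]]


if __name__ == "__main__":
    # A mid-January snapshot shows three outdated devices; the trend shows the window shrinking.
    print("Outdated on 2024-01-15:", outdated_devices(PATCH_RECORDS, date(2024, 1, 15)))
    trend = days_to_patch_by_month(PATCH_RECORDS)
    print("Median days to patch per month:", trend, "improving:", improving(trend))
```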
MSPs can leverage vendor tools and existing audit reports to demonstrate success and keep security top of mind in leadership discussions. Providing regular updates on threat detection and mitigation proves the value of the security program and ensures the organization views security as a business asset, not just an IT expense.
Just Say No to Just Saying No
Security, whether handled in-house or provided by an MSP, should strive to be seen as an enabler of safe progress rather than a barrier. When security is perceived as the dreaded 'Department of No,' it can hinder employee engagement and lead to risky behavior. People may bypass security policies to circumvent what they perceive as cumbersome or arduous workflows.
MSPs can reframe this narrative by balancing security controls with the need for people to get their work done without unnecessary friction. Instead of simply publishing new policies, explain the "why" behind each security measure, helping people understand the material impact on overall security. Regularly soliciting feedback on new or misunderstood policies can provide insights for refining processes, and make team members feel heard.
Additionally, celebrating security wins -- such as potential phishes reported to security or reduced help desk tickets for password resets -- reinforces a positive security culture. This approach empowers everyone, making them feel supported rather than hindered by rules. It also helps build trust and collaboration, making security a shared responsibility.
Here’s a quick breakdown of how MSPs can encourage feedback, celebrate security wins and equip people with broader security knowledge through repetition:
Encouraging Feedback:
- Anonymous Feedback Channels: Create anonymous reporting tools where team members can voice concerns about security policies, suggest improvements or ask questions without fear of judgment.
- Interactive Feedback Sessions: Incorporate feedback loops in security training sessions by asking attendees for their thoughts on how current policies affect their workflow and inviting suggestions for better integration.
- Quarterly Pulse Surveys: Conduct regular surveys that assess employee satisfaction with security protocols, their understanding of policies and areas where they need more clarity.
- "Ask Me Anything" Sessions: Host open Q&A sessions with security professionals where people can ask questions about policies, report challenges or seek advice on specific security practices.
Celebrating Wins:
- Security Champion Awards: Offer awards or shout-outs during company meetings to recognize people or teams that actively contribute to security initiatives, such as reporting phishing attempts or applying patches promptly.
- Monthly Security Achievements: Share a monthly newsletter or post celebrating milestones like preventing a major security incident, closing a known vulnerability or achieving 100 percent training completion.
- Spotlight Stories: Highlight individual success stories, such as a team member who helped identify a phishing attempt, and explain how their actions protected the organization. Use these moments as case studies to reinforce good habits.
Equipping Teams with Overall Security Know-How:
- Bite-Sized Learning Modules: Offer frequent, short modules that focus on both work-related and personal security topics, like spotting phishing attempts, setting strong passwords or securing personal devices.
- Cross-Platform Tips: Share security tips in multiple formats -- via email, internal chat tools, or in-office signage. Include advice covering everyday risks like protecting home Wi-Fi networks or avoiding scams when shopping online.
- Personalized Security Workshops: Offer optional, interactive security workshops where people can learn about topics like protecting home networks and personal devices, identifying scams or securing personal accounts. This process gives them more motivation to listen to security communication and guidance by improving their safety in their personal and professional lives.
- Weekly Security Briefings: Send out weekly bite-sized security tips via internal chat or email that address trending threats and how people can safeguard themselves both at work and at home. These tips help reinforce best practices through repetition, increasing the likelihood the information will be remembered and put into practice.
This approach helps everyone see security not just as a chore, but as a valuable skill set that benefits them both at work and at home. Regular, digestible updates can reinforce key behaviors and build a more security-conscious culture, reducing human error as a common breach vector.
Changing Security Perceptions
In an era when attacks are inevitable, each person’s role in maintaining an organization's security posture cannot be overstated. Investing in technology is only part of the solution for MSPs and IT professionals. The real power lies in creating a security-first culture where everyone is aware of the risks and trained to recognize and respond to threats.
By embedding security awareness into clients' everyday business workflows, MSPs reduce the likelihood of human error and build a foundation of trust and resilience. Ultimately, a well-informed workforce is a company's greatest defense against threats, strengthening both its security and its reputation in an increasingly volatile digital landscape.
Zoe Lindsey is a security strategist at Blumira with over a decade of experience in information security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and strategies. As a sought-after speaker, she has shared best practices and recommendations at industry-leading events including RSA Conference, SecureWorld, and Cisco Live.