Three Ways to Develop a Security Culture

In the modern world of software development, it is simply not enough to build the best product, service or offering on the market.

With the fines and sanctions outlined in the EU GDPR in mind, and with ‘leaks’ of Personally Identifiable Information (PII) continuing to dominate the news headlines, all companies now also need a highly secure product to compete in this environment.

With the Information Commissioner’s Office (ICO) ready to hand out fines equalling 4% of global turnover, and with the potential loss of trust from your clients, let alone the more general reputational damage that could ensue from such a breach or loss of sensitive data, we all need to be better prepared to meet the next security threat our businesses face.

How does W2 compete?

Quite simply, by empowering our staff with a strong security mindset and maintaining a strong security culture right across the business.

  1. We provide all staff with comprehensive Information Security (InfoSec) training that is both informative and entertaining, giving all staff the confidence to challenge security vulnerabilities if and when they encounter them during their day-to-day tasks. Whether during the product development process, on receiving a phishing email, or when challenging an unknown person attempting to access the W2 offices via tailgating, training and awareness are the vital first step.

    Despite the use of the latest email filtering and mailbox protection, the occasional spear phishing email does get through our sturdy defences. Staff are all briefed to contact the InfoSec team quickly so that we can act just as quickly to nullify or remove the threat. While technology plays a key role on multiple levels, we consider the most important layer of prevention to be the creation of a security awareness culture across the entire organisation.

  2. All W2 members of staff are encouraged to challenge anything they deem to be insecure, and we – as the InfoSec team – ensure that the issue is resolved without delay. This includes everything from new policy creation and introduction right through to project implementation and delivery. The GDPR requires us to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’. Everyone has something valuable to say about the security of our customers’ data. After all, security is everyone’s responsibility.

  3. Alongside this, the members of our in-house development team are all cognisant of security best practice. Because we are passionate about programming ‘secure code’ and about ensuring teams come to a secure solution when tackling a problem, we have created a team of security champions: a group of developers across our project teams authorised to direct their product to be the best it can be.

Since implementing these steps, we’ve had scenarios where the automated testing in our pipelines and our shift-left approach to application deployment have resulted in security champions re-architecting a project, or re-prioritising tasks, to ensure it is delivered securely.

The security champions have been a resounding success and, alongside our in-house InfoSec team, are making W2 a highly secure platform you can trust.

We’re looking to produce more security blogs about the way W2 protects its customers, covering topics from policy & mindset, through to technical challenges.

If you have any questions, or there are any topics you would like us to cover, please let us know what you think at
