Episode 66

Creating a Security-Minded Culture

In this podcast, I enjoyed talking with Chirag Shah, Model N's Global Information Security Officer and Data Privacy Officer, about creating a security-minded culture. Infusing a security culture within organizations starts with leadership buy-in and support. Chirag highlighted the need for interactive and engaging training programs tailored to specific departments, involving real-world examples and practical scenarios. He stressed the significance of fostering a security mindset among employees through daily reminders and reinforcement and leveraging free or low-cost resources to implement effective security awareness programs. Chirag also emphasized the need for a strategic approach to security and a security-minded culture where employees are empowered and responsible for maintaining a strong security posture.

Action Items

Develop an interactive mobile app that delivers bite-sized security awareness content and quizzes, and scores performance.

Organize escape room and security hackathon events as hands-on learning initiatives.

Contextualize training for specific employee roles and responsibilities.

Incorporate security into employees' goals and recognize adherence to policies.

Lead by example and make security part of a company's vision and operations.



Time Stamps



00:02 -- Introduction

02:38 -- Guest's Professional Highlights

04:14 -- Why do you emphasize the importance of infusing a culture of security?

06:35 -- How do you create a security-minded culture?

09:42 -- How do organizations create engaging and effective cybersecurity awareness training to develop security-minded cultures and cyber hygiene habits among employees?

15:49 -- Personalizing security

19:49 -- Dealing with common challenges and hurdles associated with creating security-minded cultures.

27:53 -- How do you get top management buy-in?

29:05 -- Creating a culture of accountability

36:35 -- Treating cybersecurity as a strategic enabler

37:57 -- Final Thoughts


Memorable Chirag Shah Quotes/Statements

"Security belongs to everyone, not just the security team. It's about embedding security awareness and responsibilities into the vision, mission, and day-to-day operations of all departments and employees."

"Security should become part of the daily goals for the execution of the business."

"Focus on security awareness training that is engaging, fun, and rewarding for employees, and move beyond annual compliance training to create a continuous security learning culture."

"When anyone asks, how big is your security team, I say about 1300 some people, right, because that's what my company is. All of them are our security team, and they are the security champions, and they helped me manage and drive the security program to the next level."

"What you want to do is implement a phased approach to security awareness training, starting with basic concepts and gradually increasing the complexity of those concepts."

"90% of the employees in US companies use laptops to conduct personal transactions, whether they're paying the credit card bill or they're booking travel tickets, they're all doing it online, and using a company laptop."

"Appoint security champions within different departments to assist in training and awareness."

"The message has to be very simple and to the point, so employees can understand and have an open dialogue."

"Implement pre- and post-training assessments and measure changes in employee knowledge."

"Leaders and managers should lead by example by following the security policies and procedures themselves."

"Inject security into the quarterly goals that individuals have or six monthly goals that they have, and give them an opportunity to work with the security team."

"Promote a culture of accountability, hold employees accountable for their actions."

"Employees are more likely to embrace security measures when they feel they have a voice in the process, they have a voice in creating the appropriate security culture."

"It would be awesome to have an interactive mobile app that delivers bite-sized security awareness content, quizzes, challenges, and scores performance."

"Create an environment where employees or teams feel empowered and responsible for maintaining a strong security posture and driving the business. Make sure that security is not just a roadblock, but they are the enablers."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publications:

Published in USA Today — “Dave Chatterjee Drops the Cybersecurity Jargon, Encouraging Proactiveness Rather than Reactiveness,” April 8, 2024

Preventing Security Breaches Must Start at the Top

Mission Critical -- How the American Cancer Society successfully and securely migrated to the cloud amid the pandemic

Latest Webinars:

How can brands rethink data security to maintain customer trust?

Cybersecurity Readiness in the Age of Generative AI and LLM

Insights for 2023, Cybersecurity Readiness with Dr. Dave Chatterjee

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.