Thoughts on Security Culture

A company with a highly functional Security Culture is one where the staff all know the company's security concerns, and are both aware of, and exercise, the procedures needed to deal with those concerns. Security is a cross-company problem; it does not rest solely with your security, IT, or Ops staff.

Each individual has an understanding of what's expected of him or her. All staff need to be aware of the risks related to Phishing, Spear-Phishing, Smishing and related attacks, including how to identify them and how to avoid clicking on, or otherwise falling for, these forms of attack.

Developers are aware of the security requirements of the product they're developing, and take steps to meet those requirements in every project and bug fix they work on. Security concerns are addressed on-par with any functionality changes/improvements.

Quality Assurance staff work to ensure that security and data privacy functionality, especially, is tested frequently, and in as automated a manner as is feasible. Where manual testing is required, they ensure that manual security testing is appropriately prioritized and not skimped on. Where security testing is not performed, this is clearly called out as a potential risk to the success of the feature, fix or product.

Product Managers recognize and drive security as a normal part of doing business. Security is appropriately prioritized to meet the business's security concerns. Product Managers understand the security of their competitors, and work to exceed that baseline where appropriate. They understand, intimately, their customers' expectations with regard to security, privacy and visibility of the same (this is particularly important in a B2B environment).

When the business or its processes change, staff are made aware of the impact on their security requirements.

The business has a Board Member who oversees, at a high level, the company's security program.

One of the top executives in the company acts as the Security Program Sponsor. This person ensures that security issues are correctly prioritized and addressed, and that any follow-through takes place. This role is so critical that I'd suggest a company without a knowledgeable, actively engaged Security Program Sponsor could not be considered to have a functioning Security Culture.

By Craig Payne