How to Establish a Security Culture

Security culture is the set of ideas, customs, and social behaviors that impact security in an organization, both in a positive and a negative way. This is a fascinating discipline, deserving of more coverage, that organizations can apply to minimize risk.

At a KuppingerCole European Identity Conference (EIC) keynote, Thom Langford, from Publicis Groupe, made the following observation on the importance of nurturing a healthy security culture:

That should be the CISO’s paramount goal. Security culture persists longer than strategy and gets a lot of work done for you, helps you have credibility. People self-discipline rather than having to be disciplined. The key is to stop treating people as if they are stupid. Instead, treat them as the heroes of the business.

Paraphrasing Thom’s tips:

  • Engagement: Engage with stakeholders, be more open. Take an opportunity to thank them whenever something good happens.
  • Risk management: Don’t say “no,” say “risk.” Ask if or why we should accept or mitigate the risk. Say “here are the options.”
  • Awareness: Stop selling, start marketing – create the security culture not just at the top, but at the water cooler. Use awareness tools (stickers on bottles at events just to say we’re here).

Practitioner’s tip: Paul Simmonds (former AstraZeneca CISO) told me later that he used to have 95 staff members and would never approve a travel expense without demanding evidence of at least a half day spent promoting awareness in the field.

My take: I couldn’t agree more with Thom and Paul. But although Langford did point us to a cool video satirizing the seedy world of corporate risk acceptance (a must watch for the LOLs), this gets us no closer to actually building a security culture.

The concept of “security culture” sounded so right and true – but how do you create one? At first, Google searches turned up little detail. But persistence pays off. Eventually I found two great resources:

Security Culture Report

Kai Roer, creator of the Security Culture Framework, provides organizations around the world with advice on assessing, building and maintaining a good security culture using the Security Culture Framework. In the two years since I first posted on the SCF, Kai has built the CLTRe Toolkit to help organizations assess, build, and improve security culture within their organizations.

The CLTRe’s Security Culture Report 2018 (freely downloadable with registration) makes interesting reading. It benchmarks security culture in four industry sectors: Finance, Real Estate, Retail and Wholesale Trade, and Information and Communication. From the report’s introduction:

“When comparing the sectors, there are significant differences. Whilst security culture in the Finance sector is generally better than in other sectors, a major revelation is the above-average scores in both attitudes and compliance in the Retail and Wholesale Trade sector. The Real Estate sector demonstrates poor scores across all dimensions, giving it the worst security culture of all sectors.

Being able to measure change in security culture is crucial to document the effectiveness of the cybersecurity measures taken to protect the organization and its data, against cyber threats and security breaches…Security culture is the missing piece in the puzzle, bridging the gap between technology on the one side, and people and process on the other.”

What to Measure?

Working with the premise that “if you can measure it, you can manage it,” let’s consider what CLTRe measures for security culture:

  • ATTITUDES: Employees’ feelings, thoughts and emotions about the various activities that pertain to security culture.
  • BEHAVIOR: Actual or intended activities of employees that have direct or indirect impact on security culture and information security, including risk taking behavior.
  • COGNITION: Employees’ awareness, knowledge and beliefs regarding practices, activities and self-efficacy that are related to security culture.
  • COMMUNICATION: The way that employees communicate and interact with each other, exchange support regarding security issues, and report incidents.
  • COMPLIANCE: Awareness of existing organizational policies on information security, understanding their significance, and acting in line with them.
  • NORMS: Unwritten expectations regarding appropriate behaviors pertaining to usage of information technology in organizational context, perception of what practices are normal and unproblematic.
  • RESPONSIBILITY: Perceived obligation or role to behave correctly towards maintaining security culture.

Call to Action

At Security Architects Partners, we support our clients with a broad array of technical security architecture services and governance-oriented risk management services. On many projects, we find governance or cultural issues creating challenges and constraints on security programs. Wherever possible, we like to bring culture into the frame for interested clients. Contact us if you’re interested in exploring security culture questions and in learning to measure and improve in this space.