Sunday, May 23, 2021

Creating a good security culture

This article introduces the concept of a security culture and provides guidance on how you can positively influence and evolve the culture in your organisation.

According to ENISA, “Cybersecurity Culture refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people's behaviour”.

Every organisation has a security culture, whether it is considered to be good or bad. Security culture is intertwined with the wider organisational culture and is shaped by messaging across all levels of the organisation.

Large organisations are unlikely to have one culture. Culture will often differ across the organisation between functions, departments, entities, business lines, offices, and jurisdictions. This cultural variation creates a challenge when seeking to communicate security messages and drive behavioural change, as the message will be subject to differing interpretations.

Having a good security culture is fundamental in helping you to deliver an effective security programme within your organisation. This is key to building a good security foundation and will increase the probability that your initiatives deliver positive outcomes for the organisation.

Culture takes time and a concerted effort to evolve and must be formed with staff rather than being imposed upon them.

What does a good security culture look like?

A healthy or positive culture will actively contribute to support and enable the business to achieve its goals and objectives. To achieve this, you need staff to:

  • Remember the things they are supposed to do for security and do them at the right times and in the right circumstances;
  • Prioritise doing things in secure ways;
  • Know how to report any concerns or suspicious activity and feel empowered to do so;
  • Question processes in a constructive manner;
  • Contribute to shaping security policy;
  • Understand the importance of cybersecurity measures and what they mean for the organisation;
  • Understand risk associated with their day-to-day activities;
  • Know and be confident in the mitigation and handling of risk.

What does a bad security culture look like?

A poor or negative culture will undermine efforts to manage security risk and has the potential to hinder the operation of the business. A negative security culture can result in:

  • Staff not reporting any concerns or suspicious activity through the fear of blame or reprisal;
  • Staff bypassing security tasks, taking unnecessary or high levels of risk or seeking to cut corners;
  • Staff being cynical about security, often due to a lack of influence over the outcomes for which they are accountable;
  • Staff only seeking to do just enough;
  • Company leaders not following the rules or seeking exceptions or special treatment;
  • Staff not engaging with the security team or not contributing to security initiatives / programmes;
  • Security team members feeling undervalued and separated (isolated) from the rest of the business;
  • High attrition rate of security staff.

What blockers exist to developing a good security culture?

There are a multitude of factors that will hinder the delivery of a good security culture. These factors need to be addressed to build the foundations for a good culture of security:

  • Security budgets are not keeping pace with the rising threat level;
  • Staff do not feel their contributions are considered or valued;
  • Staff lack the knowledge or confidence to do the right thing;
  • Security being too insular and focused in a silo (such as technology), creating a boundary between security and the wider organisation;
  • Rules that make it hard for people to do their jobs, encouraging staff to find workarounds or unofficial ways of working;
  • Security being seen as a blocker rather than an enabler;
  • Leaders failing to lead by example;
  • Operating a blame culture.

How can you influence security culture?

It is important to note that, in general, people want to do the right thing. There are often influencing factors that inhibit staff from following the desired security behaviours. By understanding those behaviours and what drives them, you can design and deliver targeted behavioural interventions that help to overcome the inhibiting influences.

The following are some examples of positive changes that you can make to support the development of a good security culture within your organisation.

Recognise that people are integral to successful security

Support people to get their job done as effectively and securely as possible. Develop capabilities and cues that make secure behaviours easy to carry out. The less resistance there is to a change in behaviour, the easier it will be to support the development of security as a habit.

Security Education, Training and Awareness (SETA)

Commit resources to the delivery of your SETA programme. Utilise the wealth of available resources to help you implement and deliver an effective programme. If you’re unsure what level of resourcing you require or what an effective programme looks like, a good place to start is by reviewing the latest SANS Security Awareness Report and SANS Awareness Planning Kit.

Security as a business enabler

Support the business in achieving its goals and objectives. Enable people by helping them to manage security risk effectively. This will encourage staff to engage with the security team rather than finding ways of circumventing it.

Lead by example

The board and senior management need to lead by example and champion security. People will look to the leadership to set that example. Ensure leaders receive tailored and targeted training, awareness and reporting. Help them to understand and manage the security risk to the business whilst enabling the delivery of the organisational goals and objectives.

Avoid a culture of blame

Focus on reinforcing good security behaviours through positive acknowledgment. Measure individuals' progress and recognise their effort and improvement. Understand the root cause of bad security behaviours and design interventions to address them. Fostering a culture of blame will encourage people to protect themselves, often to the detriment of the organisation.

Make policies and standards fit for purpose

Engage with stakeholders from across the organisation. Be willing to recognise and address where policies and standards aren’t fit for purpose or are having a detrimental effect on people's work. Support people to perform their role effectively and securely. If people don’t feel policies and standards are fit for purpose, they are more likely to feel it is acceptable to bypass them.

Summary

Culture is developed at all levels of the organisation, but it needs to start from the top, through the championing of security, and cascade down through the organisational structure.

Assess the security culture in your organisation and understand what blockers exist in developing a good culture. Understand the root cause of these blockers and design initiatives / interventions to overcome them.

You can positively influence the security culture in your organisation, but plan for this to take time and a concerted effort to deliver. Culture is something that needs to be managed and sustained over a prolonged period.

Further reading

There is a wealth of readily available information on developing a culture of security. The following are well worth reading to support you in the development of your own security programme: