Over the last few years the discussion around security culture has come to the fore, and having worked in and around this area for a while I welcome it; particularly when one of the simplest ways to reduce risk to organisations is to have a security-conscious workforce.
However, it is not as simple as proclaiming that you’re going to run a phishing or a digital footprints campaign and be done with it. As with everything in life, there are fundamental activities that one needs to address before just jumping into things. Here are a few recommendations to keep in mind when building your security culture programme:
Trust and Branding – How is your security function perceived across the business? Do you have good levels of engagement, or are you seen as the “department of no”? If the security function is not recognised as a trusted brand then you are building on poor foundations. A simple way to build that trust is (within reason) to share security metrics with the organisation, e.g. incidents that you protected the business from and even where you failed. It humanises the team and can reap great benefits.
Understand your environment – A key task in your journey to build security culture is to understand existing attitudes and behaviours across your organisation. You cannot attempt to effect change in an environment where you are not sure how people feel about security on a day-to-day basis. Plan and run a security culture study. Typically, this is a combination of quantitative and qualitative data, e.g. a survey combined with focus groups and one-to-one sessions with a subset of staff. This will provide insight into localised risk and ways of working across departments, and inform your plan of activities.
Scaling your security function – Regardless of the size of your organisation, you can scale your security efforts by establishing a network of individuals to help spread your message. Commonly referred to as champions, these volunteers are immensely powerful when utilised correctly. If you haven’t already thought about building such a network – think about it now!
Targeted and engaging activities – Let’s be honest, asking staff to watch a ten-minute video and then do a quiz afterwards doesn’t work. Of course, such activities have their place, but if your content, activities and campaigns aren’t targeted, engaging and memorable then you are wasting your time. This is where a security culture study will help you understand what sort of content is best for your environment.
Looking ahead – Naturally, all organisations are different, but fundamentally you should be aiming to have some sort of alignment with these recommendations. We have to move away from the status quo security approach.
We have to be more open, approachable, enabling and agile. Seek to deliver security-as-a-service; this in turn will help to effect a positive and lasting security culture across organisations.
This piece was included in the October 2018 edition of the IISP’s Pulse magazine.