Security culture in 3 simple steps (NOT)

In "What are the building blocks of security culture?", Kai Roer recommended the following "three vital parts / prerequisites needed for creating and maintaining good security culture":
  1. Security technologies. Kai tells us that "In order to create security culture, you need security technology. This includes all the basics like firewalls, antivirus, VPNs, access management and so forth."

  2. Policies and regulations. "These are all the rules you put in place - either by writing them down or by sharing them orally - to set up the boundaries of acceptable actions your users can and should perform. One thing to keep in mind is that policies are worthless if they come without incentives. If there is no defined and explained reason to adhere to the rule, the possibility that people won’t do it is great. Also, the policies should be clear and make sense to everyone that has to follow them."

  3. Competence. "We all have a large amount of policies we have to adhere to. Some make sense, others do not (or are not easy to understand), and that brings us to the third part of the puzzle: competence ... we should incorporate training designed to work in our organization - on all levels. The training should be adapted to our needs, risk acceptance level, and current and target security behavior. That means we have to learn how to adopt a holistic approach to security culture, and not to rely just on the yearly mandatory phishing training we send employees out for, knowing in advance that the results will be poor."
Oh boy oh boy, where to begin?

Well, first off, security culture is conceptually distinct from security technology. Culture is in the human rather than the technology domain. It is an entirely different beast. I'm not saying that security technology is worthless, far from it but the security culture has little to do with the security technology. Kai points out that the security technology should support the policies, fair enough but what about the flip side? Shouldn't the policies, the attitudes, the behaviors, the activities, the culture, make good use of the technologies, Kai?

Second, policies are not exactly 'worthless' without incentives, but I agree there is a need to motivate people to comply with them, going beyond having a "defined and explained reason to adhere to the rule". I guess you could call compliance and enforcement activities 'incentives', in a negative sense, while rewards to reinforce secure behaviors are positive incentives. So too are role models and shared value systems, which are definitely cultural in nature. It goes without saying that policies should be clear and make sense, although that is much easier to say than to achieve, especially in such a complex and wide-ranging field as information security. That's why sensible organizations support their security policies with standards, procedures and guidelines, the classic 'policy pyramid'. The policies themselves tend to be rather formal in style, while the other materials are more informal, readable and helpful.

Thirdly, Kai talks about achieving competence through 'training' which normally implies teacher-student relationships in a real or virtual classroom setting, focused on specific competencies. I completely agree that "the yearly mandatory phishing training" is doomed if that's all the organization does on this score. The myopic focus on (a) phishing and (b) annual training, is quite bizarre. It's a bit like suggesting that we should train learner drivers how to operate the indicators OR the steering OR the brakes, just once a year, and leave it at that! Kai's suggestions fall well short of  being "a holistic approach to security culture".

Here's a few of the things that Kai missed off his very short shortlist:
  • Prepare policies, standards, procedures and guidelines for specific audiences in styles that suits the audience' needs (e.g. relatively simple, basic stuff for general staff, more detailed stuff for specialists, and more strategic stuff for management);

  • The policies and related materials need to be interesting, relevant, engaging and motivational, not simply informative or factual and dry. Don't underestimate the effort needed to research, prepare/write and polish effective materials: this is not a suitable task for the office junior, an IT geek, or a random trainer in the bowels of HR;

  • Plan, prepare and deliver awareness and training activities on a wide range of information security and privacy topics (please, not just phishing!);

  • Link the awareness and training into the business by aligning with strategic and lower level objectives, picking up on current security risks and issues, highlighting recent incidents, newly-discovered vulnerabilities, hot threats and so forth;

  • Continue the delivery of awareness and training throughout the year. Design the program as a coherent, joined-up sequence of planned events and ongoing activities rather than a bunch of discrete and disjointed episodes (think 'driving course' not 'driving lesson');

  • To make securing/protecting information 'the way we do things' (i.e. part of the corporate culture) requires solid leadership commitment and overt support, which in turn means that managers need to be sold on the business/organizational and personal benefits of being part of a security culture. They really do need to walk-the-talk. Security metrics are therefore a vital piece of the puzzle, demonstrating  progress (or the lack of it!) and giving management the feedback they need to make security decisions become ever more effective over time. Kai's cynical comment about 'knowing in advance that the annual phishing training results will be poor' suggests that maybe his clients have yet to discover the value of security metrics.
I'm not done yet: there's plenty more to say. In fact much of it has already been said. Flick back through this blog, browse our websites, or read Rebecca Herold's masterpiece "Managing an Information Security and Privacy Awareness and Training Program" for the full nine yards.

The take-home message is that generating a 'security culture' is a lot more complicated and involved than 'simply follow these three steps'. If you cut too many corners, you'll end up right back where you started ... only poorer and more jaded.


PS  I probably would have published this rant on the Help Net Security website where Kai's piece was published, except there is no obvious way to respond to or comment on the article there - unlike here, where feedback is actively encouraged. Disagree if you will, point out the things I have missed or misconstrued, put me straight, that's all fine by me. Monologue bad, dialogue good!