Security culture: what it is and how to do it
In the previous blog, I promised to expand on security culture, so here goes ...

Most traditional security awareness programs are designed around circulating or broadcasting security messages throughout the organization. The focus is on the communications, mostly outbound from the security function to others. Our style of awareness program, however, emphasizes bidirectional communications between Information Security and The Business.

Why? What's the point?

The point is that we're exploiting the socialization of security to drive cultural change.

Establishing a strong social network of security friends and supporters throughout the organization takes commitment and sustained effort on the part of the entire Information Security function, but promises a huge payback over the medium to long term. An actively engaged and supportive corporate social network will keep the awareness program, and in fact the information security program as a whole, business-aligned and relevant to current security issues in the organization, broadening and deepening the department’s influence. On top of that, you can achieve far more through a distributed network of supportive contacts than you can possibly manage alone.

“Corporate culture ultimately sets the course for process, people, plans, policies, but changing corporate culture is like turning an oil tanker”
Duncan Harris, Oracle

We know cultural change takes time, so we’re here for the long haul. We’ve been developing and using our security awareness methods in conjunction with numerous organizations over three decades or so, launching this as a packaged commercial service in 2003. Way back in the ’80s, when Kevin Mitnick was a kid, the accepted wisdom of the day was to put employees through an annual “IT security training session”. After the obligatory lecture to the troops from a senior manager about how important it was for staff (!) to pay attention, there followed a mind-numbingly tedious assortment of do’s and don’ts, interspersed with dire warnings and implied threats about ignoring the security rules. Oh how we yawned!

Would you teach someone to drive safely by subjecting them to an annual lecture about sticking to the speed limits?!

Within hours of the session, employees were back to their normal tricks, and within days all most of them could remember was the sheer pointlessness of it. They were bored stiff with the well-meaning lectures and notices, and about as far from engaged and motivated as one could possibly be. It was patently obvious from the lack of progress that conventional wisdom was failing us badly - the annual “sheep dip” approach to awareness was naïve and fundamentally flawed.

So we set out to reinvent security awareness

The combination of three distinct innovations distinguishes our unique approach to information security awareness:
  1. We tackle a different information security topic every month.  Not only do we keep up with the constantly changing landscape of security risks, controls and incidents, but the awareness program itself is more stimulating and vibrant – more topical in fact. It rolls gently along all year round, touching on all manner of security issues along the way while continually re-emphasizing the core messages and themes (governance, risk management, compliance, control, accountability ...). A month is just long enough to delve into the subject, yet short enough to avoid terminal boredom.

  2. Three parallel awareness streams address three distinct corporate audiences: staff, managers and professionals. The security awareness materials and messages are designed to suit their respective concerns, perspectives and information needs and, since we cover the same monthly topic for all three audiences at the same time, they end up singing from the same hymn sheet. Most awareness programs focus exclusively on staff, or worse still IT users. We've always taken the line that managers need to be security aware too; in fact we'd go so far as to say that the lack of management-level security awareness is the primary reason that security awareness programs fail - assuming they even get off the ground in the first place. If you find yourself constantly fighting an uphill battle to get any resources for information security, isn't that a symptom of management's lack of appreciation of the business value of what you are doing?

  3. By engaging employees at all levels and in all parts of the business, encouraging them to think and talk about a wide variety of security-related topics, we’re leveraging corporate social networks to spread and embed information security in the very fabric of the organization.  Literally before you know it, information security has become an integral part of the corporate culture – in other words, the way we do things here. Culture, to us, is an emergent property of any social group. In conjunction with individuals' values and drivers, the culture determines how people think, what they find acceptable or unacceptable, and what they do in many situations, including those where they face personal choices. "Shall I click that attachment to find out what it is, or should I heed the security advice to leave it well alone?" is a classic information security example. 'Doing the right thing' in situations like that hinges on the person's perception of what's right and wrong, which in turn is strongly influenced by their social context, plus their understanding of the issues and an appreciation of the likely consequences. In psychological terms, such choices may be made subconsciously but the conscious mind has a major role, provided the person is security-aware.

The corporate social networking element of our service marks a new direction in our marketing, but the concept itself has been gently incubating for about a decade. My December 2012 piece about treating security awareness as a benign application of social engineering was a massive clue to the way things were heading!

In the same vein, we are actively creating, researching and developing further innovative approaches to security awareness right now, so you don’t have to … because security awareness is what we do.