What is 'security culture'?

For some while now, I've been contemplating what security culture actually means, in practice. 

Thinking back to the organizations in which I have worked, they have all had it some extent (otherwise they probably wouldn't have employed someone like me!) but there were differences in the cultures. What were they?

Weaknesses in corporate security cultures are also evident in organizations that end up on the 6 o'clock news as a result of security and privacy incidents. In the extreme, the marked absence of a security culture implies more than just casual risk-taking. There's a reckless air to them with people (including management - in fact managers in particular) deliberately doing things they know they shouldn't, not just bending the rules and pushing the boundaries of acceptable behavior but, in some cases, breaking laws and regulations. That's an insecurity culture!

The strength of the security culture is a relative rather than absolute measure: it's a matter of degree. So, with my metrics hat on, what are the measurable characteristics? How would we go about measuring them? What are the scales? What's important to the organization in this domain?

A notable feature of organizations with relatively strong security cultures is that information security is an endemic part of the business - neither ignored nor treated as something special, an optional extra tacked-on the side (suggesting that 'information risk and security integration' might be one of those measurable characteristics). When IT systems and business processes are changed, for instance, the information risk, security and related aspects are naturally taken into account almost without being pushed by management. On a broader front, there's a general expectation that things will be done properly. By default, workers generally act in the organization's best interests, doing the right thing normally without even being asked. Information security is integral to the organization's approach, alongside other considerations and approaches such as quality, efficiency, ethics, compliance and ... well ... maturity.  

Maturity hints at a journey, a sequence of stages that organizations go through as their security culture emerges and grows stronger. That's what October's security awareness content will be addressing, promoting good practices in this area. Today I'll be exploring and expanding on the maturity approach, drawing conceptual diagrams and thinking about the governance elements. What would it take to assemble a framework facilitating, supporting and strengthening the corporate security culture? What are the building blocks, the foundations underpinning it? What does the blueprint look like? Who is the architect?

Where does one even start? 

I've raised lots of rhetorical questions today. Come back tomorrow to find out if we're making progress towards answering any of them!